update

[ikiwiki.git] / doc / security.mdwn

diff --git a/doc/security.mdwn b/doc/security.mdwn
index b3b5b6f3ee98a5be03a4cdfc80433d09c0e343cd..f3567d1558c5c2993571b5dc5a4eb0b9d33d2a46 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -18,14 +18,6 @@ Anyone with direct commit access can forge "web commit from foo" and
 make it appear on [[RecentChanges]] like foo committed. One way to avoid
 this would be to limit web commits to those done by a certian user.
 
-## XML::Parser
-
-XML::Parser is used by the aggregation plugin, and has some security holes
-that are still open in Debian unstable as of this writing. #378411 does not
-seem to affect our use, since the data is not encoded as utf-8 at that
-point. #378412 could affect us, although it doesn't seem very exploitable.
-It has a simple fix, which should be NMUed or something..
-
 ## other stuff to look at
 
 I need to audit the git backend a bit, and have been meaning to
@@ -246,3 +238,12 @@ have come just before yours, by forging svn log output. This was
 guarded against by using svn log --xml.
 
 ikiwiki escapes any html in svn commit logs to prevent other mischief.
+
+## XML::Parser
+
+XML::Parser is used by the aggregation plugin, and has some security holes. 
+Bug #[378411](http://bugs.debian.org/378411) does not
+seem to affect our use, since the data is not encoded as utf-8 at that
+point. #[378412](http://bugs.debian.org/378412) could affect us, although it
+doesn't seem very exploitable. It has a simple fix, and has been fixed in
+Debian unstable.