* Fix security hole that occurred if openid and passwordauth were both
enabled. passwordauth would allow logging in as a known openid, with an
- empty password. Closes: #483770
+ empty password. Closes: #483770 (CVE-2008-0169)
* Add rel=nofollow to edit links. This may prevent some spiders from
pounding on the cgi following edit links.
* passwordauth: If Authen::Passphrase is installed, use it to store
* Fix security hole that occurred if openid and passwordauth were both
enabled. passwordauth would allow logging in as a known openid, with an
empty password. Closes: #[483770](http://bugs.debian.org/483770)
+ (CVE-2008-0169)
* Add rel=nofollow to edit links. This may prevent some spiders from
pounding on the cgi following edit links.
* passwordauth: If Authen::Passphrase is installed, use it to store
This hole allowed ikiwiki to accept logins using empty passwords, to openid
accounts that didn't use a password. It was introduced in version 1.34, and
fixed in version 2.48. The [bug](http://bugs.debian.org/483770) was
-discovered on 30 May 2008 and fixed the same day.
+discovered on 30 May 2008 and fixed the same day. ([[cve CVE-2008-0169]])
I recommend upgrading to 2.48 immediatly if your wiki allows both password
and openid logins.
sipb-www / ikiwiki.git / commitdiff
