404 automatically loads goto

diff --git a/doc/ikiwiki-mass-rebuild.mdwn b/doc/ikiwiki-mass-rebuild.mdwn
index 5f144b49bcd68a7978a711b19a7145c0346d1a23..a2db0a858155fd120634a02093c522cfe9a3e972 100644 (file)
--- a/doc/ikiwiki-mass-rebuild.mdwn
+++ b/doc/ikiwiki-mass-rebuild.mdwn
@@ -9,7 +9,10 @@ ikiwiki-mass-rebuild
 # DESCRIPTION
 
 `ikiwiki-mass-rebuild` can be used to force a rebuild of all the wikis
 # DESCRIPTION
 
 `ikiwiki-mass-rebuild` can be used to force a rebuild of all the wikis

-on a system. You will need to list the setup files for the wikis it should
+on a system (when run as root), or all of a user's wikis (when run as
+non-root).
+
+You will need to list the setup files for the wikis it should

 build in the file `/etc/ikiwiki/wikilist`, which has the format:
 
 user /path/to/ikiwiki.setup
 build in the file `/etc/ikiwiki/wikilist`, which has the format:
 
 user /path/to/ikiwiki.setup

diff --git a/doc/plugins/404.mdwn b/doc/plugins/404.mdwn
index db86a13b892c98c6a29a40965b3fbf73525eb0c1..128b26e7b096640af8d44b49fe36c093e5af13df 100644 (file)
--- a/doc/plugins/404.mdwn
+++ b/doc/plugins/404.mdwn
@@ -7,7 +7,7 @@ nonexistent page provides you with a link to create it.
 
 To enable the 404 handler you need to:
 
 
 To enable the 404 handler you need to:
 

-1. Edit your `.setup` file and add `404` and `goto` to the `add_plugins` line.
+1. Edit your `.setup` file and add `404` to the `add_plugins` line.

 2. Add a 404 error document handler in your Apache configuration:
 
     `ErrorDocument 404 /url/path/to/ikiwiki.cgi`
 2. Add a 404 error document handler in your Apache configuration:
 
     `ErrorDocument 404 /url/path/to/ikiwiki.cgi`

diff --git a/doc/security.mdwn b/doc/security.mdwn
index 35385465607929108d488eff73fa395e71d82467..f0fcb0cd7d65576ab6437030040dfaa13d4b0f3d 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -471,6 +471,19 @@ who could upload a malicious stylesheet to a site to add it to a
 page as an alternate stylesheet, or replacing the default stylesheet.
 
 This hole was discovered on 28 Mar 2011 and fixed the same hour with
 page as an alternate stylesheet, or replacing the default stylesheet.
 
 This hole was discovered on 28 Mar 2011 and fixed the same hour with

-the release of ikiwiki 3.20110328. An upgrade is recommended for sites
-that have untrusted committers, or have the attachments plugin enabled.
+the release of ikiwiki 3.20110328. A fix was backported to Debian squeeze,
+as version 3.20100815.6. An upgrade is recommended for sites that have
+untrusted committers, or have the attachments plugin enabled.

 ([[!cve CVE-2011-1401]])
 ([[!cve CVE-2011-1401]])

+
+## tty hijacking via ikiwiki-mass-rebuild
+
+Ludwig Nussel discovered a way for users to hijack root's tty when
+ikiwiki-mass-rebuild was run. Additionally, there was some potential
+for information disclosure via symlinks.
+
+This hole was disconvered on 8 June 2011 and fixed the same day with
+the release of ikiwiki 3.20110608. Note that the fix is dependant on
+a su that has a similar hole fixed; [[!debbug 628843]] tracks fixing
+the hole in Debian's su. An upgrade is a must for any sites whose
+admins run ikiwiki-mass-rebuild.