ikiwiki: CVE-2017-0356: Authentication bypass via repeated parameters

[Simon McVittie <smcv () debian org>]

Reference: https://ikiwiki.info/security/#cve-2017-0356
Affected versions: >= 2.11
Fixed versions: >= 3.20170111
Fixed versions (3.20141016.x branch): >= 3.20141016.4

ikiwiki is a static site generator with some dynamic features,
used for wikis, blogs and other websites.

The ikiwiki maintainers discovered two related flaws in the
passwordauth plugin's use of CGI::FormBuilder, involving API design
issues similar to those that led to CVE-2014-1572. Impact:

* An attacker who can log in to a site with a password can log in
  as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields
  in the user database for that account.

Sites that enable the CGI script (cgi_wrapper) and do not disable the
simple password authentication plugin (passwordauth, enabled by default)
are affected.

For current releases, this is fixed in ikiwiki >= 3.20170111.
For the Debian 8 branch, it is fixed in ikiwiki 3.20141016.4.

Regards,
    S