author: Ailin Nemui <ailin@z30a.localdomain> 2016-09-26 14:24:23 +0200
committer: Ailin Nemui <ailin@z30a.localdomain> 2016-09-26 14:24:23 +0200
commit: b73f9a3ccb3378960f4f930c7d8713ad9069fbd9 (patch)
tree: bcec7db8892032b424aec67ca834529fcbbedfd0
parent: 9174c8a14d85ce3274ef42a1aff57a1256f32902 (diff)
download: irssi.github.io-b73f9a3ccb3378960f4f930c7d8713ad9069fbd9.zip
improve news layout, update buf cve
-rw-r--r-- _layouts/default.html | 2
-rw-r--r-- _layouts/home.html | 2
-rw-r--r-- _posts/2016-09-22-buf.pl-update.markdown | 49
-rw-r--r-- assets/css/style.css | 17
-rw-r--r-- security/buf_pl_sa_2016.txt | 73
-rw-r--r-- security/irssi_sa_2016.txt | 1
6 files changed, 98 insertions, 46 deletions
diff --git a/_layouts/default.html b/_layouts/default.html
index 1d57e03..cc2c463 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -6,7 +6,7 @@
{% include header.html %}
<div class="page-content">
- <div class="container">
+ <div class="container {{page.layout}}">
{% if page.sidebar %}
<div class="col-xs-12 col-md-8">
{{ content }}
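Review bot: the `{{page.layout}}` interpolation on the `+` line emits a bare `container ` class (with trailing space) for any page that declares no layout, and it turns every layout name into a CSS class verbatim, so layout names must remain valid single class tokens; a short template comment saying that style.css keys on `.container.home` would stop a future layout rename from silently breaking the news styling.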
diff --git a/_layouts/home.html b/_layouts/home.html
index e86425a..8cd68e1 100644
--- a/_layouts/home.html
+++ b/_layouts/home.html
@@ -8,7 +8,7 @@ sidebar: sb_sidebar_news.html
<h2><a href="{{ site.baseurl }}{{ post.url }}">{{ post.title }}</a></h2>
{% include postmeta.html node=post %}
{{ post.excerpt }}{%
- if post.excerpt != post.content %}<a href="{{ site.baseurl }}{{ post.url }}">Read more...</a> the Irssi Team.{%
+ if post.excerpt != post.content %}<p><a href="{{ site.baseurl }}{{ post.url }}">Read more...</a> the Irssi Team.</p>{%
endif %}
{% endfor %}
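Review bot: the new `<p>` around the "Read more..." link is only emitted inside the `if post.excerpt != post.content` branch, so a post whose excerpt is its whole content ends without that paragraph; if the `.container.home p + h2` rule added to style.css in this commit is what draws the separator before the next post, short posts will lack it unless their own excerpt already ends in a `<p>`. Also, "the Irssi Team." rendered directly after the link reads as one run-on sentence; a line break or a signature element between the two would read better.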
diff --git a/_posts/2016-09-22-buf.pl-update.markdown b/_posts/2016-09-22-buf.pl-update.markdown
index 410d011..460ab0f 100644
--- a/_posts/2016-09-22-buf.pl-update.markdown
+++ b/_posts/2016-09-22-buf.pl-update.markdown
@@ -3,49 +3,10 @@ layout: post
title: "buf.pl update available"
---
-An information disclosure vulnerability was found, reported and fixed
-in the buf.pl script by its author.
+An update to the [buf.pl](//scripts.irssi.org/scripts/buf.pl) script
+has been released. This release fixes an information disclosure
+vulnerability. All users should upgrade to this version.
-CWE Classification: CWE-732, CWE-538
+The updated buf.pl script can be found on [scripts.irssi.org](//scripts.irssi.org).
-### Impact
-
-Other users on the same machine may be able to retrieve the whole
-window contents after /UPGRADE when the buf.pl script is
-loaded. Furthermore, this dump of the windows contents is never
-removed afterwards.
-
-Since buf.pl is also an Irssi core script and we recommended its use
-to retain your window content, many people could potentially be
-affected by this.
-
-Remote users may be able to retrieve these contents when combined with
-other path traversal vulnerabilities in public facing services on that
-machine.
-
-### Detailed analysis
-
-buf.pl restores the scrollbuffer between "/upgrade"s by writing the
-contents to a file, and reading that after the new process was spawned.
-Through that file, the contents of (private) chat conversations may leak to
-other users.
-
-### Mitigating facts
-
-Careful users with a limited umask (e.g. 077) are not affected by this bug.
-However, most Linux systems default to a umask of 022, meaning that files
-written without further restricting the permissions, are readable by any
-user.
-
-### Affected versions
-
-All up to 2.13
-
-### Fixed versions
-
-[buf.pl](//scripts.irssi.org/scripts/buf.pl) 2.20
-
-### Resolution
-
-Update the buf.pl script with the latest version from
-[scripts.irssi.org](//scripts.irssi.org). \ No newline at end of file
+Read the [security advisory](/security/buf_pl_sa_2016.txt).
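Review bot: the advisory link on the last `+` line (`/security/buf_pl_sa_2016.txt`) is root-relative and omits the `{{ site.baseurl }}` prefix the layouts use for every other internal link, so it breaks if the site is ever served under a sub-path; prefer `{{ site.baseurl }}/security/buf_pl_sa_2016.txt`. The hunk also drops the CWE classification, the affected range (up to 2.13) and the fixed version (2.20) from the post entirely; keeping a single line such as "Affected: up to 2.13, fixed: 2.20" in the post lets a reader decide at a glance whether they need to act without opening the advisory.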
diff --git a/assets/css/style.css b/assets/css/style.css
index f7b4213..c3d7e04 100644
--- a/assets/css/style.css
+++ b/assets/css/style.css
@@ -196,6 +196,23 @@ blockquote {
height: 80vh !important;
}
+/* news archive */
+.container.home h3,
+.container.home .h3 {
+ font-size: 20px;
+ font-weight: bold;
+}
+
+.container.home p + h2 {
+ border-top: 2px solid #eee;
+ padding-top: 20px;
+}
+
+.container.home hr {
+ width: 70%;
+}
+
+
/* download page */
.osicon, .obsicon {
padding-right: 1ex;
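Review bot: the added block ends with two blank lines before `/* download page */` where the rest of the file uses one; drop one. The `.container.home p + h2` rule assumes every post ends in a `<p>`, which in this commit is only guaranteed when home.html emits the "Read more..." paragraph, so styling the post's wrapper or the `h2` directly would be more robust than relying on the adjacent-sibling combinator.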
diff --git a/security/buf_pl_sa_2016.txt b/security/buf_pl_sa_2016.txt
new file mode 100644
index 0000000..7257538
--- /dev/null
+++ b/security/buf_pl_sa_2016.txt
@@ -0,0 +1,73 @@
+information disclosure vulnerability in buf.pl
+==============================================
+CWE Classification: CWE-732, CWE-538
+
+CVE-2016-7553 [1] was assigned to this bug.
+
+
+Description
+-----------
+
+An information disclosure vulnerability was found, reported and fixed
+in the buf.pl script by its author.
+
+
+Impact
+------
+
+Other users on the same machine may be able to retrieve the whole
+window contents after /UPGRADE when the buf.pl script is
+loaded. Furthermore, this dump of the windows contents is never
+removed afterwards.
+
+Since buf.pl is also an Irssi core script and we recommended its use
+to retain your window content, many people could potentially be
+affected by this.
+
+Remote users may be able to retrieve these contents when combined with
+other path traversal vulnerabilities in public facing services on that
+machine.
+
+
+Detailed analysis
+-----------------
+
+buf.pl restores the scrollbuffer between "/upgrade"s by writing the
+contents to a file, and reading that after the new process was spawned.
+Through that file, the contents of (private) chat conversations may leak to
+other users.
+
+
+Mitigating facts
+----------------
+
+Careful users with a limited umask (e.g. 077) are not affected by this bug.
+However, most Linux systems default to a umask of 022, meaning that files
+written without further restricting the permissions, are readable by any
+user.
+
+
+Affected versions
+-----------------
+
+All up to 2.13
+
+
+Fixed versions
+--------------
+
+buf.pl 2.20 [2]
+
+
+Resolution
+----------
+
+Update the buf.pl script with the latest version from
+https://scripts.irssi.org
+
+
+References
+----------
+
+[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7553
+[2] https://scripts.irssi.org/scripts/buf.pl
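Review bot: "All up to 2.13" under Affected versions does not say whether 2.13 itself is vulnerable; since the fix is 2.20, write "all versions up to and including 2.13" (or whichever bound is correct). The Resolution section only tells users to update, yet Impact states the dump of the window contents is never removed afterwards, so anyone who already ran /UPGRADE with the old script still has that readable file on disk; the advisory should tell them to delete the leftover dump file written by buf.pl and, as the Mitigating facts section already implies, to check their umask. The Description also says the bug was "found, reported and fixed" by the author but gives no date or fix reference; adding one would let readers verify which release carries the fix.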
diff --git a/security/irssi_sa_2016.txt b/security/irssi_sa_2016.txt
index f784e8e..4b60040 100644
--- a/security/irssi_sa_2016.txt
+++ b/security/irssi_sa_2016.txt
@@ -96,5 +96,6 @@ https://github.com/irssi/irssi/commit/295a4b77f07f14602eeaa371f00ddbf09910c82b
References
----------
+
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7044
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7045
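Review bot: the two CVE references below the inserted blank line still use `http://cve.mitre.org`, while the new buf_pl_sa_2016.txt in this same commit links `https://cve.mitre.org`; switch these to https so both advisories are consistent and readers are not sent over plaintext to the CVE database.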