ikiwiki 3.20190228 released with [[!toggle text="these changes"]]
 * aggregate: Use LWPx::ParanoidAgent if available.
   Previously blogspam, openid and pinger used this module if available,
   but aggregate did not. This prevents server-side request forgery or
   local file disclosure, and mitigates denial of service when slow
   "tarpit" URLs are accessed.
   ([[!debcve CVE-2019-9187]])
 * blogspam, openid, pinger: Use an HTTP proxy if configured, even if
   LWPx::ParanoidAgent is installed.
   Previously, only aggregate would obey proxy configuration. If a proxy
   is used, the proxy (not ikiwiki) is responsible for preventing attacks
 * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
   Previously, these plugins would have allowed non-HTTP-based requests if
   LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
   file disclosure, and preventing other rarely-used URI schemes like
   gopher mitigates request forgery attacks.
 * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
   These plugins can request attacker-controlled URLs in some site
 * blogspam: Document LWPx::ParanoidAgent as desirable.
   This plugin doesn't request attacker-controlled URLs, so it's
 * blogspam, openid, pinger: Consistently use cookiejar if configured.
   Previously, these plugins would only obey this configuration if
   LWPx::ParanoidAgent was not installed, but this appears to have been
 * po: Always filter .po files.
   The po plugin in previous ikiwiki releases made the second and
   subsequent filter call per (page, destpage) pair into a no-op,
   apparently in an attempt to prevent *recursive* filtering (which as
   far as we can tell can't happen anyway), with the undesired effect
   of interpreting the raw .po file as page content (e.g. Markdown)
   if it was inlined into the same page twice, which is apparently
   something that tails.org does. Simplify this by deleting the code
   that prevented repeated filtering. Thanks, intrigeri
   (Closes: #[911356](http://bugs.debian.org/911356))"""]]
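The two defences the LWP-related entries above describe, an http/https scheme allowlist and a refusal to fetch from loopback, private or otherwise non-public addresses (what LWPx::ParanoidAgent supplies), as an added Python illustration. This is not ikiwiki's code (which is Perl) and not the module itself: `check_url` refuses any scheme other than http or https, refuses hosts whose addresses are not public, and, when a proxy is configured, enforces only the scheme rule and leaves address filtering to the proxy, as the notes describe. `check_chain` applies the same check to every hop of a redirect chain, since a permitted first URL may redirect to an internal one. The function names, the injectable resolver and the constructed `FAKE_DNS` table are assumptions made for the example.

```python
"""Pre-flight URL filter modelling the defences the release notes describe.

Added illustration, not ikiwiki's own code. The hostname-to-address
resolver is injectable so the example runs offline against a constructed
DNS table.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Only these schemes may be fetched; file://, gopher:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Resolve host to every address it has (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    """True only for addresses routable on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_global and not ip.is_multicast and not ip.is_loopback
            and not ip.is_link_local and not ip.is_unspecified)


def check_url(url, resolver=system_resolver, via_proxy=False):
    """Return (True, None) if url may be fetched, else (False, reason).

    The scheme rule is always enforced. When a proxy is in use the address
    rule is skipped: the proxy, not this code, decides what it will reach.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not http or https" % (parts.scheme or "")
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if via_proxy:
        return True, None
    # An IP literal needs no lookup; anything else goes to the resolver.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            return False, "cannot resolve %s: %s" % (host, exc)
    if not addrs:
        return False, "%s resolved to no addresses" % host
    # Every address must be public: a name with even one internal record
    # is refused, so a mixed DNS answer cannot be used to slip through.
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, None


def check_chain(urls, resolver=system_resolver, via_proxy=False):
    """Apply check_url to every hop of a redirect chain; first failure wins."""
    for url in urls:
        ok, reason = check_url(url, resolver, via_proxy)
        if not ok:
            return False, "%s: %s" % (url, reason)
    return True, None


# Constructed DNS table for offline use: 93.184.216.34 stands in for a
# public web host, 10.0.0.5 and 192.168.1.1 for internal ones.
FAKE_DNS = {
    "wiki.example.org": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "192.168.1.1"],
}


def fake_resolver(host):
    """Offline stand-in for system_resolver, backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host %s" % host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd", "gopher://wiki.example.org/",
                      "http://wiki.example.org/feed", "http://intranet.example/",
                      "http://127.0.0.1/", "http://[::1]/", "http://mixed.example/"):
        print(candidate, check_url(candidate, fake_resolver))
```

Resolving the name yourself and then handing the URL to an HTTP client that resolves it again leaves a window for a changed DNS answer; a client that performs the check on the address it actually connects to (and on every redirect) closes that gap, which is why the release notes point at LWPx::ParanoidAgent rather than a wrapper like this one.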
ikiwiki 3.20170111.1 was also released, backporting the LWP-related
changes from 3.20190228 to the branch used in Debian 9 'stretch'.