-ikiwiki (3.20120203) UNRELEASED; urgency=low
+ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium
+
+ [ Simon McVittie ]
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to CVE-2014-1572.
+ - passwordauth: prevent authentication bypass via multiple name
+ parameters (CVE-2017-0356, OVE-20170111-0001)
+ - passwordauth: prevent userinfo forgery via repeated email
+ parameter (also CVE-2017-0356)
+ - comments, editpage: prevent commit metadata forgery
+ (CVE-2016-9646, OVE-20161226-0001)
+ - CGI, attachment, comments, editpage, notifyemail, passwordauth,
+ po, rename: harden against similar issues that are not believed
+ to be exploitable
+ * t/passwordauth.t: new automated test for CVE-2017-0356
+ * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
+ bugs, including one minor security vulnerability:
+ - Security: try revert operations before approving them. Previously,
+ automatic rename detection could result in a revert writing outside
+ the wiki srcdir or altering a file that the reverting user should not
+ be able to alter, an authorization bypass.
+ (CVE-2016-10026 represents the original vulnerability.)
+ The incomplete fix released in 3.20161219 was not effective for git
+ versions prior to 2.8.0rc0.
+ (CVE-2016-9645 represents that incomplete solution. Debian stable
+ was never vulnerable to this one.)
+ - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
+ file or directory" seen in the initial fixes for those security issues
+ - If no committer identity is known, set it to
+ "IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
+ in versions of git that require a non-trivial committer identity.
+ - Use git log --no-renames to generate recentchanges, fixing the git
+ test-case with git 2.9 (Closes: #835612)
+ - Don't issue a warning if the rcsinfo CGI parameter is undefined
+ - Do not fail to commit changes with a recent git version
+ and an anonymous committer
+ - Do not fail on filenames starting with a dash
+ (patch from Florian Wagner)
+ - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
+ * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
+ for using the CGI with git, including tests for CVE-2016-10026
+ - Build-depend on libipc-run-perl for better build-time test coverage
+ * Backport tests' installed-test (autopkgtest) support from 3.20160121,
+ adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
+ - d/control: add enough build-dependencies to run all tests, except for
+ non-git VCSs
+ * Split CFLAGS into words when building wrapper, fixing build-time test
+ failure. Closes: #682237 (patch from Joey Hess, backported from
+ 3.20120630)
+ * In the CGI wrapper, incorporate $config{ENV} into the environment
+ before executing Perl code, so that PERL5LIB can point to a
+ non-system-wide installation of IkiWiki. Some build-time tests rely
+ on this, in particular t/git-cgi.t.
+ (patch from Lafayette Chamber Singers Webmaster, backported from
+ 3.20140916)
+
+ [ Emilio Pozuelo Monfort ]
+ * Upload to wheezy-security.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Tue, 31 Jan 2017 19:00:50 +0100
+
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
+
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+ * Update img plugin to version 3.20160509 to mitigate ImageMagick
+ vulnerabilities, including remote code execution (CVE-2016-3714):
+ - Never convert SVG images to PNG; simply pass them through to the
+ browser. This prevents exploitation of any ImageMagick SVG coder
+ vulnerabilities. (joeyh)
+ - Do not resize image formats other than JPEG, PNG, GIF unless
+ specifically configured to do so. This prevents exploitation
+ of any vulnerabilities in less common coders, such as MVG.
+ (schmonz, smcv)
+ - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
+ not match their "magic numbers", because wiki admins might try to
+ restrict attachments by extension, but ImageMagick can base its
+ choice of coder on the magic number. Explicitly force the
+ obvious ImageMagick coder to be used. (smcv)
+ * Minor non-security changes resulting from that update, since
+ reverting them seems higher-risk than keeping them:
+ - Add PDF support, disabled by the above changes unless specifically
+ configured (chrysn)
+ - Only render one frame or page from animated GIF or multi-page PDF
+ (chrysn)
+ - Do not distort aspect ratio when resizing small images (chrysn)
+ - Use data: URLs to embed images in page previews (chrysn)
+ - Raise an error if the image's size cannot be determined (chrysn)
+ - Handle filenames containing a colon correctly (smcv)
+ * Add t/img.t regression test also taken from version 3.20160506
+ (chrysn, joeyh, schmonz, smcv)
+ * debian/tests: add metadata to run the img test as an autopkgtest
+
+ -- Simon McVittie <smcv@debian.org> Mon, 09 May 2016 22:38:35 +0100
+
+ikiwiki (3.20120629.2) wheezy; urgency=medium
+
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
+ CVE-2015-2793)
+
+ -- Simon McVittie <smcv@debian.org> Mon, 06 Apr 2015 20:34:51 +0100
+
+ikiwiki (3.20120629.1) wheezy; urgency=medium
+
+ Backport blogspam plugin from experimental, because the version in
+ wheezy is no longer usable:
+
+ [ Joey Hess ]
+ * Set Debian package maintainer to Simon McVittie as I'm retiring from
+ Debian.
+
+ [ Amitai Schlair ]
+ * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
+ Closes: #774441
+
+ -- Simon McVittie <smcv@debian.org> Sat, 17 Jan 2015 11:53:33 +0000
+
+ikiwiki (3.20120629) unstable; urgency=low
+
+ * mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or
+ other config differences by linking to the mirror's CGI. (intrigeri)
+
+ -- Joey Hess <joeyh@debian.org> Fri, 29 Jun 2012 10:16:08 -0400
+
+ikiwiki (3.20120516) unstable; urgency=high
+
+ * meta: Security fix; add missing sanitization of author and authorurl.
+ CVE-2012-0220 Thanks, Raúl Benencia
+
+ -- Joey Hess <joeyh@debian.org> Wed, 16 May 2012 19:51:27 -0400
+
+ikiwiki (3.20120419) unstable; urgency=low
+
+ * Remove dead link from plugins/teximg. Closes: #664885
+ * inline: When the pagenames list includes pages that do not exist, skip
+ them.
+ * meta: Export author information in html <meta> tag. Closes: #664779
+ Thanks, Martin Michlmayr
+ * notifyemail: New plugin, sends email notifications about new and
+ changed pages, and allows subscribing to comments.
+ * Added a "changes" hook. Renamed the "change" hook to "rendered", but
+ the old hook name is called for now for back-compat.
+ * meta: Support keywords header. Closes: #664780
+ Thanks, Martin Michlmayr
+ * passwordauth: Fix url in password recovery email to be absolute.
+ * httpauth: When it's the only auth method, avoid a pointless and
+ confusing signin form, and go right to the httpauthurl.
+ * rename: Allow rename to be started not from the edit page; return to
+ the renamed page in this case.
+ * remove: Support removing of pages in the transient underlay. (smcv)
+ * inline, trail: The pagenames parameter is now a list of absolute
+ pagenames, not relative wikilink type names. This is necessary to fix
+ a bug, and makes pagenames more consistent with the pagespec used
+ in the pages parameter. (smcv)
+ * link: Fix renaming wikilinks that contain embedded urls.
+ * graphviz: Handle self-links.
+ * trail: Improve CSS, also display trail links at bottom of page,
+ and a bug fix. (smcv)
+
+ -- Joey Hess <joeyh@debian.org> Thu, 19 Apr 2012 15:32:07 -0400
+
+ikiwiki (3.20120319) unstable; urgency=low
- * Fix a snail mail address. Closes: #659158
- * openid-jquery.js: Update URL of Wordpress favicon. Closes: #660549
- * Drop the version attribute on the generator tag in Atom feeds
- to make builds more reproducible. Closes: #661569 (Paul Wise)
- * shortcut: Support Wikipedia's form of url-encoding for unicode
- characters, which involves mojibake. Closes: #661198
* osm: New plugin to embed an OpenStreetMap into a wiki page.
Supports waypoints, tags, and can even draw paths matching
wikilinks between pages containing waypoints.
Thanks to Blars Blarson and Antoine Beaupré, as well as the worldwide
OpenStreetMap community for this utter awesomeness.
- * Add a few missing jquery UI icons to attachment upload widget underlay.
- * URI escape filename when generating the diffurl.
* trail: New plugin to add navigation trails through pages via Next and
Previous links. Trails can easily be added to existing inlines by setting
trail=yes in the inline.
Thanks to Simon McVittie for his persistance developing this feature.
+ * Fix a snail mail address. Closes: #659158
+ * openid-jquery.js: Update URL of Wordpress favicon. Closes: #660549
+ * Drop the version attribute on the generator tag in Atom feeds
+ to make builds more reproducible. Closes: #661569 (Paul Wise)
+ * shortcut: Support Wikipedia's form of url-encoding for unicode
+ characters, which involves mojibake. Closes: #661198
+ * Add a few missing jquery UI icons to attachment upload widget underlay.
+ * URI escape filename when generating the diffurl.
* Add build-affected hook. Used by trail.
- -- Joey Hess <joeyh@debian.org> Wed, 08 Feb 2012 16:07:00 -0400
+ -- Joey Hess <joeyh@debian.org> Mon, 19 Mar 2012 14:24:43 -0400
ikiwiki (3.20120202) unstable; urgency=low