-ikiwiki (3.20170109) UNRELEASED; urgency=medium
+ikiwiki (3.20170111.1) stretch-security; urgency=high
+
+ * aggregate: Use LWPx::ParanoidAgent if available.
+ Previously blogspam, openid and pinger used this module if available,
+ but aggregate did not. This prevents server-side request forgery or
+ local file disclosure, and mitigates denial of service when slow
+ "tarpit" URLs are accessed.
+ (CVE-2019-9187)
+ * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
+ LWPx::ParanoidAgent is installed.
+ Previously, only aggregate would obey proxy configuration. If a proxy
+ is used, the proxy (not ikiwiki) is responsible for preventing attacks
+ like CVE-2019-9187.
+ * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
+ URLs.
+ Previously, these plugins would have allowed non-HTTP-based requests if
+ LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
+ file disclosure, and preventing other rarely-used URI schemes like
+ gopher mitigates request forgery attacks.
+ * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
+ recommended.
+ These plugins can request attacker-controlled URLs in some site
+ configurations.
+ * blogspam: Document LWPx::ParanoidAgent as desirable.
+ This plugin doesn't request attacker-controlled URLs, so it's
+ non-critical here.
+ * blogspam, openid, pinger: Consistently use cookiejar if configured.
+ Previously, these plugins would only obey this configuration if
+ LWPx::ParanoidAgent was not installed, but this appears to have been
+ unintended.
+
+ -- Simon McVittie <smcv@debian.org> Tue, 26 Feb 2019 22:57:58 +0000
+
+ikiwiki (3.20170111) unstable; urgency=high
+
+ * passwordauth: prevent authentication bypass via multiple name
+ parameters (CVE-2017-0356, OVE-20170111-0001)
+ * passwordauth: avoid userinfo forgery via repeated email parameter
+ (also in the scope of CVE-2017-0356)
+ * CGI, attachment, passwordauth: harden against repeated parameters
+ (not believed to have been a vulnerability)
+ * remove: make it clearer that repeated page parameter is OK here
+ * t/passwordauth.t: new automated test for passwordauth
+
+ -- Simon McVittie <smcv@debian.org> Wed, 11 Jan 2017 18:16:53 +0000
+
+ikiwiki (3.20170110) unstable; urgency=medium
[ Amitai Schleier ]
* wrappers: Correctly escape quotes in git_wrapper_background_command
* d/ikiwiki.lintian-overrides: silence false positive spelling warning
for Moin Moin
* d/ikiwiki.doc-base: register the documentation with doc-base
+ * d/control: set libmagickcore-6.q16-3-extra as preferred
+ build-dependency, with virtual package libmagickcore-extra as an
+ alternative, to help autopkgtest to do the right thing
- -- Simon McVittie <smcv@debian.org> Mon, 09 Jan 2017 14:33:19 +0000
+ -- Simon McVittie <smcv@debian.org> Tue, 10 Jan 2017 13:22:01 +0000
ikiwiki (3.20161229.1) unstable; urgency=medium