+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
+
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+ * Update img plugin to version 3.20160506 to mitigate ImageMagick
+ vulnerabilities, including remote code execution (CVE-2016-3714):
+ - Never convert SVG images to PNG; simply pass them through to the
+ browser. This prevents exploitation of any ImageMagick SVG coder
+ vulnerabilities. (joeyh)
+ - Do not resize image formats other than JPEG, PNG, GIF unless
+ specifically configured to do so. This prevents exploitation
+ of any vulnerabilities in less common coders, such as MVG. (smcv)
+ - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
+ not match their "magic numbers", because wiki admins might try to
+ restrict attachments by extension, but ImageMagick can base its
+ choice of coder on the magic number. Explicitly force the
+ obvious ImageMagick coder to be used. (smcv)
+ * Minor non-security changes resulting from that update, since
+ reverting them seems higher-risk than keeping them:
+ - Add PDF support, disabled by the above changes unless specifically
+ configured (chrysn)
+ - Only render one frame or page from animated GIF or multi-page PDF
+ (chrysn)
+ - Do not distort aspect ratio when resizing small images (chrysn)
+ - Use data: URLs to embed images in page previews (chrysn)
+ - Raise an error if the image's size cannot be determined (chrysn)
+ - Handle filenames containing a colon correctly (smcv)
+ * Add t/img.t regression test also taken from version 3.20160506
+ (chrysn, joeyh, schmonz, smcv)
+ * debian/tests: add metadata to run the img test as an autopkgtest
+
+ -- Simon McVittie <smcv@debian.org> Sun, 08 May 2016 16:30:55 +0100
+
ikiwiki (3.20120629.2) wheezy; urgency=medium
[ Joey Hess ]