-ikiwiki (3.20160122) UNRELEASED; urgency=medium
+ikiwiki (3.20160506) unstable; urgency=medium
[ Simon McVittie ]
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (OVE-20160505-0012)
+ * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+ - img: force common Web formats to be interpreted according to extension,
+ so that "allowed_attachments: '*.jpg'" does what one might expect
+ - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+ CVE-2016-3714 and similar vulnerabilities
+ - img: check that the magic number matches what we would expect from
+ the extension before giving common formats to ImageMagick
* d/control: use https for Homepage
* d/control: add Vcs-Browser
[ Joey Hess ]
+ * img: Add back support for SVG images, bypassing ImageMagick and
+ simply passing the SVG through to the browser, which is supported by all
+ commonly used browsers these days.
+ SVG scaling by img directives has subtly changed; where before
+ size=wxh would preserve aspect ratio, this cannot be done when passing
+ them through and so specifying both a width and height can change
+ the SVG's aspect ratio.
* loginselector: When only openid and emailauth are enabled, but
passwordauth is not, avoid showing a "Other" box which opens an
empty form.
[ Amitai Schlair ]
* mdwn: Process .md like .mdwn, but disallow web creation.
- -- Simon McVittie <smcv@debian.org> Thu, 21 Jan 2016 22:34:04 +0000
+ [ Florian Wagner ]
+ * git: Correctly handle filenames starting with a dash in add/rm/mv.
+
+ -- Simon McVittie <smcv@debian.org> Fri, 06 May 2016 07:54:26 +0100
ikiwiki (3.20160121) unstable; urgency=medium