-ikiwiki (3.20111230) UNRELEASED; urgency=low
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
+
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+ * Update img plugin to version 3.20160509 to mitigate ImageMagick
+ vulnerabilities, including remote code execution (CVE-2016-3714):
+ - Never convert SVG images to PNG; simply pass them through to the
+ browser. This prevents exploitation of any ImageMagick SVG coder
+ vulnerabilities. (joeyh)
+ - Do not resize image formats other than JPEG, PNG, GIF unless
+ specifically configured to do so. This prevents exploitation
+ of any vulnerabilities in less common coders, such as MVG.
+ (schmonz, smcv)
+ - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
+ not match their "magic numbers", because wiki admins might try to
+ restrict attachments by extension, but ImageMagick can base its
+ choice of coder on the magic number. Explicitly force the
+ obvious ImageMagick coder to be used. (smcv)
+ * Minor non-security changes resulting from that update, since
+ reverting them seems higher-risk than keeping them:
+ - Add PDF support, disabled by the above changes unless specifically
+ configured (chrysn)
+ - Only render one frame or page from animated GIF or multi-page PDF
+ (chrysn)
+ - Do not distort aspect ratio when resizing small images (chrysn)
+ - Use data: URLs to embed images in page previews (chrysn)
+ - Raise an error if the image's size cannot be determined (chrysn)
+ - Handle filenames containing a colon correctly (smcv)
+ * Add t/img.t regression test also taken from version 3.20160506
+ (chrysn, joeyh, schmonz, smcv)
+ * debian/tests: add metadata to run the img test as an autopkgtest
+
+ -- Simon McVittie <smcv@debian.org> Mon, 09 May 2016 22:38:35 +0100
+
+ikiwiki (3.20120629.2) wheezy; urgency=medium
+
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483;
+ CVE-2015-2793)
+
+ -- Simon McVittie <smcv@debian.org> Mon, 06 Apr 2015 20:34:51 +0100
+
+ikiwiki (3.20120629.1) wheezy; urgency=medium
+
+ Backport blogspam plugin from experimental, because the version in
+ wheezy is no longer usable:
+
+ [ Joey Hess ]
+ * Set Debian package maintainer to Simon McVittie as I'm retiring from
+ Debian.
+
+ [ Amitai Schlair ]
+ * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
+ Closes: #774441
+
+ -- Simon McVittie <smcv@debian.org> Sat, 17 Jan 2015 11:53:33 +0000
+
+ikiwiki (3.20120629) unstable; urgency=low
+
+ * mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or
+ other config differences by linking to the mirror's CGI. (intrigeri)
+
+ -- Joey Hess <joeyh@debian.org> Fri, 29 Jun 2012 10:16:08 -0400
+
+ikiwiki (3.20120516) unstable; urgency=high
+
+ * meta: Security fix; add missing sanitization of author and authorurl.
+ CVE-2012-0220 Thanks, Raúl Benencia
+
+ -- Joey Hess <joeyh@debian.org> Wed, 16 May 2012 19:51:27 -0400
+
+ikiwiki (3.20120419) unstable; urgency=low
+
+ * Remove dead link from plugins/teximg. Closes: #664885
+ * inline: When the pagenames list includes pages that do not exist, skip
+ them.
+ * meta: Export author information in html <meta> tag. Closes: #664779
+ Thanks, Martin Michlmayr
+ * notifyemail: New plugin, sends email notifications about new and
+ changed pages, and allows subscribing to comments.
+ * Added a "changes" hook. Renamed the "change" hook to "rendered", but
+ the old hook name is called for now for back-compat.
+ * meta: Support keywords header. Closes: #664780
+ Thanks, Martin Michlmayr
+ * passwordauth: Fix url in password recovery email to be absolute.
+ * httpauth: When it's the only auth method, avoid a pointless and
+ confusing signin form, and go right to the httpauthurl.
+ * rename: Allow rename to be started not from the edit page; return to
+ the renamed page in this case.
+ * remove: Support removing of pages in the transient underlay. (smcv)
+ * inline, trail: The pagenames parameter is now a list of absolute
+ pagenames, not relative wikilink type names. This is necessary to fix
+ a bug, and makes pagenames more consistent with the pagespec used
+ in the pages parameter. (smcv)
+ * link: Fix renaming wikilinks that contain embedded urls.
+ * graphviz: Handle self-links.
+ * trail: Improve CSS, also display trail links at bottom of page,
+ and a bug fix. (smcv)
+
+ -- Joey Hess <joeyh@debian.org> Thu, 19 Apr 2012 15:32:07 -0400
+
+ikiwiki (3.20120319) unstable; urgency=low
+
+ * osm: New plugin to embed an OpenStreetMap into a wiki page.
+ Supports waypoints, tags, and can even draw paths matching
+ wikilinks between pages containing waypoints.
+ Thanks to Blars Blarson and Antoine Beaupré, as well as the worldwide
+ OpenStreetMap community for this utter awesomeness.
+ * trail: New plugin to add navigation trails through pages via Next and
+ Previous links. Trails can easily be added to existing inlines by setting
+ trail=yes in the inline.
+ Thanks to Simon McVittie for his persistance developing this feature.
+ * Fix a snail mail address. Closes: #659158
+ * openid-jquery.js: Update URL of Wordpress favicon. Closes: #660549
+ * Drop the version attribute on the generator tag in Atom feeds
+ to make builds more reproducible. Closes: #661569 (Paul Wise)
+ * shortcut: Support Wikipedia's form of url-encoding for unicode
+ characters, which involves mojibake. Closes: #661198
+ * Add a few missing jquery UI icons to attachment upload widget underlay.
+ * URI escape filename when generating the diffurl.
+ * Add build-affected hook. Used by trail.
+
+ -- Joey Hess <joeyh@debian.org> Mon, 19 Mar 2012 14:24:43 -0400
+
+ikiwiki (3.20120202) unstable; urgency=low
+
+ * mdwn: Added nodiscount setting, which can be used to avoid using the
+ markdown discount engine, when maximum compatability is needed.
+ * Switch to YAML::XS to work around insanity in YAML::Mo. Closes: #657533
+ * cvs: Ensure text files are added in non-binary mode. (Amitai Schlair)
+ * cvs: Various cleanups and testing. (Amitai Schlair)
+ * calendar: Fix strftime encoding bug.
+ * shortcuts: Fixed a broken shortcut to wikipedia (accidentially
+ made into a shortcut to wikiMedia).
+ * Various portability improvements. (Amitai Schlair)
+
+ -- Joey Hess <joeyh@debian.org> Thu, 02 Feb 2012 21:42:40 -0400
+
+ikiwiki (3.20120115) unstable; urgency=low
+
+ * Make backlink(.) work. Thanks, Giuseppe Bilotta.
+ * mdwn: Workaround discount's eliding of <style> blocks.
+ * attachment: Fix utf-8 display bug.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 15 Jan 2012 16:19:25 -0400
+
+ikiwiki (3.20120109) unstable; urgency=low
* mdwn: Can use the discount markdown library, via the
Text::Markdown::Discount perl module. This is preferred if available
since it's the fastest currently supported markdown library, speeding up
- ikiwiki's rendering by a factor of 40.
+ ikiwiki's markdown rendering by a factor of 40.
(However, when multimarkdown is enabled, Text::Markdown::Multimarkdown
is still used.)
* On Debian, depend on libtext-markdown-discount.
- -- Joey Hess <joeyh@debian.org> Sun, 01 Jan 2012 16:22:24 -0400
+ -- Joey Hess <joeyh@debian.org> Mon, 09 Jan 2012 11:49:14 -0400
ikiwiki (3.20111229) unstable; urgency=low