+ikiwiki (3.20141016.4) UNRELEASED; urgency=high
+
+ * Reference CVE-2016-4561 in 3.20141016.3 changelog
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to CVE-2014-1572.
+ - passwordauth: prevent authentication bypass via multiple name
+ parameters (OVE-20170111-0001)
+ - passwordauth: prevent userinfo forgery via repeated email
+ parameter (OVE-20170111-0001)
+ - comments, editpage: prevent commit metadata forgery
+ (CVE-2016-9646, OVE-20161226-0001)
+ - CGI, attachment, comments, editpage, notifyemail, passwordauth,
+ po, rename: harden against similar issues that are not believed
+ to be exploitable
+ * t/passwordauth.t: new automated test for OVE-20170111-0001
+ * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression
+ in 3.20141016.3:
+ - img: ignore the case of the extension when detecting image format,
+ fixing the regression that *.JPG etc. would not be displayed
+ (patch from Amitai Schleier)
+
+ -- Simon McVittie <smcv@debian.org> Wed, 11 Jan 2017 15:22:38 +0000
+
ikiwiki (3.20141016.3) jessie-security; urgency=high
[ Simon McVittie ]