-ikiwiki (3.20100611) UNRELEASED; urgency=low
+ikiwiki (3.20100815.9) stable-security; urgency=high
+
+ * meta: Security fix; add missing sanitization of author and authorurl.
+ CVE-2012-0220 Thanks, Raúl Benencia
+ * po: Make po4a warn, not error on a malformed document. (intrigeri)
+
+ -- Joey Hess <joeyh@debian.org> Wed, 16 May 2012 19:51:27 -0400
+
+ikiwiki (3.20100815.7) stable-security; urgency=high
+
+ * meta: Security fix; don't allow alternative stylesheets to be added on
+ pages where the htmlscrubber is enabled. CVE-2011-1401
+
+ -- Joey Hess <joeyh@debian.org> Mon, 28 Mar 2011 12:35:13 -0400
+
+ikiwiki (3.20100815.6) testing; urgency=low
+
+ * comments: Fix commenting, broken by security fix.
+
+ -- Joey Hess <joeyh@debian.org> Mon, 24 Jan 2011 16:56:05 -0400
+
+ikiwiki (3.20100815.5) testing; urgency=low
+
+ * comments: Fix XSS security hole due to missing validation of page name.
+ CVE-2011-0428 (Thanks, Dave B.)
+
+ -- Joey Hess <joeyh@debian.org> Sat, 22 Jan 2011 11:02:59 -0400
+
+ikiwiki (3.20100815.4) testing; urgency=low
+
+ * meta: Fix calling of htmlscrubber to pass the page parameter.
+ The change of the htmlscrubber to look at page rather than destpage
+ caused htmlscrubber_skip to not work for meta directives.
+
+ -- Joey Hess <joeyh@debian.org> Mon, 29 Nov 2010 14:44:13 -0400
+
+ikiwiki (3.20100815.2) testing; urgency=low
+
+ * Bugfix-only cherry-pick release for Debian squeeze.
+ * Fix htmlscrubber_skip to be matched on the source page, not the page it is
+ inlined into. Should allow setting to "* and !comment(*)" to scrub
+ comments, but leave your blog posts unscrubbed, etc. CVE-2010-1673
+ * comments: Make postcomment() pagespec work when previewing a comment,
+ including during moderation. CVE-2010-1673
+ * comments: Make comment() pagespec also match comments that are being
+ posted. CVE-2010-1673
+ * openid: Syntax tweak to the javascript code to make it work with MSIE 7
+ (and MSIE 8 in compat mode). Thanks to Iain McLaren for reporting
+ the bug and providing access to debug it.
+ * blogspam: Fix crash when content contained utf-8.
+ * external: Disable RPC::XML's "smart" encoding, which sent ints
+ for strings that contained only a number, fixing a longstanding crash
+ of the rst plugin.
+ * websetup: Fix saving of advanced mode changes.
+ * websetup: Fix defaults of checkboxes in advanced mode.
+ * Fix test suite failure on other side of date line.
+ * Set isPermaLink="no" for guids in rss feeds.
+ * sortnaturally: Added missing registration of checkconfig hook.
+
+ -- Joey Hess <joeyh@debian.org> Fri, 12 Nov 2010 11:09:39 -0400
+
+ikiwiki (3.20100815) unstable; urgency=medium
+
+ * Fix po test suite to not assume ikiwiki's underlay is already installed.
+ Closes: #593047
+
+ -- Joey Hess <joeyh@debian.org> Sun, 15 Aug 2010 11:42:55 -0400
+
+ikiwiki (3.20100804) unstable; urgency=low
+
+ * template: Fix dependency tracking. Broken in version 3.20100427.
+ * po: The po_slave_languages setting is now a list, so the order of
+ translated languages can be controlled. (intrigeri)
+ * git: Fix gitweb historyurl examples so "diff to current" links work.
+ (Thanks jrayhawk)
+ * meta: Allow syntax closer to html meta to be used.
+ * Add new disable hook, allowing plugins to perform cleanup after they
+ have been disabled.
+ * Use Digest::SHA built into perl rather than external Digest::SHA1
+ to simplify dependencies. Closes: #591040
+ * Fixes a bug that prevented matching deleted pages when using the page()
+ PageSpec.
+
+ -- Joey Hess <joeyh@debian.org> Wed, 04 Aug 2010 09:20:52 -0400
+
+ikiwiki (3.20100722) unstable; urgency=low
+
+ * img: Add a margin around images displayed by this directive.
+ * comments: Added commentmoderation directive for easy linking to the
+ comment moderation queue.
+ * aggregate: Write timestamp next aggregation can happen to
+ .ikiwiki/aggregatetime, to allow for more sophisticated cron jobs.
+ * Add --changesetup mode that allows easily changing options in a
+ setup file.
+ * openid: Fix handling of utf-8 nicknames.
+ * Clarified what the filter hook should be passed: Only be the raw,
+ complete text of a page. Not a snippet, or data read in from an
+ unrelated file.
+ * template: Do not pass filled in template through filter hook.
+ Avoids causing breakage in po plugin.
+ * color, comments, conditional, cutpaste, more, sidebar, toggle: Also
+ avoid unnecessary calls to filter hook.
+ * po: needstranslation() pagespec can have a percent specified.
+ * Drop Cache-Control must-revalidate (Firefox 3.5.10 does not seem to have
+ the caching problem that was added to work around). Closes: #588623
+ * Made much more robust in cases where multiple source files produce
+ conflicting files/directories in the destdir.
+ * Updated French translation from Philippe Batailler. Closes: #589423
+ * po: Fix selflink display on tranlsated pages. (intrigeri)
+ * Avoid showing 'Add a comment' link at the bottom of the comment post form.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 22 Jul 2010 16:49:05 -0400
+
+ikiwiki (3.20100704) unstable; urgency=low
+
+ * Changes to avoid display of ugly google openids, by displaying
+ a username taken from openid.
+ * API: Add new optional field nickname to rcs_recentchanges.
+ * API: rcs_commit and rcs_commit_staged are now passed named
+ parameters.
+ * openid: Store nickname based on username or email provided from
+ openid provider.
+ * git: Record the nickname from openid in the git author email.
+ * comment: Record the username from openid in the comment page.
+ * Fixed some confusion and bugginess about whether
+ rcs_getctime/rcs_getmtime were passed absolute or relative filenames.
+ (Make it relative like everything else.)
+ * hnb: Fixed broken use of mkstemp that had caused dangling temp files,
+ and prevented actually rendering hnb files.
+ * Use comment template on comments page of example blog.
+ * comment.tmpl: Fix up display when inline uses it to display a non-comment
+ page. (Such as a discussion page.)
+ * git: Added git_wrapper_background_command option. Can be used to eg,
+ make the git wrapper push to github in the background after ikiwiki
+ runs.
+ * po: Added needstranslation() pagespec. (intrigeri)
+ * po: Added support for .html source pages. (intrigeri)
+ * comment: Fix problem moderating comments of certian pages with utf-8
+ in their name.
+
+ -- Joey Hess <joeyh@debian.org> Sun, 04 Jul 2010 16:19:43 -0400
+
+ikiwiki (3.20100623) unstable; urgency=low
* openid: Add openid_realm and openid_cgiurl configuration options,
useful in a few edge case setups.
* edittemplate: Make silent mode not disable display when the template
page does not exist, so it can be easily created.
* edittemplate: Look for template pages under templates/ like everything
- else (still looks in old location for backwards compatability).
+ else (still looks in old location for backwards compatibility).
* attachment: When inserting links, insert img directives for images,
if that plugin is enabled.
* websetup: Allow enabling plugins listed in disable_plugins.
* Fix issues with combining unicode srcdirs and source files.
(Workaround bug #586045)
* Make --gettime be honored after initial setup.
- * git: Gix --gettime to properly support utf8 filenames.
+ * git: Fix --gettime to properly support utf8 filenames.
* attachment: Support Windows paths when taking basename of client-supplied
file name.
- * theme: New plugin, allows easily theming a site via the underlay.
+ * theme: New plugin, allows easily themeing a site via the underlay.
+ * Added actiontabs theme by Svend Sorensen.
+ * Added blueview theme by Bernd Zeimetz.
* mercurial: Fix buggy getctime code. Closes: #586279
+ * link: Enhanced to handle URLs and email addresses. (Bernd Zeimetz)
- -- Joey Hess <joeyh@debian.org> Fri, 11 Jun 2010 13:39:15 -0400
+ -- Joey Hess <joeyh@debian.org> Wed, 23 Jun 2010 14:10:26 -0400
ikiwiki (3.20100610) unstable; urgency=low