-ikiwiki (3.20161229.1) UNRELEASED; urgency=medium
+ikiwiki (3.20170622) unstable; urgency=medium
+
+ * t/git-cgi.t: Wait 1 second before doing a revert that should work.
+ This hopefully fixes a race condition in which the test failed
+ around 6% of the time. (Closes: 862494)
+ * Guard against set-but-empty REMOTE_USER CGI variable on
+ misconfigured nginx servers, and in general treat sessions with
+ a set-but-empty name as if they were not signed in.
+ * When the CGI fails, print the error to stderr, not "Died"
+ * mdwn: Don't mangle <style> into <elyts> under some circumstances
+ * mdwn: Enable footnotes by default when using the default Discount
+ implementation. A new mdwn_footnotes option can be used to disable
+ footnotes in MultiMarkdown and Discount.
+ * mdwn: Don't enable alphabetically labelled ordered lists by
+ default when using the default Discount implementation. A new
+ mdwn_alpha_list option can be used to restore the old
+ interpretation.
+ * osm: Convert savestate hook into a changes hook. savestate is not
+ the right place to write wiki content, and in particular this
+ breaks websetup if osm's dependencies are not installed, even
+ if the osm plugin is not actually enabled. (Closes: #719913)
+ * toc: if the heading is of the form <h1 id="...">, use that for
+ the link in the table of contents (but continue to generate
+ <a name="index42"></a> in case someone was relying on it)
+ * color: Do not leak markup into contexts that take only the plain
+ text, such as toc
+ * meta: Document [[!meta name="foo" content="bar"]]
+ * debian: Use preferred https URL for Format of debian/copyright
+ * debian: Declare compliance with Debian Policy 4.0.0
+
+ -- Simon McVittie <smcv@debian.org> Thu, 22 Jun 2017 09:24:57 +0100
+
+ikiwiki (3.20170111) unstable; urgency=high
+
+ * passwordauth: prevent authentication bypass via multiple name
+ parameters (CVE-2017-0356, OVE-20170111-0001)
+ * passwordauth: avoid userinfo forgery via repeated email parameter
+ (also in the scope of CVE-2017-0356)
+ * CGI, attachment, passwordauth: harden against repeated parameters
+ (not believed to have been a vulnerability)
+ * remove: make it clearer that repeated page parameter is OK here
+ * t/passwordauth.t: new automated test for passwordauth
+
+ -- Simon McVittie <smcv@debian.org> Wed, 11 Jan 2017 18:16:53 +0000
+
+ikiwiki (3.20170110) unstable; urgency=medium
+
+ [ Amitai Schleier ]
+ * wrappers: Correctly escape quotes in git_wrapper_background_command
+
+ [ Simon McVittie ]
+ * git: use an explicit function parameter for the directory to work
+ in. Previously, we used global state that was not restored correctly
+ on catching exceptions, causing an unintended log message
+ "cannot chdir to .../ikiwiki-temp-working: No such file or directory"
+ with versions >= 3.20161229 when an attempt to revert a change fails
+ or is disallowed
+ * git: don't run "git rev-list ... -- -- ..." which would select the
+ wrong commits if a file named literally "--" is present in the
+ repository
+ * check_canchange: log "bad file name whatever", not literal string
+ "bad file name %s"
+ * t/git-cgi.t: fix a race condition that made the test fail
+ intermittently
+ * t/git-cgi.t: be more careful to provide a syntactically valid
+ author/committer name and email, hopefully fixing this test on
+ ci.debian.net
+ * templates, comments, passwordauth: use rel=nofollow microformat
+ for dynamic URLs
+ * templates: use rel=nofollow microformat for comment authors
+ * news: use Debian security tracker instead of MITRE for security
+ references. Thanks, anarcat
+ * Set package format to 3.0 (native)
+ * d/copyright: re-order to put more specific stanzas later, to get the
+ intended interpretation
+ * d/source/lintian-overrides: override obsolete-url-in-packaging for
+ OpenID Selector, which does not seem to have any more current URL
+ (and in any case our version is a fork)
+ * docwiki.setup: exclude TourBusStop from offline documentation.
+ It does not make much sense there.
+ * d/ikiwiki.lintian-overrides: override script-not-executable warnings
+ * d/ikiwiki.lintian-overrides: silence false positive spelling warning
+ for Moin Moin
+ * d/ikiwiki.doc-base: register the documentation with doc-base
+ * d/control: set libmagickcore-6.q16-3-extra as preferred
+ build-dependency, with virtual package libmagickcore-extra as an
+ alternative, to help autopkgtest to do the right thing
+
+ -- Simon McVittie <smcv@debian.org> Tue, 10 Jan 2017 13:22:01 +0000
+
+ikiwiki (3.20161229.1) unstable; urgency=medium
* git: Attribute reverts to the user doing the revert, not the wiki
itself.
* git: Do not disable the commit hook while preparing a revert.
- -- Simon McVittie <smcv@debian.org> Thu, 29 Dec 2016 20:35:51 +0000
+ -- Simon McVittie <smcv@debian.org> Thu, 29 Dec 2016 20:46:24 +0000
ikiwiki (3.20161229) unstable; urgency=medium