+ikiwiki (3.20141016.4) jessie-security; urgency=high
+
+ * Reference CVE-2016-4561 in 3.20141016.3 changelog
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to CVE-2014-1572.
+ - passwordauth: prevent authentication bypass via multiple name
+ parameters (CVE-2017-0356, OVE-20170111-0001)
+ - passwordauth: prevent userinfo forgery via repeated email
+ parameter (also CVE-2017-0356)
+ - comments, editpage: prevent commit metadata forgery
+ (CVE-2016-9646, OVE-20161226-0001)
+ - CGI, attachment, comments, editpage, notifyemail, passwordauth,
+ po, rename: harden against similar issues that are not believed
+ to be exploitable
+ * t/passwordauth.t: new automated test for CVE-2017-0356
+ * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
+ bugs, including one minor security vulnerability:
+ - Security: try revert operations before approving them. Previously,
+ automatic rename detection could result in a revert writing outside
+ the wiki srcdir or altering a file that the reverting user should not
+ be able to alter, an authorization bypass.
+ (CVE-2016-10026 represents the original vulnerability.)
+ The incomplete fix released in 3.20161219 was not effective for git
+ versions prior to 2.8.0rc0.
+ (CVE-2016-9645 represents that incomplete solution. Debian stable
+ was never vulnerable to this one.)
+ - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
+ file or directory" seen in the initial fixes for those security issues
+ - If no committer identity is known, set it to
+ "IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
+ in versions of git that require a non-trivial committer identity.
+ - Use git log --no-renames to generate recentchanges, fixing the git
+ test-case with git 2.9 (Closes: #835612)
+ - Don't issue a warning if the rcsinfo CGI parameter is undefined
+ - Do not fail to commit changes with a recent git version
+ and an anonymous committer
+ - Do not fail on filenames starting with a dash
+ (patch from Florian Wagner)
+ - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
+ * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
+ for using the CGI with git, including tests for CVE-2016-10026
+ - Build-depend on libipc-run-perl for better build-time test coverage
+ * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression
+ in 3.20141016.3:
+ - img: ignore the case of the extension when detecting image format,
+ fixing the regression that *.JPG etc. would not be displayed
+ (patch from Amitai Schleier)
+ * Backport tests' installed-test (autopkgtest) support from 3.20160121,
+ adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
+ - d/control: add enough build-dependencies to run all tests, except for
+ non-git VCSs
+
+ -- Simon McVittie <smcv@debian.org> Wed, 11 Jan 2017 18:18:52 +0000
+
+ikiwiki (3.20141016.3) jessie-security; urgency=high
+
+ [ Simon McVittie ]
+ * img: stop ImageMagick trying to be clever if filenames contain a colon,
+ avoiding mis-processing
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+ * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+ - img: force common Web formats to be interpreted according to extension,
+ so that "allowed_attachments: '*.jpg'" does what one might expect
+ - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+ CVE-2016-3714 and similar vulnerabilities
+ - img: check that the magic number matches what we would expect from
+ the extension before giving common formats to ImageMagick
+
+ [ Joey Hess ]
+ * img: Add back support for SVG images, bypassing ImageMagick and
+ simply passing the SVG through to the browser, which is supported by all
+ commonly used browsers these days.
+ SVG scaling by img directives has subtly changed; where before
+ size=wxh would preserve aspect ratio, this cannot be done when passing
+ them through and so specifying both a width and height can change
+ the SVG's aspect ratio.
+
+ -- Simon McVittie <smcv@debian.org> Fri, 06 May 2016 07:55:49 +0100
+
+ikiwiki (3.20141016.2) unstable; urgency=high
+
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)
+
+ -- Simon McVittie <smcv@debian.org> Sun, 29 Mar 2015 22:28:15 +0100
+
+ikiwiki (3.20141016.1) unstable; urgency=medium
+
+ * Backport selected commits for Debian 8:
+
+ [ Joey Hess ]
+ * Add missing build-depends on libcgi-formbuilder-perl, needed for
+ t/relativity.t if libipc-run-perl is also installed
+ (buildds are unaffected by this)
+ * Set Debian package maintainer to Simon McVittie as I'm retiring from
+ Debian.
+
+ [ Amitai Schlair ]
+ * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
+ Closes: #774441
+
+ [ Simon McVittie ]
+ * Work around imagemagick Debian bug #771047 by using a non-blank SVG
+ for the regression test, to avoid FTBFS in current unstable
+ if inkscape is installed (buildds are unaffected by this)
+
+ -- Simon McVittie <smcv@debian.org> Wed, 07 Jan 2015 11:08:35 +0000
+
ikiwiki (3.20141016) unstable; urgency=medium
[ Joey Hess ]