X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/37296bcb5a2a64626dc77083b75dd97d15faf948..6d6aa26a5ddfab9c9db48f2446a5fa2dd24c8423:/debian/changelog diff --git a/debian/changelog b/debian/changelog index 1e287264c..96a0121ac 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,110 @@ -ikiwiki (3.20141016) UNRELEASED; urgency=medium +ikiwiki (3.20141016.4) UNRELEASED; urgency=high + + * Reference CVE-2016-4561 in 3.20141016.3 changelog + * Security: force CGI::FormBuilder->field to scalar context where + necessary, avoiding unintended function argument injection + analogous to CVE-2014-1572. + - passwordauth: prevent authentication bypass via multiple name + parameters (OVE-20170111-0001) + - passwordauth: prevent userinfo forgery via repeated email + parameter (OVE-20170111-0001) + - comments, editpage: prevent commit metadata forgery + (CVE-2016-9646, OVE-20161226-0001) + - CGI, attachment, comments, editpage, notifyemail, passwordauth, + po, rename: harden against similar issues that are not believed + to be exploitable + * t/passwordauth.t: new automated test for OVE-20170111-0001 + * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following + bugs, including one minor security vulnerability: + - Security: try revert operations before approving them. Previously, + automatic rename detection could result in a revert writing outside + the wiki srcdir or altering a file that the reverting user should not + be able to alter, an authorization bypass. + (CVE-2016-10026 represents the original vulnerability.) + The incomplete fix released in 3.20161219 was not effective for git + versions prior to 2.8.0rc0. + (CVE-2016-9645 represents that incomplete solution. Debian stable + was never vulnerable to this one.) + - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such + file or directory" seen in the initial fixes for those security issues + - If no committer identity is known, set it to + "IkiWiki " in .git/config. This resolves commit errors + in versions of git that require a non-trivial committer identity. + - Use git log --no-renames to generate recentchanges, fixing the git + test-case with git 2.9 (Closes: #835612) + - Don't issue a warning if the rcsinfo CGI parameter is undefined + - Do not fail to commit changes with a recent git version + and an anonymous committer + - Do not fail on filenames starting with a dash + (patch from Florian Wagner) + - Don't add a redundant "--" and run "git rev-list ... -- -- ..." + * Backport t/git-cgi.t from 3.20170110 to have automated test coverage + for using the CGI with git, including tests for CVE-2016-10026 + - Build-depend on libipc-run-perl for better build-time test coverage + * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression + in 3.20141016.3: + - img: ignore the case of the extension when detecting image format, + fixing the regression that *.JPG etc. would not be displayed + (patch from Amitai Schleier) + + -- Simon McVittie Wed, 11 Jan 2017 15:22:38 +0000 + +ikiwiki (3.20141016.3) jessie-security; urgency=high + + [ Simon McVittie ] + * img: stop ImageMagick trying to be clever if filenames contain a colon, + avoiding mis-processing + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: + - img: force common Web formats to be interpreted according to extension, + so that "allowed_attachments: '*.jpg'" does what one might expect + - img: restrict to JPEG, PNG and GIF images by default, again mitigating + CVE-2016-3714 and similar vulnerabilities + - img: check that the magic number matches what we would expect from + the extension before giving common formats to ImageMagick + + [ Joey Hess ] + * img: Add back support for SVG images, bypassing ImageMagick and + simply passing the SVG through to the browser, which is supported by all + commonly used browsers these days. + SVG scaling by img directives has subtly changed; where before + size=wxh would preserve aspect ratio, this cannot be done when passing + them through and so specifying both a width and height can change + the SVG's aspect ratio. + + -- Simon McVittie Fri, 06 May 2016 07:55:49 +0100 + +ikiwiki (3.20141016.2) unstable; urgency=high + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483) + + -- Simon McVittie Sun, 29 Mar 2015 22:28:15 +0100 + +ikiwiki (3.20141016.1) unstable; urgency=medium + + * Backport selected commits for Debian 8: + + [ Joey Hess ] + * Add missing build-depends on libcgi-formbuilder-perl, needed for + t/relativity.t if libipc-run-perl is also installed + (buildds are unaffected by this) + * Set Debian package maintainer to Simon McVittie as I'm retiring from + Debian. + + [ Amitai Schlair ] + * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). + Closes: #774441 + + [ Simon McVittie ] + * Work around imagemagick Debian bug #771047 by using a non-blank SVG + for the regression test, to avoid FTBFS in current unstable + if inkscape is installed (buildds are unaffected by this) + + -- Simon McVittie Wed, 07 Jan 2015 11:08:35 +0000 + +ikiwiki (3.20141016) unstable; urgency=medium [ Joey Hess ] * Fix crash that can occur when only_committed_changes is set and a @@ -31,8 +137,10 @@ ikiwiki (3.20141016) UNRELEASED; urgency=medium so we can thumbnail SVGs in the docwiki * debian: explicitly depend and build-depend on libcgi-pm-perl * debian: drop unused python-support dependency + * debian: rename debian/link to debian/links so the intended symlinks appear + * debian: fix some wrong paths in the copyright file - -- Simon McVittie Tue, 16 Sep 2014 11:21:16 +0100 + -- Simon McVittie Thu, 16 Oct 2014 23:28:26 +0100 ikiwiki (3.20140916) unstable; urgency=low