X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/4d1942d1ba73e39fd246cee6579f2d788ed2a0af..a44d943bbae6f1cb509e7564a8777406bcbb8609:/debian/NEWS
diff --git a/debian/NEWS b/debian/NEWS
index d0d74a167..f7d76649d 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,4 +1,26 @@
-ikiwiki (3.20110114) unstable; urgency=low
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
+
+ To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+ the [[!img]] directive is now restricted to these common web formats by
+ default:
+
+ * JPEG (.jpg, .jpeg)
+ * PNG (.png)
+ * GIF (.gif)
+ * SVG (.svg)
+
+ (In particular, by default resizing PDF files is no longer allowed.)
+
+ Additionally, resized SVG files are displayed in the browser as SVG
+ instead of being converted to PNG.
+
+ If all users who can attach images are fully trusted, this restriction
+ can be removed with the new img_allowed_formats setup option.
+ See for more details.
+
+ -- Simon McVittie Sun, 08 May 2016 16:30:55 +0100
+
+ikiwiki (3.20110122) unstable; urgency=low
If you have custom CSS that uses "#feedlinks" or "#blogform", you will
need to change it to instead use ".feedlinks" and ".blogform"