X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/53cbfb4b5a794b23fc932c8f0b59b2714e3c4678..1d1776b1ff3abbb40f6127ffb82f0c7a7b84ba14:/CHANGELOG diff --git a/CHANGELOG b/CHANGELOG index 1fa0a7c92..a30a5de00 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,4 +1,70 @@ -ikiwiki (3.20180312) UNRELEASED; urgency=medium +ikiwiki (3.20200202.4) UNRELEASED; urgency=medium + + * aggregate: When a feed has an enclosure that is an image, audio, or + video, include the enclosure in the generated page. + * aggregate: Also support feeds with media:content tags. + + -- Joey Hess Sat, 25 Dec 2021 12:41:34 -0400 + +ikiwiki (3.20200202.3) upstream; urgency=medium + + [ Amitai Schleier ] + * highlight: Adapt to API change in highlight >= 3.51 + * mdwn: Fix inverted footnote configuration when MultiMarkdown is + enabled. Thanks, Giuseppe Bilotta + + [ Joey Hess ] + * Updated German basewiki and directives translation from + Sebastian Kuhnert. + * Updated German program translation from + Sebastian Kuhnert. + + -- Joey Hess Sun, 02 Feb 2020 00:00:00 -0400 + +ikiwiki (3.20190228) upstream; urgency=medium + + * aggregate: Use LWPx::ParanoidAgent if available. + Previously blogspam, openid and pinger used this module if available, + but aggregate did not. This prevents server-side request forgery or + local file disclosure, and mitigates denial of service when slow + "tarpit" URLs are accessed. + (CVE-2019-9187) + * blogspam, openid, pinger: Use a HTTP proxy if configured, even if + LWPx::ParanoidAgent is installed. + Previously, only aggregate would obey proxy configuration. If a proxy + is used, the proxy (not ikiwiki) is responsible for preventing attacks + like CVE-2019-9187. + * aggregate, blogspam, openid, pinger: Do not access non-http, non-https + URLs. + Previously, these plugins would have allowed non-HTTP-based requests if + LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local + file disclosure, and preventing other rarely-used URI schemes like + gopher mitigates request forgery attacks. + * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly + recommended. + These plugins can request attacker-controlled URLs in some site + configurations. + * blogspam: Document LWPx::ParanoidAgent as desirable. + This plugin doesn't request attacker-controlled URLs, so it's + non-critical here. + * blogspam, openid, pinger: Consistently use cookiejar if configured. + Previously, these plugins would only obey this configuration if + LWPx::ParanoidAgent was not installed, but this appears to have been + unintended. + * po: Always filter .po files. + The po plugin in previous ikiwiki releases made the second and + subsequent filter call per (page, destpage) pair into a no-op, + apparently in an attempt to prevent *recursive* filtering (which as + far as we can tell can't happen anyway), with the undesired effect + of interpreting the raw .po file as page content (e.g. Markdown) + if it was inlined into the same page twice, which is apparently + something that tails.org does. Simplify this by deleting the code + that prevented repeated filtering. Thanks, intrigeri + (Closes: #911356) + + -- Simon McVittie Tue, 26 Feb 2019 21:05:49 +0000 + +ikiwiki (3.20190207) upstream; urgency=medium [ Amitai Schleier ] * graph: Add an optional "file" parameter @@ -35,7 +101,7 @@ ikiwiki (3.20180312) UNRELEASED; urgency=medium * poll: Added postlink and posttrail options for better multi-page polls. * Fix permalink to comments. - -- Simon McVittie Wed, 16 May 2018 13:09:27 +0100 + -- Simon McVittie Thu, 07 Feb 2019 11:07:44 +0000 ikiwiki (3.20180311) upstream; urgency=medium