X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/7173ef1b1315196903c7d05d664688cd65d324a0..d4894526ae2e09d9093bc3d734c41807bf5ec2df:/debian/changelog?ds=sidebyside diff --git a/debian/changelog b/debian/changelog index e9eb2704b..b3e7e559b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,364 @@ -ikiwiki (3.20121213) UNRELEASED; urgency=low +ikiwiki (3.20141016.4) jessie-security; urgency=high + + * Reference CVE-2016-4561 in 3.20141016.3 changelog + * Security: force CGI::FormBuilder->field to scalar context where + necessary, avoiding unintended function argument injection + analogous to CVE-2014-1572. + - passwordauth: prevent authentication bypass via multiple name + parameters (CVE-2017-0356, OVE-20170111-0001) + - passwordauth: prevent userinfo forgery via repeated email + parameter (also CVE-2017-0356) + - comments, editpage: prevent commit metadata forgery + (CVE-2016-9646, OVE-20161226-0001) + - CGI, attachment, comments, editpage, notifyemail, passwordauth, + po, rename: harden against similar issues that are not believed + to be exploitable + * t/passwordauth.t: new automated test for CVE-2017-0356 + * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following + bugs, including one minor security vulnerability: + - Security: try revert operations before approving them. Previously, + automatic rename detection could result in a revert writing outside + the wiki srcdir or altering a file that the reverting user should not + be able to alter, an authorization bypass. + (CVE-2016-10026 represents the original vulnerability.) + The incomplete fix released in 3.20161219 was not effective for git + versions prior to 2.8.0rc0. + (CVE-2016-9645 represents that incomplete solution. Debian stable + was never vulnerable to this one.) + - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such + file or directory" seen in the initial fixes for those security issues + - If no committer identity is known, set it to + "IkiWiki " in .git/config. This resolves commit errors + in versions of git that require a non-trivial committer identity. + - Use git log --no-renames to generate recentchanges, fixing the git + test-case with git 2.9 (Closes: #835612) + - Don't issue a warning if the rcsinfo CGI parameter is undefined + - Do not fail to commit changes with a recent git version + and an anonymous committer + - Do not fail on filenames starting with a dash + (patch from Florian Wagner) + - Don't add a redundant "--" and run "git rev-list ... -- -- ..." + * Backport t/git-cgi.t from 3.20170110 to have automated test coverage + for using the CGI with git, including tests for CVE-2016-10026 + - Build-depend on libipc-run-perl for better build-time test coverage + * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression + in 3.20141016.3: + - img: ignore the case of the extension when detecting image format, + fixing the regression that *.JPG etc. would not be displayed + (patch from Amitai Schleier) + * Backport tests' installed-test (autopkgtest) support from 3.20160121, + adjusted for compatibility with the older pkg-perl-autopkgtest in jessie + - d/control: add enough build-dependencies to run all tests, except for + non-git VCSs + + -- Simon McVittie Wed, 11 Jan 2017 18:18:52 +0000 + +ikiwiki (3.20141016.3) jessie-security; urgency=high + + [ Simon McVittie ] + * img: stop ImageMagick trying to be clever if filenames contain a colon, + avoiding mis-processing + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: + - img: force common Web formats to be interpreted according to extension, + so that "allowed_attachments: '*.jpg'" does what one might expect + - img: restrict to JPEG, PNG and GIF images by default, again mitigating + CVE-2016-3714 and similar vulnerabilities + - img: check that the magic number matches what we would expect from + the extension before giving common formats to ImageMagick + + [ Joey Hess ] + * img: Add back support for SVG images, bypassing ImageMagick and + simply passing the SVG through to the browser, which is supported by all + commonly used browsers these days. + SVG scaling by img directives has subtly changed; where before + size=wxh would preserve aspect ratio, this cannot be done when passing + them through and so specifying both a width and height can change + the SVG's aspect ratio. + + -- Simon McVittie Fri, 06 May 2016 07:55:49 +0100 + +ikiwiki (3.20141016.2) unstable; urgency=high + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483) + + -- Simon McVittie Sun, 29 Mar 2015 22:28:15 +0100 + +ikiwiki (3.20141016.1) unstable; urgency=medium + + * Backport selected commits for Debian 8: + + [ Joey Hess ] + * Add missing build-depends on libcgi-formbuilder-perl, needed for + t/relativity.t if libipc-run-perl is also installed + (buildds are unaffected by this) + * Set Debian package maintainer to Simon McVittie as I'm retiring from + Debian. + + [ Amitai Schlair ] + * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). + Closes: #774441 + + [ Simon McVittie ] + * Work around imagemagick Debian bug #771047 by using a non-blank SVG + for the regression test, to avoid FTBFS in current unstable + if inkscape is installed (buildds are unaffected by this) + + -- Simon McVittie Wed, 07 Jan 2015 11:08:35 +0000 + +ikiwiki (3.20141016) unstable; urgency=medium + + [ Joey Hess ] + * Fix crash that can occur when only_committed_changes is set and a + file is deleted from the underlay. + + [ Simon McVittie ] + * core: avoid dangerous use of CGI->param in list context, which led + to a security flaw in Bugzilla; as far as we can tell, ikiwiki + is not vulnerable to a similar attack, but it's best to be safe + * core: new reverse_proxy option prevents ikiwiki from trying to detect + how to make self-referential URLs by using the CGI environment variables, + for instance when it's deployed behind a HTTP reverse proxy + (Closes: #745759) + * core: the default User-Agent is now "ikiwiki/$version" to work around + ModSecurity rules assuming that only malware uses libwww-perl + * core: use protocol-relative URLs (e.g. //www.example.com/wiki) so that + https stays on https and http stays on http, particularly if the + html5 option is enabled + * core: avoid mixed content when a https cgiurl links to http static pages + on the same server (the static pages are assumed to be accessible via + https too) + * core: force the correct top URL in w3mmode + * google plugin: Use search form + * docwiki: replace Paypal and Flattr buttons with text links + * comments: don't record the IP address in the wiki if the user is + logged in via passwordauth or httpauth + * templates: add ARIA roles to some page elements, if html5 is enabled. + Thanks, Patrick + * debian: build-depend on libmagickcore-6.q16-2-extra | libmagickcore-extra + so we can thumbnail SVGs in the docwiki + * debian: explicitly depend and build-depend on libcgi-pm-perl + * debian: drop unused python-support dependency + * debian: rename debian/link to debian/links so the intended symlinks appear + * debian: fix some wrong paths in the copyright file + + -- Simon McVittie Thu, 16 Oct 2014 23:28:26 +0100 + +ikiwiki (3.20140916) unstable; urgency=low + + * Don't double-decode CGI submissions with Encode.pm >= 2.53, + fixing "Error: Cannot decode string with wide characters". + Thanks, Antoine Beaupré + * Avoid making trails depend on everything in the wiki by giving them + a better way to sort the pages + * Don't let users post comments that won't be displayed + * Fix encoding of Unicode strings in Python plugins. + Thanks, chrysn + * Improve performance and correctness of the [[!if]] directive + * Let [[!inline rootpage=foo postform=no]] disable the posting form + * Switch default [[!man]] shortcut to manpages.debian.org. Closes: #700322 + * Add UUID and TIME variables to edittemplate. Closes: #752827 + Thanks, Jonathon Anderson + * Display pages in linkmaps as their pagetitle (no underscore escapes). + Thanks, chrysn + * Fix aspect ratio when scaling small images, and add support for + converting SVG and PDF graphics to PNG. + Thanks, chrysn + - suggest ghostscript (required for PDF-to-PNG thumbnailing) + and libmagickcore-extra (required for SVG-to-PNG thumbnailing) + - build-depend on ghostscript so the test for scalable images can be run + * In the CGI wrapper, incorporate $config{ENV} into the environment + before executing Perl code, so that PERL5LIB can point to a + non-system-wide installation of IkiWiki. + Thanks, Lafayette Chamber Singers Webmaster + * filecheck: accept MIME types not containing ';' + * autoindex: index files in underlays if the resulting pages aren't + going to be committed. Closes: #611068 + * Add [[!templatebody]] directive so template pages don't have to be + simultaneously a valid template and valid HTML + * Add myself to Uploaders and release to Debian + + -- Simon McVittie Fri, 12 Sep 2014 21:23:58 +0100 + +ikiwiki (3.20140831) unstable; urgency=medium + + * Make --no-gettime work in initial build. Closes: #755075 + + -- Joey Hess Sun, 31 Aug 2014 14:17:24 -0700 + +ikiwiki (3.20140815) unstable; urgency=medium + + * Add google back to openid selector. Apparently this has gotten a stay + of execution until April 2015. (It may continue to work until 2017.) + * highlight: Add compatibility with highlight 3.18, while still supporting + 3.9+. Closes: #757679 + Thanks, David Bremner + * highlight: Add support for multiple language definition directories + Closes: #757680 + Thanks, David Bremner + + -- Joey Hess Fri, 15 Aug 2014 12:58:08 -0400 + +ikiwiki (3.20140613) unstable; urgency=medium + + * only_committed_changes could fail in a git repository merged + with git merge -s ours. + * Remove google from openid selector, per http://xkcd.com/1361/ + + -- Joey Hess Fri, 13 Jun 2014 10:09:10 -0400 + +ikiwiki (3.20140227) unstable; urgency=medium + + * Added useragent config setting. Closes: #737121 + Thanks, Tuomas Jormola + * po: Add html_lang_code and html_lang_dir template variables + for the language code and direction of text. + Thanks, Mesar Hameed + * Allow up to 8 levels of nested directives, rather than previous 3 + in directive infinite loop guard. + * git diffurl: Do not escape / in paths to changed files, in order to + interoperate with cgit (gitweb works either way) + Thanks, intrigeri. + * git: Explicity push master branch, as will be needed by git 2.0's + change to push.default=matching by default. + Thanks, smcv + * Deal with nasty issue with gettext clobbering $@ while printing + error message containing it. + Thanks, smcv + * Cleanup of the openid login widget, including replacing of hotlinked + images from openid providers with embedded, freely licensed artwork. + Thanks, smcv + * Improve templates testing. + Thanks, smcv + * python proxy: Avoid utf-8 related crash. + Thanks, Antoine Beaupré + * Special thanks to Simon McVittie for being the patchmeister for this + release. + + -- Joey Hess Thu, 27 Feb 2014 11:55:35 -0400 + +ikiwiki (3.20140125) unstable; urgency=medium + + * inline: Allow overriding the title of the feed. Closes: #735123 + Thanks, Christophe Rhodes + * osm: Escape name parameter. Closes: #731797 + + -- Joey Hess Sat, 25 Jan 2014 16:40:32 -0400 + +ikiwiki (3.20140102) unstable; urgency=low + + * aggregate: Improve display of post author. + * poll: Fix behavior of poll buttons when inlined. + * Fixed unncessary tight loop hash copy in saveindex where a pointer + can be used instead. Can speed up refreshes by nearly 50% in some + circumstances. + * Optimized loadindex by caching the page name in the index. + * Added only_committed_changes config setting, which speeds up wiki + refresh by querying git to find the files that were changed, rather + than looking at the work tree. Not enabled by default as it can + break some setups where not all files get committed to git. + * comments: Write pending moderation comments to the transient underlay + to avoid conflict with only_committed_changes. + * search: Added google_search option, which makes it search google + rather than using the internal xapain database. + (googlesearch plugin is too hard to turn on when xapain databases + corrupt themselves, which happens all too frequently). + * osm: Remove invalid use of charset on embedded javascript tags. + Closes: #731197 + * style.css: Add compatibility definitions for more block-level + html5 elements. Closes: #731199 + * aggregrate: Fix several bugs in handling of empty and colliding + titles when generating filenames. + + -- Joey Hess Thu, 02 Jan 2014 12:22:22 -0400 + +ikiwiki (3.20130904.1) unstable; urgency=low + + * Fix cookiejar default setting. + + -- Joey Hess Wed, 04 Sep 2013 10:15:37 -0400 + +ikiwiki (3.20130904) unstable; urgency=low + + * calendar: Display the popup mouseover when there is only 1 page for a + given day, for better UI consistency. + * meta: Can now be used to add an enclosure to a page, which is a fancier + way to do podcasting than just inlining the media files directly; + this way you can write a post about the podcast episode with show notes, + author information, etc. + (schmonz) + * aggregate: Show author in addition to feedname, if different. + (schmonz) + * Consistently configure LWP::UserAgent to allow use of http_proxy + and no_proxy environment variables, as well as ~/.ikiwiki/cookies + (schmonz) + * Fix test suite to work with perl 5.18. Closes: #719969 + + -- Joey Hess Wed, 04 Sep 2013 08:54:31 -0400 + +ikiwiki (3.20130711) unstable; urgency=low + + * Deal with git behavior change in 1.7.2 and newer that broke support + for commits with an empty commit message. + * Pass --no-edit when used with git 1.7.8 and newer. + + -- Joey Hess Wed, 10 Jul 2013 21:49:23 -0400 + +ikiwiki (3.20130710) unstable; urgency=low + + * blogspam: Fix encoding issue in RPC::XML call. + Thanks, Changaco + * comments: The formats allowed to be used in comments can be configured + using comments_allowformats. + Thanks, Michal Sojka + * calendar: When there are multiple pages for a given day, they're + displayed in a popup on mouseover. + Thanks, Louis + * osm: Remove trailing slash from KML maps icon. + * page.tmpl: omit searchform, trails, sidebar and most metadata in CGI + (smcv) + * openid: Automatically upgrade openid_realm to https when + accessed via https. + * The ip() pagespec can now contain glob characters to match eg, a subnet + full of spammers. + * Fix crash that could occur when a needsbuild hook returned a file + that does not exist. + * Fix python proxy to not crash when fed unicode data in getstate + and setstate. + Thanks, chrysn + * Fix committing attachments when using svn. + + -- Joey Hess Wed, 10 Jul 2013 17:45:40 -0400 + +ikiwiki (3.20130518) unstable; urgency=low + + * Fix test suite to not fail when XML::Twig is not installed. + Closes: #707436 + * theme: Now can be used in all templates when + a theme is enabled. + * notifyemail: Fix bug that caused duplicate emails to be sent when + site was rebuilt. + * bzr: bzr rm no longer has a --force option, remove + + -- Joey Hess Sat, 18 May 2013 16:28:21 -0400 + +ikiwiki (3.20130504) unstable; urgency=low + + * Allow dots in directive parameter names. (tango) + * Add missing plugin section, and deal with missing sections with a warning. + * Detect plugins with a broken getsetup and warn. + * map: Correct reversion introduced in version 3.20110225 that could + generate invalid html. (smcv) + * Makefile.PL: overwrite theme style.css instead of appending + (Thanks, Mikko Rapeli) + * meta: Fix anchors used to link to the page's license and copyright. + Closes: #706437 + + -- Joey Hess Sat, 04 May 2013 23:47:21 -0400 + +ikiwiki (3.20130212) unstable; urgency=low * htmlscrubber: Allow the bitcoin URI scheme. * htmlscrubber: Allow the URI schemes of major VCS's. @@ -8,8 +368,16 @@ ikiwiki (3.20121213) UNRELEASED; urgency=low and the page defining the trail. Thanks, smcv. * opendiscussion: Don't allow editing discussion pages if discussion pages are disabled. (smcv) - - -- Joey Hess Sat, 22 Dec 2012 16:15:24 -0400 + * poll: Add expandable option to allow users to easily add new choices to + a poll. + * trail: Avoid massive slowdown caused by pagetemplate hook when displaying + dynamic cgi pages, which cannot use trail anyway. + * Deal with empty diffurl in configuration. + * cvs: Various fixes. (schmonz) + * highlight: Now adds a span with class highlight- around + highlighted content, allowing for language-specific css styling. + + -- Joey Hess Tue, 12 Feb 2013 21:48:02 -0400 ikiwiki (3.20121212) unstable; urgency=low