X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/824cf7db1b96a16b080e284bc3ebf90c1f14a203..HEAD:/CHANGELOG

diff --git a/CHANGELOG b/CHANGELOG
index 5237ee7b8..a30a5de00 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,56 @@
-ikiwiki (3.20190208) UNRELEASED; urgency=medium
+ikiwiki (3.20200202.4) UNRELEASED; urgency=medium
 
+  * aggregate: When a feed has an enclosure that is an image, audio, or
+    video, include the enclosure in the generated page.
+  * aggregate: Also support feeds with media:content tags.
+
+ -- Joey Hess <id@joeyh.name>  Sat, 25 Dec 2021 12:41:34 -0400
+
+ikiwiki (3.20200202.3) upstream; urgency=medium
+
+  [ Amitai Schleier ]
+  * highlight: Adapt to API change in highlight >= 3.51
+  * mdwn: Fix inverted footnote configuration when MultiMarkdown is
+    enabled. Thanks, Giuseppe Bilotta
+
+  [ Joey Hess ]
+  * Updated German basewiki and directives translation from
+    Sebastian Kuhnert.
+  * Updated German program translation from
+    Sebastian Kuhnert.
+
+ -- Joey Hess <id@joeyh.name>  Sun, 02 Feb 2020 00:00:00 -0400
+
+ikiwiki (3.20190228) upstream; urgency=medium
+
+  * aggregate: Use LWPx::ParanoidAgent if available.
+    Previously blogspam, openid and pinger used this module if available,
+    but aggregate did not. This prevents server-side request forgery or
+    local file disclosure, and mitigates denial of service when slow
+    "tarpit" URLs are accessed.
+    (CVE-2019-9187)
+  * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
+    LWPx::ParanoidAgent is installed.
+    Previously, only aggregate would obey proxy configuration. If a proxy
+    is used, the proxy (not ikiwiki) is responsible for preventing attacks
+    like CVE-2019-9187.
+  * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
+    URLs.
+    Previously, these plugins would have allowed non-HTTP-based requests if
+    LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
+    file disclosure, and preventing other rarely-used URI schemes like
+    gopher mitigates request forgery attacks.
+  * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
+    recommended.
+    These plugins can request attacker-controlled URLs in some site
+    configurations.
+  * blogspam: Document LWPx::ParanoidAgent as desirable.
+    This plugin doesn't request attacker-controlled URLs, so it's
+    non-critical here.
+  * blogspam, openid, pinger: Consistently use cookiejar if configured.
+    Previously, these plugins would only obey this configuration if
+    LWPx::ParanoidAgent was not installed, but this appears to have been
+    unintended.
   * po: Always filter .po files.
     The po plugin in previous ikiwiki releases made the second and
     subsequent filter call per (page, destpage) pair into a no-op,
@@ -11,7 +62,7 @@ ikiwiki (3.20190208) UNRELEASED; urgency=medium
     that prevented repeated filtering. Thanks, intrigeri
     (Closes: #911356)
 
- -- Simon McVittie <smcv@debian.org>  Sun, 24 Feb 2019 17:11:39 +0000
+ -- Simon McVittie <smcv@debian.org>  Tue, 26 Feb 2019 21:05:49 +0000
 
 ikiwiki (3.20190207) upstream; urgency=medium