X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/93930176422d27cb3f18de9e8569545e228da192..838c1b5aec17ad90a894f21c12bb58adb5225276:/debian/changelog diff --git a/debian/changelog b/debian/changelog index ba22c917d..b0036db8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,56 @@ -ikiwiki (3.20141016.1) UNRELEASED; urgency=medium +ikiwiki (3.20141016.4) UNRELEASED; urgency=medium + + [ Amitai Schlair ] + * img: ignore the case of the extension when detecting image format, + fixing the regression that *.JPG etc. would not be displayed + since 3.20141016.3 + + [ Simon McVittie ] + * Add CVE-2016-4561 reference to 3.20141016.3 changelog + + -- Simon McVittie <smcv@debian.org> Mon, 09 May 2016 22:35:16 +0100 + +ikiwiki (3.20141016.3) jessie-security; urgency=high + + [ Simon McVittie ] + * img: stop ImageMagick trying to be clever if filenames contain a colon, + avoiding mis-processing + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: + - img: force common Web formats to be interpreted according to extension, + so that "allowed_attachments: '*.jpg'" does what one might expect + - img: restrict to JPEG, PNG and GIF images by default, again mitigating + CVE-2016-3714 and similar vulnerabilities + - img: check that the magic number matches what we would expect from + the extension before giving common formats to ImageMagick + + [ Joey Hess ] + * img: Add back support for SVG images, bypassing ImageMagick and + simply passing the SVG through to the browser, which is supported by all + commonly used browsers these days. + SVG scaling by img directives has subtly changed; where before + size=wxh would preserve aspect ratio, this cannot be done when passing + them through and so specifying both a width and height can change + the SVG's aspect ratio. + + -- Simon McVittie <smcv@debian.org> Fri, 06 May 2016 07:55:49 +0100 + +ikiwiki (3.20141016.2) unstable; urgency=high + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483) + + -- Simon McVittie <smcv@debian.org> Sun, 29 Mar 2015 22:28:15 +0100 + +ikiwiki (3.20141016.1) unstable; urgency=medium + + * Backport selected commits for Debian 8: [ Joey Hess ] * Add missing build-depends on libcgi-formbuilder-perl, needed for - t/relativity.t + t/relativity.t if libipc-run-perl is also installed + (buildds are unaffected by this) * Set Debian package maintainer to Simon McVittie as I'm retiring from Debian. @@ -10,7 +58,12 @@ ikiwiki (3.20141016.1) UNRELEASED; urgency=medium * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). Closes: #774441 - -- Joey Hess <joeyh@debian.org> Mon, 20 Oct 2014 12:04:49 -0400 + [ Simon McVittie ] + * Work around imagemagick Debian bug #771047 by using a non-blank SVG + for the regression test, to avoid FTBFS in current unstable + if inkscape is installed (buildds are unaffected by this) + + -- Simon McVittie <smcv@debian.org> Wed, 07 Jan 2015 11:08:35 +0000 ikiwiki (3.20141016) unstable; urgency=medium