X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/a1fda0b516cc4e85b7304838949df8fbe0044cf3..7269c9af3e55dc478792d8ea010ab9b794190a66:/debian/NEWS?ds=inline
diff --git a/debian/NEWS b/debian/NEWS
index d09b4d9be..e169658ea 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,39 @@
+ikiwiki (3.20160506) unstable; urgency=medium
+
+ To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+ the [[!img]] directive is now restricted to these common web formats by
+ default:
+
+ * JPEG (.jpg, .jpeg)
+ * PNG (.png)
+ * GIF (.gif)
+ * SVG (.svg)
+
+ (In particular, by default resizing PDF files is no longer allowed.)
+
+ Additionally, resized SVG files are displayed in the browser as SVG
+ instead of being converted to PNG.
+
+ If all users who can attach images are fully trusted, this restriction
+ can be removed with the new img_allowed_formats setup option.
+ See
+ or for
+ more details.
+
+ -- Simon McVittie Fri, 06 May 2016 07:49:56 +0100
+
+ikiwiki (3.20150610) unstable; urgency=low
+
+ The new "emailauth" plugin allows users to authenticate using an email
+ address, without otherwise creating an account.
+
+ The openid plugin now enables emailauth by default. Please include
+ emailauth in the disable_plugins setting if this is not desired.
+ Conversely, if emailauth is required on a wiki that does not enable
+ openid, you can list it in the enable_plugins setting.
+
+ -- Simon McVittie Wed, 10 Jun 2015 21:56:56 +0100
+
ikiwiki (3.20150107) experimental; urgency=medium
By default, this version of IkiWiki tells mobile browsers that its