X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/a1fda0b516cc4e85b7304838949df8fbe0044cf3..e0efe7644d0081f3959622a07524023e53b4a806:/debian/NEWS?ds=inline diff --git a/debian/NEWS b/debian/NEWS index d09b4d9be..e169658ea 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,39 @@ +ikiwiki (3.20160506) unstable; urgency=medium + + To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities, + the [[!img]] directive is now restricted to these common web formats by + default: + + * JPEG (.jpg, .jpeg) + * PNG (.png) + * GIF (.gif) + * SVG (.svg) + + (In particular, by default resizing PDF files is no longer allowed.) + + Additionally, resized SVG files are displayed in the browser as SVG + instead of being converted to PNG. + + If all users who can attach images are fully trusted, this restriction + can be removed with the new img_allowed_formats setup option. + See + or for + more details. + + -- Simon McVittie Fri, 06 May 2016 07:49:56 +0100 + +ikiwiki (3.20150610) unstable; urgency=low + + The new "emailauth" plugin allows users to authenticate using an email + address, without otherwise creating an account. + + The openid plugin now enables emailauth by default. Please include + emailauth in the disable_plugins setting if this is not desired. + Conversely, if emailauth is required on a wiki that does not enable + openid, you can list it in the enable_plugins setting. + + -- Simon McVittie Wed, 10 Jun 2015 21:56:56 +0100 + ikiwiki (3.20150107) experimental; urgency=medium By default, this version of IkiWiki tells mobile browsers that its