X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/bb7877707ef730c7fdab01509ac6a9cc9eb252d1..590d5c29b033eb7704df5538c8cc13d6eda66143:/debian/NEWS

diff --git a/debian/NEWS b/debian/NEWS
index e65a15457..f7d76649d 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,13 +1,51 @@
-ikiwiki (3.20100505) UNRELEASED; urgency=low
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
 
-  There is a significant change to the page.tmpl template in this version.
-  If you have locally modified versions of that template, you will need
-  to update it to contain the following in the HTML <head>:
+  To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+  the [[!img]] directive is now restricted to these common web formats by
+  default:
+
+  * JPEG (.jpg, .jpeg)
+  * PNG (.png)
+  * GIF (.gif)
+  * SVG (.svg)
+
+  (In particular, by default resizing PDF files is no longer allowed.)
+
+  Additionally, resized SVG files are displayed in the browser as SVG
+  instead of being converted to PNG.
+
+  If all users who can attach images are fully trusted, this restriction
+  can be removed with the new img_allowed_formats setup option.
+  See <https://ikiwiki.info/ikiwiki/directive/img/> for more details.
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
+
+ikiwiki (3.20110122) unstable; urgency=low
+
+  If you have custom CSS that uses "#feedlinks" or "#blogform", you will
+  need to change it to instead use ".feedlinks" and ".blogform"
+
+ -- Joey Hess <joeyh@debian.org>  Fri, 14 Jan 2011 14:34:54 -0400
+
+ikiwiki (3.20100515) unstable; urgency=low
+
+  There are two significant changes to the page.tmpl template in this version.
+  If you have a locally modified version of that template, you will need to
+  update it at least to contain the following in the HTML <head>:
 
     <TMPL_IF DYNAMIC>
     <TMPL_IF FORCEBASEURL><base href="<TMPL_VAR FORCEBASEURL>" /><TMPL_ELSE>
     <TMPL_IF BASEURL><base href="<TMPL_VAR BASEURL>" /></TMPL_IF>
     </TMPL_IF>
+    </TMPL_IF>
+
+  Also, the footer should be wrapped in <TMPL_UNLESS DYNAMIC> ... </TMPL_UNLESS>
+  
+  There is a new "comment()" pagespec, that can be used to match a
+  comment on a page. It is recommended it be used instead of the old
+  method of using a pagespec such as "internal(comment_*)" to match
+  things that looked like comments. The old pagespec will now also match
+  comments that are held for moderation; likely not what you want.
 
   There have also been some changes to the style.css in this version,
   particularly to support the new openid selector. If you have a modified