X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/bcfba8cdb50dcaca9faa182955825670efb15852..b84854289f508404f15612328b89ad0627569f49:/debian/changelog

diff --git a/debian/changelog b/debian/changelog
index 919814f2f..f0e617731 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,29 @@ ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
 
   * HTML-escape error messages, in one case avoiding potential cross-site
     scripting (CVE-2016-4561, OVE-20160505-0012)
+  * Update img plugin to version 3.20160506 to mitigate ImageMagick
+    vulnerabilities, including remote code execution (CVE-2016-3714):
+    - Never convert SVG images to PNG; simply pass them through to the
+      browser. This prevents exploitation of any ImageMagick SVG coder
+      vulnerabilities. (joeyh)
+    - Do not resize image formats other than JPEG, PNG, GIF unless
+      specifically configured to do so. This prevents exploitation
+      of any vulnerabilities in less common coders, such as MVG. (smcv)
+    - Do not resize JPEG, PNG, GIF, PDF images if their extensions do
+      not match their "magic numbers", because wiki admins might try to
+      restrict attachments by extension, but ImageMagick can base its
+      choice of coder on the magic number. Explicitly force the
+      obvious ImageMagick coder to be used. (smcv)
+  * Minor non-security changes resulting from that update, since
+    reverting them seems higher-risk than keeping them:
+    - Add PDF support, disabled by the above changes unless specifically
+      configured (chrysn)
+    - Only render one frame or page from animated GIF or multi-page PDF
+      (chrysn)
+    - Do not distort aspect ratio when resizing small images (chrysn)
+    - Use data: URLs to embed images in page previews (chrysn)
+    - Raise an error if the image's size cannot be determined (chrysn)
+    - Handle filenames containing a colon correctly (smcv)
 
  -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 15:33:51 +0100