X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/bfc13b9070981ba3cd73b901af9c29a50ca0114d..f2253db46c049fad6a20622df5229079010cf784:/debian/changelog diff --git a/debian/changelog b/debian/changelog index a984aa4f2..60f278b43 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,222 @@ -ikiwiki (3.20130904.2) UNRELEASED; urgency=low +ikiwiki (3.20141016.4) UNRELEASED; urgency=high + + * Reference CVE-2016-4561 in 3.20141016.3 changelog + * Security: force CGI::FormBuilder->field to scalar context where + necessary, avoiding unintended function argument injection + analogous to CVE-2014-1572. + - passwordauth: prevent authentication bypass via multiple name + parameters (OVE-20170111-0001) + - passwordauth: prevent userinfo forgery via repeated email + parameter (OVE-20170111-0001) + - comments, editpage: prevent commit metadata forgery + (CVE-2016-9646, OVE-20161226-0001) + - CGI, attachment, comments, editpage, notifyemail, passwordauth, + po, rename: harden against similar issues that are not believed + to be exploitable + * t/passwordauth.t: new automated test for OVE-20170111-0001 + * Backport IkiWiki::Plugin::img from 3.20160905 to fix a regression + in 3.20141016.3: + - img: ignore the case of the extension when detecting image format, + fixing the regression that *.JPG etc. would not be displayed + (patch from Amitai Schleier) + + -- Simon McVittie Wed, 11 Jan 2017 15:22:38 +0000 + +ikiwiki (3.20141016.3) jessie-security; urgency=high + + [ Simon McVittie ] + * img: stop ImageMagick trying to be clever if filenames contain a colon, + avoiding mis-processing + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: + - img: force common Web formats to be interpreted according to extension, + so that "allowed_attachments: '*.jpg'" does what one might expect + - img: restrict to JPEG, PNG and GIF images by default, again mitigating + CVE-2016-3714 and similar vulnerabilities + - img: check that the magic number matches what we would expect from + the extension before giving common formats to ImageMagick + + [ Joey Hess ] + * img: Add back support for SVG images, bypassing ImageMagick and + simply passing the SVG through to the browser, which is supported by all + commonly used browsers these days. + SVG scaling by img directives has subtly changed; where before + size=wxh would preserve aspect ratio, this cannot be done when passing + them through and so specifying both a width and height can change + the SVG's aspect ratio. + + -- Simon McVittie Fri, 06 May 2016 07:55:49 +0100 + +ikiwiki (3.20141016.2) unstable; urgency=high + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483) + + -- Simon McVittie Sun, 29 Mar 2015 22:28:15 +0100 + +ikiwiki (3.20141016.1) unstable; urgency=medium + + * Backport selected commits for Debian 8: + + [ Joey Hess ] + * Add missing build-depends on libcgi-formbuilder-perl, needed for + t/relativity.t if libipc-run-perl is also installed + (buildds are unaffected by this) + * Set Debian package maintainer to Simon McVittie as I'm retiring from + Debian. + + [ Amitai Schlair ] + * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). + Closes: #774441 + + [ Simon McVittie ] + * Work around imagemagick Debian bug #771047 by using a non-blank SVG + for the regression test, to avoid FTBFS in current unstable + if inkscape is installed (buildds are unaffected by this) + + -- Simon McVittie Wed, 07 Jan 2015 11:08:35 +0000 + +ikiwiki (3.20141016) unstable; urgency=medium + + [ Joey Hess ] + * Fix crash that can occur when only_committed_changes is set and a + file is deleted from the underlay. + + [ Simon McVittie ] + * core: avoid dangerous use of CGI->param in list context, which led + to a security flaw in Bugzilla; as far as we can tell, ikiwiki + is not vulnerable to a similar attack, but it's best to be safe + * core: new reverse_proxy option prevents ikiwiki from trying to detect + how to make self-referential URLs by using the CGI environment variables, + for instance when it's deployed behind a HTTP reverse proxy + (Closes: #745759) + * core: the default User-Agent is now "ikiwiki/$version" to work around + ModSecurity rules assuming that only malware uses libwww-perl + * core: use protocol-relative URLs (e.g. //www.example.com/wiki) so that + https stays on https and http stays on http, particularly if the + html5 option is enabled + * core: avoid mixed content when a https cgiurl links to http static pages + on the same server (the static pages are assumed to be accessible via + https too) + * core: force the correct top URL in w3mmode + * google plugin: Use search form + * docwiki: replace Paypal and Flattr buttons with text links + * comments: don't record the IP address in the wiki if the user is + logged in via passwordauth or httpauth + * templates: add ARIA roles to some page elements, if html5 is enabled. + Thanks, Patrick + * debian: build-depend on libmagickcore-6.q16-2-extra | libmagickcore-extra + so we can thumbnail SVGs in the docwiki + * debian: explicitly depend and build-depend on libcgi-pm-perl + * debian: drop unused python-support dependency + * debian: rename debian/link to debian/links so the intended symlinks appear + * debian: fix some wrong paths in the copyright file + + -- Simon McVittie Thu, 16 Oct 2014 23:28:26 +0100 + +ikiwiki (3.20140916) unstable; urgency=low + + * Don't double-decode CGI submissions with Encode.pm >= 2.53, + fixing "Error: Cannot decode string with wide characters". + Thanks, Antoine Beaupré + * Avoid making trails depend on everything in the wiki by giving them + a better way to sort the pages + * Don't let users post comments that won't be displayed + * Fix encoding of Unicode strings in Python plugins. + Thanks, chrysn + * Improve performance and correctness of the [[!if]] directive + * Let [[!inline rootpage=foo postform=no]] disable the posting form + * Switch default [[!man]] shortcut to manpages.debian.org. Closes: #700322 + * Add UUID and TIME variables to edittemplate. Closes: #752827 + Thanks, Jonathon Anderson + * Display pages in linkmaps as their pagetitle (no underscore escapes). + Thanks, chrysn + * Fix aspect ratio when scaling small images, and add support for + converting SVG and PDF graphics to PNG. + Thanks, chrysn + - suggest ghostscript (required for PDF-to-PNG thumbnailing) + and libmagickcore-extra (required for SVG-to-PNG thumbnailing) + - build-depend on ghostscript so the test for scalable images can be run + * In the CGI wrapper, incorporate $config{ENV} into the environment + before executing Perl code, so that PERL5LIB can point to a + non-system-wide installation of IkiWiki. + Thanks, Lafayette Chamber Singers Webmaster + * filecheck: accept MIME types not containing ';' + * autoindex: index files in underlays if the resulting pages aren't + going to be committed. Closes: #611068 + * Add [[!templatebody]] directive so template pages don't have to be + simultaneously a valid template and valid HTML + * Add myself to Uploaders and release to Debian + + -- Simon McVittie Fri, 12 Sep 2014 21:23:58 +0100 + +ikiwiki (3.20140831) unstable; urgency=medium + + * Make --no-gettime work in initial build. Closes: #755075 + + -- Joey Hess Sun, 31 Aug 2014 14:17:24 -0700 + +ikiwiki (3.20140815) unstable; urgency=medium + + * Add google back to openid selector. Apparently this has gotten a stay + of execution until April 2015. (It may continue to work until 2017.) + * highlight: Add compatibility with highlight 3.18, while still supporting + 3.9+. Closes: #757679 + Thanks, David Bremner + * highlight: Add support for multiple language definition directories + Closes: #757680 + Thanks, David Bremner + + -- Joey Hess Fri, 15 Aug 2014 12:58:08 -0400 + +ikiwiki (3.20140613) unstable; urgency=medium + + * only_committed_changes could fail in a git repository merged + with git merge -s ours. + * Remove google from openid selector, per http://xkcd.com/1361/ + + -- Joey Hess Fri, 13 Jun 2014 10:09:10 -0400 + +ikiwiki (3.20140227) unstable; urgency=medium + + * Added useragent config setting. Closes: #737121 + Thanks, Tuomas Jormola + * po: Add html_lang_code and html_lang_dir template variables + for the language code and direction of text. + Thanks, Mesar Hameed + * Allow up to 8 levels of nested directives, rather than previous 3 + in directive infinite loop guard. + * git diffurl: Do not escape / in paths to changed files, in order to + interoperate with cgit (gitweb works either way) + Thanks, intrigeri. + * git: Explicity push master branch, as will be needed by git 2.0's + change to push.default=matching by default. + Thanks, smcv + * Deal with nasty issue with gettext clobbering $@ while printing + error message containing it. + Thanks, smcv + * Cleanup of the openid login widget, including replacing of hotlinked + images from openid providers with embedded, freely licensed artwork. + Thanks, smcv + * Improve templates testing. + Thanks, smcv + * python proxy: Avoid utf-8 related crash. + Thanks, Antoine Beaupré + * Special thanks to Simon McVittie for being the patchmeister for this + release. + + -- Joey Hess Thu, 27 Feb 2014 11:55:35 -0400 + +ikiwiki (3.20140125) unstable; urgency=medium + + * inline: Allow overriding the title of the feed. Closes: #735123 + Thanks, Christophe Rhodes + * osm: Escape name parameter. Closes: #731797 + + -- Joey Hess Sat, 25 Jan 2014 16:40:32 -0400 + +ikiwiki (3.20140102) unstable; urgency=low * aggregate: Improve display of post author. * poll: Fix behavior of poll buttons when inlined. @@ -18,8 +236,12 @@ ikiwiki (3.20130904.2) UNRELEASED; urgency=low corrupt themselves, which happens all too frequently). * osm: Remove invalid use of charset on embedded javascript tags. Closes: #731197 + * style.css: Add compatibility definitions for more block-level + html5 elements. Closes: #731199 + * aggregrate: Fix several bugs in handling of empty and colliding + titles when generating filenames. - -- Joey Hess Thu, 05 Sep 2013 10:01:10 -0400 + -- Joey Hess Thu, 02 Jan 2014 12:22:22 -0400 ikiwiki (3.20130904.1) unstable; urgency=low