X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/da371733b53f564ec8dd349009a126552daaf84a..1226d9f144310876080c077a9c45bd2257829a32:/debian/NEWS

diff --git a/debian/NEWS b/debian/NEWS
index c53dbc068..c8a35093e 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,4 +1,26 @@
-ikiwiki (3.20110114) UNRELEASED; urgency=low
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
+
+  To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+  the [[!img]] directive is now restricted to these common web formats by
+  default:
+
+  * JPEG (.jpg, .jpeg)
+  * PNG (.png)
+  * GIF (.gif)
+  * SVG (.svg)
+
+  (In particular, by default resizing PDF files is no longer allowed.)
+
+  Additionally, resized SVG files are displayed in the browser as SVG
+  instead of being converted to PNG.
+
+  If all users who can attach images are fully trusted, this restriction
+  can be removed with the new img_allowed_formats setup option.
+  See <https://ikiwiki.info/ikiwiki/directive/img/> for more details.
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 09 May 2016 22:38:35 +0100
+
+ikiwiki (3.20110122) unstable; urgency=low
 
   If you have custom CSS that uses "#feedlinks" or "#blogform", you will
   need to change it to instead use ".feedlinks" and ".blogform"