X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/de26e4ade127bc356aa92c3488eb155ed183151b..aa06b950eaa6bbdd20813ac08d4383219a09ab97:/debian/changelog?ds=sidebyside diff --git a/debian/changelog b/debian/changelog index 77e640f72..14045a961 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,17 @@ -ikiwiki (3.20170109) UNRELEASED; urgency=medium +ikiwiki (3.20170111) unstable; urgency=high + + * passwordauth: prevent authentication bypass via multiple name + parameters (CVE-2017-0356, OVE-20170111-0001) + * passwordauth: avoid userinfo forgery via repeated email parameter + (also in the scope of CVE-2017-0356) + * CGI, attachment, passwordauth: harden against repeated parameters + (not believed to have been a vulnerability) + * remove: make it clearer that repeated page parameter is OK here + * t/passwordauth.t: new automated test for passwordauth + + -- Simon McVittie Wed, 11 Jan 2017 18:16:53 +0000 + +ikiwiki (3.20170110) unstable; urgency=medium [ Amitai Schleier ] * wrappers: Correctly escape quotes in git_wrapper_background_command @@ -31,8 +44,17 @@ ikiwiki (3.20170109) UNRELEASED; urgency=medium * d/source/lintian-overrides: override obsolete-url-in-packaging for OpenID Selector, which does not seem to have any more current URL (and in any case our version is a fork) - - -- Simon McVittie Mon, 09 Jan 2017 14:33:19 +0000 + * docwiki.setup: exclude TourBusStop from offline documentation. + It does not make much sense there. + * d/ikiwiki.lintian-overrides: override script-not-executable warnings + * d/ikiwiki.lintian-overrides: silence false positive spelling warning + for Moin Moin + * d/ikiwiki.doc-base: register the documentation with doc-base + * d/control: set libmagickcore-6.q16-3-extra as preferred + build-dependency, with virtual package libmagickcore-extra as an + alternative, to help autopkgtest to do the right thing + + -- Simon McVittie Tue, 10 Jan 2017 13:22:01 +0000 ikiwiki (3.20161229.1) unstable; urgency=medium