X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/e04cb1ffd39f64c7f3216dcd6b7a69308754bef0..84a0b15eb68917829267bacac005f2bcefee914a:/debian/changelog diff --git a/debian/changelog b/debian/changelog index 6499a40b1..6a3cb77c6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,200 @@ -ikiwiki (3.20110716) UNRELEASED; urgency=low +ikiwiki (3.20120629.3) UNRELEASED; urgency=medium + + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Update img plugin to version 3.20160506 to mitigate ImageMagick + vulnerabilities, including remote code execution (CVE-2016-3714): + - Never convert SVG images to PNG; simply pass them through to the + browser. This prevents exploitation of any ImageMagick SVG coder + vulnerabilities. (joeyh) + - Do not resize image formats other than JPEG, PNG, GIF unless + specifically configured to do so. This prevents exploitation + of any vulnerabilities in less common coders, such as MVG. (smcv) + - Do not resize JPEG, PNG, GIF, PDF images if their extensions do + not match their "magic numbers", because wiki admins might try to + restrict attachments by extension, but ImageMagick can base its + choice of coder on the magic number. Explicitly force the + obvious ImageMagick coder to be used. (smcv) + * Minor non-security changes resulting from that update, since + reverting them seems higher-risk than keeping them: + - Add PDF support, disabled by the above changes unless specifically + configured (chrysn) + - Only render one frame or page from animated GIF or multi-page PDF + (chrysn) + - Do not distort aspect ratio when resizing small images (chrysn) + - Use data: URLs to embed images in page previews (chrysn) + - Raise an error if the image's size cannot be determined (chrysn) + - Handle filenames containing a colon correctly (smcv) + * Add t/img.t regression test also taken from version 3.20160506 + (chrysn, joeyh, schmonz, smcv) + + -- Simon McVittie <smcv@debian.org> Sun, 08 May 2016 15:33:51 +0100 + +ikiwiki (3.20120629.2) wheezy; urgency=medium + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483; + CVE-2015-2793) + + -- Simon McVittie <smcv@debian.org> Mon, 06 Apr 2015 20:34:51 +0100 + +ikiwiki (3.20120629.1) wheezy; urgency=medium + + Backport blogspam plugin from experimental, because the version in + wheezy is no longer usable: + + [ Joey Hess ] + * Set Debian package maintainer to Simon McVittie as I'm retiring from + Debian. + + [ Amitai Schlair ] + * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). + Closes: #774441 + + -- Simon McVittie <smcv@debian.org> Sat, 17 Jan 2015 11:53:33 +0000 + +ikiwiki (3.20120629) unstable; urgency=low + + * mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or + other config differences by linking to the mirror's CGI. (intrigeri) + + -- Joey Hess <joeyh@debian.org> Fri, 29 Jun 2012 10:16:08 -0400 + +ikiwiki (3.20120516) unstable; urgency=high + + * meta: Security fix; add missing sanitization of author and authorurl. + CVE-2012-0220 Thanks, Raúl Benencia + + -- Joey Hess <joeyh@debian.org> Wed, 16 May 2012 19:51:27 -0400 + +ikiwiki (3.20120419) unstable; urgency=low + + * Remove dead link from plugins/teximg. Closes: #664885 + * inline: When the pagenames list includes pages that do not exist, skip + them. + * meta: Export author information in html <meta> tag. Closes: #664779 + Thanks, Martin Michlmayr + * notifyemail: New plugin, sends email notifications about new and + changed pages, and allows subscribing to comments. + * Added a "changes" hook. Renamed the "change" hook to "rendered", but + the old hook name is called for now for back-compat. + * meta: Support keywords header. Closes: #664780 + Thanks, Martin Michlmayr + * passwordauth: Fix url in password recovery email to be absolute. + * httpauth: When it's the only auth method, avoid a pointless and + confusing signin form, and go right to the httpauthurl. + * rename: Allow rename to be started not from the edit page; return to + the renamed page in this case. + * remove: Support removing of pages in the transient underlay. (smcv) + * inline, trail: The pagenames parameter is now a list of absolute + pagenames, not relative wikilink type names. This is necessary to fix + a bug, and makes pagenames more consistent with the pagespec used + in the pages parameter. (smcv) + * link: Fix renaming wikilinks that contain embedded urls. + * graphviz: Handle self-links. + * trail: Improve CSS, also display trail links at bottom of page, + and a bug fix. (smcv) + + -- Joey Hess <joeyh@debian.org> Thu, 19 Apr 2012 15:32:07 -0400 + +ikiwiki (3.20120319) unstable; urgency=low + + * osm: New plugin to embed an OpenStreetMap into a wiki page. + Supports waypoints, tags, and can even draw paths matching + wikilinks between pages containing waypoints. + Thanks to Blars Blarson and Antoine Beaupré, as well as the worldwide + OpenStreetMap community for this utter awesomeness. + * trail: New plugin to add navigation trails through pages via Next and + Previous links. Trails can easily be added to existing inlines by setting + trail=yes in the inline. + Thanks to Simon McVittie for his persistance developing this feature. + * Fix a snail mail address. Closes: #659158 + * openid-jquery.js: Update URL of Wordpress favicon. Closes: #660549 + * Drop the version attribute on the generator tag in Atom feeds + to make builds more reproducible. Closes: #661569 (Paul Wise) + * shortcut: Support Wikipedia's form of url-encoding for unicode + characters, which involves mojibake. Closes: #661198 + * Add a few missing jquery UI icons to attachment upload widget underlay. + * URI escape filename when generating the diffurl. + * Add build-affected hook. Used by trail. + + -- Joey Hess <joeyh@debian.org> Mon, 19 Mar 2012 14:24:43 -0400 + +ikiwiki (3.20120202) unstable; urgency=low + + * mdwn: Added nodiscount setting, which can be used to avoid using the + markdown discount engine, when maximum compatability is needed. + * Switch to YAML::XS to work around insanity in YAML::Mo. Closes: #657533 + * cvs: Ensure text files are added in non-binary mode. (Amitai Schlair) + * cvs: Various cleanups and testing. (Amitai Schlair) + * calendar: Fix strftime encoding bug. + * shortcuts: Fixed a broken shortcut to wikipedia (accidentially + made into a shortcut to wikiMedia). + * Various portability improvements. (Amitai Schlair) + + -- Joey Hess <joeyh@debian.org> Thu, 02 Feb 2012 21:42:40 -0400 + +ikiwiki (3.20120115) unstable; urgency=low + + * Make backlink(.) work. Thanks, Giuseppe Bilotta. + * mdwn: Workaround discount's eliding of <style> blocks. + * attachment: Fix utf-8 display bug. + + -- Joey Hess <joeyh@debian.org> Sun, 15 Jan 2012 16:19:25 -0400 + +ikiwiki (3.20120109) unstable; urgency=low + + * mdwn: Can use the discount markdown library, via the + Text::Markdown::Discount perl module. This is preferred if available + since it's the fastest currently supported markdown library, speeding up + ikiwiki's markdown rendering by a factor of 40. + (However, when multimarkdown is enabled, Text::Markdown::Multimarkdown + is still used.) + * On Debian, depend on libtext-markdown-discount. + + -- Joey Hess <joeyh@debian.org> Mon, 09 Jan 2012 11:49:14 -0400 + +ikiwiki (3.20111229) unstable; urgency=low + + * Consume all stdin when rcs_receive short-circuits, + to avoid git SIGPIPE race. + * Add path and path_natural sort orders (smcv) + * Test coverage can be checked with `make coverage` (smcv) + * tag: encode categories using numeric values. (tango) + + -- Joey Hess <joeyh@debian.org> Thu, 29 Dec 2011 12:00:53 -0400 + +ikiwiki (3.20111107) unstable; urgency=low + + * img: Bugfix to width/height tags for scaled down image when only + one dimension was provided. Thanks, Per Carlson. + * editpage: Fix FormattingHelp link on Discussion pages. + * The umask setting can now be set to private, group, or public, + avoiding the need to enter octal correctly which is particularly + difficult in yaml setup files. (smcv) + * graphviz: Support urls embedded in the graph, by having graphviz + generate an imagemap. + * graphviz: Support wikilinks embedded in the graph. + (Sponsored by The TOVA Company.) + + -- Joey Hess <joeyh@debian.org> Wed, 30 Nov 2011 16:31:48 -0400 + +ikiwiki (3.20111106) unstable; urgency=low + + * searchquery.tmpl: Track escaping change in upstream template. + Thanks Olly Betts for review. + * svn: Support subversion 1.7, which does not have .svn in each + subdirectory. + * rst: import docutils lazily, to avoid errors during ikiwiki --setup. + Closes: #637604 (Thanks, smcv) + * Make the setup automator create YAML formatted files. + * Fix handling of discussion page creation links to make discussion pages + in the right place and with the right case. Broken by page case + preservation feature added in 3.20110707. + + -- Joey Hess <joeyh@debian.org> Sun, 06 Nov 2011 16:27:29 -0400 + +ikiwiki (3.20110905) unstable; urgency=low * mercurial: Openid nicknames are now used when committing. (Daniel Andersson) * mercurial: Implement rcs_commit_staged so comments, attachments, etc @@ -8,8 +204,30 @@ ikiwiki (3.20110716) UNRELEASED; urgency=low (Daniel Andersson) * mercurial: Make both rcs_getctime and rcs_getmtime fast. (Daniel Andersson) * mercurial: Implement rcs_diff. (Daniel Andersson) - - -- Joey Hess <joeyh@debian.org> Tue, 19 Jul 2011 11:22:52 -0400 + * po: Add `LANG_CODE` and `LANG_NAME` template variables. (intrigeri) + * Fix typo in Danish translation of shortcuts page that caused exponential + regexp blowup. + * Fix escaping of html entities in permalinks. + * Fix escaping of html entities in tag names. + * Avoid using named capture groups in heredoc code for oldperl compatibility. + * Put in a workaround for #622591, by ensuring Search::Xapian gets loaded + before Image::Magick. + * Add unminified jquery js and css files to source. + * Update to jquery 1.6.2, and jquery-ui 1.8.14. + * Use lockf rather than flock when taking the cgilock, for better + portability. + * search: Fix encoding bug in calculation of maximum term size. + * inline: When indexing internal pages for searching, use the url of + the inlining page. + * Fix comments testsuite to not rely on Date::Parse's ability to + parse the date Columbus discovered America. Closes: #640350 + * Avoid warning message when generating setup file if highlight + is not installed. Closes: #637606 + * Promote RPC::XML to a Recommends, since it's used by auto-blog.setup. + Closes: #637603 + * Fix web revert of a file deletion. + + -- Joey Hess <joeyh@debian.org> Mon, 05 Sep 2011 14:53:00 -0400 ikiwiki (3.20110715) unstable; urgency=low