X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/fbfcea89f8e06426c73ab8ea369ca4cdc566db6f..6ea7d17f20c3e0805e8bcba49ea7e38aa28a8bca:/debian/changelog diff --git a/debian/changelog b/debian/changelog index c7e4b1d11..fc456b42d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,70 @@ +ikiwiki (3.20120629.3) UNRELEASED; urgency=medium + + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (CVE-2016-4561, OVE-20160505-0012) + * Update img plugin to version 3.20160506 to mitigate ImageMagick + vulnerabilities, including remote code execution (CVE-2016-3714): + - Never convert SVG images to PNG; simply pass them through to the + browser. This prevents exploitation of any ImageMagick SVG coder + vulnerabilities. (joeyh) + - Do not resize image formats other than JPEG, PNG, GIF unless + specifically configured to do so. This prevents exploitation + of any vulnerabilities in less common coders, such as MVG. (smcv) + - Do not resize JPEG, PNG, GIF, PDF images if their extensions do + not match their "magic numbers", because wiki admins might try to + restrict attachments by extension, but ImageMagick can base its + choice of coder on the magic number. Explicitly force the + obvious ImageMagick coder to be used. (smcv) + * Minor non-security changes resulting from that update, since + reverting them seems higher-risk than keeping them: + - Add PDF support, disabled by the above changes unless specifically + configured (chrysn) + - Only render one frame or page from animated GIF or multi-page PDF + (chrysn) + - Do not distort aspect ratio when resizing small images (chrysn) + - Use data: URLs to embed images in page previews (chrysn) + - Raise an error if the image's size cannot be determined (chrysn) + - Handle filenames containing a colon correctly (smcv) + * Add t/img.t regression test also taken from version 3.20160506 + (chrysn, joeyh, schmonz, smcv) + * debian/tests: add metadata to run the img test as an autopkgtest + + -- Simon McVittie Sun, 08 May 2016 15:33:51 +0100 + +ikiwiki (3.20120629.2) wheezy; urgency=medium + + [ Joey Hess ] + * Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483; + CVE-2015-2793) + + -- Simon McVittie Mon, 06 Apr 2015 20:34:51 +0100 + +ikiwiki (3.20120629.1) wheezy; urgency=medium + + Backport blogspam plugin from experimental, because the version in + wheezy is no longer usable: + + [ Joey Hess ] + * Set Debian package maintainer to Simon McVittie as I'm retiring from + Debian. + + [ Amitai Schlair ] + * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). + Closes: #774441 + + -- Simon McVittie Sat, 17 Jan 2015 11:53:33 +0000 + +ikiwiki (3.20120629) unstable; urgency=low + + * mirrorlist: Add mirrorlist_use_cgi setting that avoids usedirs or + other config differences by linking to the mirror's CGI. (intrigeri) + + -- Joey Hess Fri, 29 Jun 2012 10:16:08 -0400 + ikiwiki (3.20120516) unstable; urgency=high * meta: Security fix; add missing sanitization of author and authorurl. - Thanks, Raúl Benencia + CVE-2012-0220 Thanks, Raúl Benencia -- Joey Hess Wed, 16 May 2012 19:51:27 -0400