+++ /dev/null
-ikiwiki 3.20171001 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ [[Joey Hess|joey]] ]
- * htmlscrubber: Add support for the video tag's `loop` and `muted`
- attributes. Those were not in the original html5 spec, but have been
- added in the whatwg html living standard and have wide browser support.
- * emailauth, passwordauth: Avoid leaving `cgisess_*` files in the
- system temp directory.
- * [ [[Simon McVittie|smcv]] ]
- * core: Don't decode the result of `strftime` if it is already tagged as
- UTF-8, as it might be since Perl >= 5.21.1. (Closes: #[869240](http://bugs.debian.org/869240))
- * img: Strip metadata from resized images when the deterministic config
- option is set. Thanks, [[intrigeri]]
- * receive: Avoid `asprintf()` in `IkiWiki::Receive`, to avoid implicit
- declaration, potential misbehaviour on 64-bit platforms, and lack
- of portability to non-GNU platforms
- * t: Add a regression test for untrusted git push
- * receive: Fix untrusted git push with git (>= 2.11) by passing through
- the necessary environment variables to make the quarantine area work
- * debian: Declare compliance with Debian Policy 4.1.1
- * [ [[Amitai Schleier|schmonz]] ]
- * l10n: Fix the build with po4a 0.52, by ensuring that `msgstr` ends
- with a newline if and only if `msgid` does"""]]
--- /dev/null
+ikiwiki 3.20190228 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * aggregate: Use LWPx::ParanoidAgent if available.
+ Previously blogspam, openid and pinger used this module if available,
+ but aggregate did not. This prevents server-side request forgery or
+ local file disclosure, and mitigates denial of service when slow
+ "tarpit" URLs are accessed.
+ ([[!debcve CVE-2019-9187]])
+ * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
+ LWPx::ParanoidAgent is installed.
+ Previously, only aggregate would obey proxy configuration. If a proxy
+ is used, the proxy (not ikiwiki) is responsible for preventing attacks
+ like CVE-2019-9187.
+ * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
+ URLs.
+ Previously, these plugins would have allowed non-HTTP-based requests if
+ LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
+ file disclosure, and preventing other rarely-used URI schemes like
+ gopher mitigates request forgery attacks.
+ * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
+ recommended.
+ These plugins can request attacker-controlled URLs in some site
+ configurations.
+ * blogspam: Document LWPx::ParanoidAgent as desirable.
+ This plugin doesn't request attacker-controlled URLs, so it's
+ non-critical here.
+ * blogspam, openid, pinger: Consistently use cookiejar if configured.
+ Previously, these plugins would only obey this configuration if
+ LWPx::ParanoidAgent was not installed, but this appears to have been
+ unintended.
+ * po: Always filter .po files.
+ The po plugin in previous ikiwiki releases made the second and
+ subsequent filter call per (page, destpage) pair into a no-op,
+ apparently in an attempt to prevent *recursive* filtering (which as
+ far as we can tell can't happen anyway), with the undesired effect
+ of interpreting the raw .po file as page content (e.g. Markdown)
+ if it was inlined into the same page twice, which is apparently
+ something that tails.org does. Simplify this by deleting the code
+ that prevented repeated filtering. Thanks, intrigeri
+ (Closes: #[911356](http://bugs.debian.org/911356))"""]]
+
+ikiwiki 3.20170111.1 was also released, backporting the LWP-related
+changes from 3.20190228 to the branch used in Debian 9 'stretch'.