Announce 3.20160506

diff --git a/doc/news/version_3.20150107.mdwn b/doc/news/version_3.20150107.mdwn
deleted file mode 100644 (file)
index 7cae042..0000000
--- a/doc/news/version_3.20150107.mdwn
+++ /dev/null
@@ -1,44 +0,0 @@
-ikiwiki 3.20150107 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
-  [ [[Joey Hess|joey]] ]
-
-  * Added ikiwiki-comment program.
-  * Add missing build-depends on `libcgi-formbuilder-perl`, needed for
-    `t/relativity.t`
-  * openid: Stop suppressing the email field on the Preferences page.
-  * Set Debian package maintainer to Simon McVittie as I'm retiring from
-    Debian.
-
-  [ [[Simon McVittie|smcv]] ]
-
-  * calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh`
-    can mostly supersede the `ikiwiki-calendar` command.
-    Thanks, Louis Paternault
-  * search: add more classes as a hook for CSS. Thanks, sajolida
-  * core: generate HTML5 by default, but keep avoiding new elements
-    like `<section>` that require specific browser support unless `html5` is
-    set to 1.
-  * Tell mobile browsers to draw our pages in a device-sized viewport,
-    not an 800-1000px viewport designed to emulate a desktop/laptop browser.
-  * Add new `responsive_layout` option which can be set to 0 if your custom
-    CSS only works in a large viewport.
-  * style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
-    below 600px ("responsive layout") so that horizontal scrolling is not
-    needed on smartphone browsers or other small viewports.
-  * core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault
-
-  [ [[Amitai Schlair|schmonz]] ]
-
-  * core: log a debug message before waiting for the lock.
-    Thanks, Mark Jason Dominus
-  * build: in po/Makefile, use the same `$(MAKE)` as the rest of the build.
-    Thanks, ttw
-  * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
-    Closes: [[!debbug 774441]]
-
-  [ [[Joey Hess|joey]] ]
-
-  * po: If msgmerge falls over on a problem po file, print a warning
-    message, but don't let this problem crash ikiwiki entirely.
-"""]]
-[[!meta date="2015-01-07 10:24:25 +0000"]]

diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
new file mode 100644 (file)
index 0000000..650588c
--- /dev/null
+++ b/doc/news/version_3.20160506.mdwn
@@ -0,0 +1,45 @@
+News for ikiwiki 3.20160506:
+
+   To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
+   the `[[!img]]` directive is now restricted to these common web formats by
+   default:
+   * JPEG (`.jpg`, `.jpeg`)
+   * PNG (`.png`)
+   * GIF (`.gif`)
+   * SVG (`.svg`)
+   (In particular, by default resizing PDF files is no longer allowed.)
+   Additionally, resized SVG files are displayed in the browser as SVG
+   instead of being converted to PNG.
+   If all users who can attach images are fully trusted, this restriction
+   can be removed with the new img\_allowed\_formats setup option.
+   See [[ikiwiki/directive/img]] for more details.
+
+ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ [[Simon McVittie|smcv]] ]
+   * HTML-escape error messages, in one case avoiding potential cross-site
+     scripting (OVE-20160505-0012)
+   * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+     - img: force common Web formats to be interpreted according to extension,
+       so that "allowed\_attachments: '*.jpg'" does what one might expect
+     - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+       CVE-2016-3714 and similar vulnerabilities
+     - img: check that the magic number matches what we would expect from
+       the extension before giving common formats to ImageMagick
+   * d/control: use https for Homepage
+   * d/control: add Vcs-Browser
+ * [ [[Joey Hess|joey]] ]
+   * img: Add back support for SVG images, bypassing ImageMagick and
+     simply passing the SVG through to the browser, which is supported by all
+     commonly used browsers these days.
+     SVG scaling by img directives has subtly changed; where before
+     size=wxh would preserve aspect ratio, this cannot be done when passing
+     them through and so specifying both a width and height can change
+     the SVG's aspect ratio.
+   * loginselector: When only openid and emailauth are enabled, but
+     passwordauth is not, avoid showing a "Other" box which opens an
+     empty form.
+ * [ [[Amitai Schlair|schmonz]] ]
+   * mdwn: Process .md like .mdwn, but disallow web creation.
+ * [ Florian Wagner ]
+   * git: Correctly handle filenames starting with a dash in add/rm/mv."""]]