-ikiwiki (3.20161220) UNRELEASED; urgency=medium
+ikiwiki (3.20161229) unstable; urgency=medium
* Security: force CGI::FormBuilder->field to scalar context where
necessary, avoiding unintended function argument injection
* git: do not fail to commit changes with a recent git version
and an anonymous committer
- -- Simon McVittie <smcv@debian.org> Wed, 21 Dec 2016 13:03:07 +0000
+ -- Simon McVittie <smcv@debian.org> Thu, 29 Dec 2016 17:36:15 +0000
ikiwiki (3.20161219) unstable; urgency=medium
+++ /dev/null
-ikiwiki 3.20160121 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ [[Amitai Schlair|schmonz]] ]
- * [[plugins/meta]]: Fix `\[[!meta name=foo]]` by closing the open quote.
- * Avoid unescaped `{` in regular expressions
- * meta test: Add tests for many behaviors of the directive.
- * img test: Bail gracefully when [[!cpan ImageMagick]] is not present.
- * [ [[Joey Hess|joey]] ]
- * [[plugins/emailauth]]: Added `emailauth_sender` config.
- * Modified `page.tmpl` to to set html `lang=` and `dir=` when
- values have been specified for them, which the [[plugins/po|po plugin]] does.
- * Specifically license the javascript underlay under the permissive
- basewiki license.
- * [ [[Simon McVittie|smcv]] ]
- * [[plugins/git]]: if no committer identity is known, set it to
- `IkiWiki <ikiwiki.info>` in `.git/config`. This resolves commit errors
- in versions of git that require a non-trivial committer identity.
- * [[plugins/inline]], [[plugins/trail]]: rename `show`, `feedshow` parameters to `limit`, `feedlimit`
- (with backwards compatibility)
- * [[plugins/pagestats]]: add `show` option to show [[plugins/meta]] fields. Thanks, [[Louis|spalax]]
- * [[plugins/inline]]: force RSS `<comments>` to be a fully absolute URL as required
- by the W3C validator. Please use Atom feeds if relative URLs are
- desirable on your site.
- * [[plugins/inline]]: add `<atom:link rel="self">` to RSS feeds as recommended by
- the W3C validator
- * [[plugins/inline]]: do not produce links containing `/./` or `/../`
- * syslog: accept and encode UTF-8 messages
- * syslog: don't fail to log if the wiki name contains `%s`
- * Change dependencies from transitional package [[!debpkg perlmagick]]
- to [[!debpkg libimage-magick-perl]] (Closes: #[789221](http://bugs.debian.org/789221))
- * debian/copyright: update for the rename of `openid-selector` to
- `login-selector`
- * d/control: remove leading article from Description
- (lintian: description-synopsis-starts-with-article)
- * d/control: Standards-Version: 3.9.6, no changes required
- * Wrap and sort control files (`wrap-and-sort -abst`)
- * Silence "used only once: possible typo" warnings for variables
- that are part of modules' APIs
- * Run [[!debpkg autopkgtest]] tests using [[!debpkg autodep8]] and the pkg-perl team's
- infrastructure
- * Add enough build-dependencies to run all tests, except for
- non-git VCSs
- * tests: consistently use `done_testing` instead of `no_plan`
- * `t/img.t`: do not spuriously skip
- * img test: skip testing PDFs if unsupported
- * img test: use the right filenames when testing that deletion occurs"""]]
--- /dev/null
+ikiwiki 3.20161229 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * Security: force CGI::FormBuilder->field to scalar context where
+ necessary, avoiding unintended function argument injection
+ analogous to [[!cve CVE-2014-1572]]. In ikiwiki this could be used to
+ forge commit metadata, but thankfully nothing more serious.
+ ([[!cve CVE-2016-9646]])
+ * Security: try revert operations in a temporary working tree before
+ approving them. Previously, automatic rename detection could result in
+ a revert writing outside the wiki srcdir or altering a file that the
+ reverting user should not be able to alter, an authorization bypass.
+ ([[!cve CVE-2016-10026]] represents the original vulnerability.)
+ The incomplete fix released in 3.20161219 was not effective for git
+ versions prior to 2.8.0rc0.
+ ([[!cve CVE-2016-9645]] represents that incomplete solution.)
+ * Add CVE references for CVE-2016-10026
+ * Add automated test for using the CGI with git, including
+ CVE-2016-10026
+ - Build-depend on libipc-run-perl for better build-time test coverage
+ * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
+ * git: don't issue a warning if the rcsinfo CGI parameter is undefined
+ * git: do not fail to commit changes with a recent git version
+ and an anonymous committer"""]]