3.20120629+deb7u1

diff --git a/debian/NEWS b/debian/NEWS
index ff856e5f06c91b6c0d0bda3d6ad44439a3838783..f7d76649d6c403dc2c7379c23c1be4f653f06977 100644 (file)
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
+
+  To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities,
+  the [[!img]] directive is now restricted to these common web formats by
+  default:
+
+  * JPEG (.jpg, .jpeg)
+  * PNG (.png)
+  * GIF (.gif)
+  * SVG (.svg)
+
+  (In particular, by default resizing PDF files is no longer allowed.)
+
+  Additionally, resized SVG files are displayed in the browser as SVG
+  instead of being converted to PNG.
+
+  If all users who can attach images are fully trusted, this restriction
+  can be removed with the new img_allowed_formats setup option.
+  See <https://ikiwiki.info/ikiwiki/directive/img/> for more details.
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
+
 ikiwiki (3.20110122) unstable; urgency=low
 
   If you have custom CSS that uses "#feedlinks" or "#blogform", you will

diff --git a/debian/changelog b/debian/changelog
index fc456b42d9d7f9f7c2521806d74bfb143ce0d260..ce7a8b49771d59fe8c3bbfcd4bd06bca2c3bd0ad 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
+ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
 
   * HTML-escape error messages, in one case avoiding potential cross-site
     scripting (CVE-2016-4561, OVE-20160505-0012)
@@ -29,7 +29,7 @@ ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
     (chrysn, joeyh, schmonz, smcv)
   * debian/tests: add metadata to run the img test as an autopkgtest
 
- -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 15:33:51 +0100
+ -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 16:30:55 +0100
 
 ikiwiki (3.20120629.2) wheezy; urgency=medium