From: Simon McVittie Date: Thu, 29 Dec 2016 17:37:51 +0000 (+0000) Subject: 3.20161229 X-Git-Tag: debian/3.20161229^0 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/287bb19883f9fba8d1b1257d010ba7e086e38df6?ds=sidebyside;hp=-c 3.20161229 --- 287bb19883f9fba8d1b1257d010ba7e086e38df6 diff --git a/debian/changelog b/debian/changelog index bc0480912..cd7e158a7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -ikiwiki (3.20161220) UNRELEASED; urgency=medium +ikiwiki (3.20161229) unstable; urgency=medium * Security: force CGI::FormBuilder->field to scalar context where necessary, avoiding unintended function argument injection @@ -22,7 +22,7 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium * git: do not fail to commit changes with a recent git version and an anonymous committer - -- Simon McVittie Wed, 21 Dec 2016 13:03:07 +0000 + -- Simon McVittie Thu, 29 Dec 2016 17:36:15 +0000 ikiwiki (3.20161219) unstable; urgency=medium diff --git a/doc/news/version_3.20160121.mdwn b/doc/news/version_3.20160121.mdwn deleted file mode 100644 index 2e727a63a..000000000 --- a/doc/news/version_3.20160121.mdwn +++ /dev/null 
@@ -1,46 +0,0 @@ -ikiwiki 3.20160121 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * [ [[Amitai Schlair|schmonz]] ] - * [[plugins/meta]]: Fix `\[[!meta name=foo]]` by closing the open quote. - * Avoid unescaped `{` in regular expressions - * meta test: Add tests for many behaviors of the directive. - * img test: Bail gracefully when [[!cpan ImageMagick]] is not present. - * [ [[Joey Hess|joey]] ] - * [[plugins/emailauth]]: Added `emailauth_sender` config. - * Modified `page.tmpl` to to set html `lang=` and `dir=` when - values have been specified for them, which the [[plugins/po|po plugin]] does. - * Specifically license the javascript underlay under the permissive - basewiki license. - * [ [[Simon McVittie|smcv]] ] - * [[plugins/git]]: if no committer identity is known, set it to - `IkiWiki ` in `.git/config`. This resolves commit errors - in versions of git that require a non-trivial committer identity. - * [[plugins/inline]], [[plugins/trail]]: rename `show`, `feedshow` parameters to `limit`, `feedlimit` - (with backwards compatibility) - * [[plugins/pagestats]]: add `show` option to show [[plugins/meta]] fields. Thanks, [[Louis|spalax]] - * [[plugins/inline]]: force RSS `` to be a fully absolute URL as required - by the W3C validator. Please use Atom feeds if relative URLs are - desirable on your site. 
- * [[plugins/inline]]: add `` to RSS feeds as recommended by - the W3C validator - * [[plugins/inline]]: do not produce links containing `/./` or `/../` - * syslog: accept and encode UTF-8 messages - * syslog: don't fail to log if the wiki name contains `%s` - * Change dependencies from transitional package [[!debpkg perlmagick]] - to [[!debpkg libimage-magick-perl]] (Closes: #[789221](http://bugs.debian.org/789221)) - * debian/copyright: update for the rename of `openid-selector` to - `login-selector` - * d/control: remove leading article from Description - (lintian: description-synopsis-starts-with-article) - * d/control: Standards-Version: 3.9.6, no changes required - * Wrap and sort control files (`wrap-and-sort -abst`) - * Silence "used only once: possible typo" warnings for variables - that are part of modules' APIs - * Run [[!debpkg autopkgtest]] tests using [[!debpkg autodep8]] and the pkg-perl team's - infrastructure - * Add enough build-dependencies to run all tests, except for - non-git VCSs - * tests: consistently use `done_testing` instead of `no_plan` - * `t/img.t`: do not spuriously skip - * img test: skip testing PDFs if unsupported - * img test: use the right filenames when testing that deletion occurs"""]] diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn new file mode 100644 index 000000000..7d96cedb9 --- /dev/null +++ b/doc/news/version_3.20161229.mdwn 
@@ -0,0 +1,23 @@ +ikiwiki 3.20161229 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Security: force CGI::FormBuilder->field to scalar context where + necessary, avoiding unintended function argument injection + analogous to [[!cve CVE-2014-1572]]. In ikiwiki this could be used to + forge commit metadata, but thankfully nothing more serious. + ([[!cve CVE-2016-9646]]) + * Security: try revert operations in a temporary working tree before + approving them. Previously, automatic rename detection could result in + a revert writing outside the wiki srcdir or altering a file that the + reverting user should not be able to alter, an authorization bypass. + ([[!cve CVE-2016-10026]] represents the original vulnerability.) + The incomplete fix released in 3.20161219 was not effective for git + versions prior to 2.8.0rc0. + ([[!cve CVE-2016-9645]] represents that incomplete solution.) + * Add CVE references for CVE-2016-10026 + * Add automated test for using the CGI with git, including + CVE-2016-10026 + - Build-depend on libipc-run-perl for better build-time test coverage + * Add missing ikiwiki.setup for the manual test for CVE-2016-10026 + * git: don't issue a warning if the rcsinfo CGI parameter is undefined + * git: do not fail to commit changes with a recent git version + and an anonymous committer"""]]
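Review bot: in the first debian/changelog hunk the distribution flips from UNRELEASED to unstable but the urgency stays at medium, while the entries being released are security fixes (CVE-2016-9646 and CVE-2016-10026 per the news file added in this commit); consider `ikiwiki (3.20161229) unstable; urgency=high` so the upload is prioritised as a security release, or state why medium is intended.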
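Review bot: the deletion of doc/news/version_3.20160121.mdwn is not mentioned in the commit message, which is just the version number "3.20161229"; if the oldest news item is being rotated out to make room for the new one, say so in the message, since a deleted release note is otherwise easy to mistake for an accidental removal.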
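Review bot: in the new doc/news/version_3.20161229.mdwn hunk the item `- Build-depend on libipc-run-perl for better build-time test coverage` uses a `-` marker while every other item uses ` *`; if it is meant as a sub-item of "Add automated test for using the CGI with git", indent it under that bullet so the markdown nests it, otherwise change the marker to ` *` for consistency with the rest of the toggleable list.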