From: Simon McVittie <smcv@debian.org>
Date: Thu, 29 Dec 2016 17:38:12 +0000 (+0000)
Subject: Merge branch 'master' into debian-jessie-backports
X-Git-Tag: debian/3.20170111_bpo8+1~5
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/a6e69822f68864512d49a954a4581511246f0e0b?ds=sidebyside

Merge branch 'master' into debian-jessie-backports
---

a6e69822f68864512d49a954a4581511246f0e0b
diff --cc debian/changelog
index d9782380d,cd7e158a7..c7eaf5aa4
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,12 -1,47 +1,56 @@@
+ ikiwiki (3.20161229) unstable; urgency=medium
+ 
+   * Security: force CGI::FormBuilder->field to scalar context where
+     necessary, avoiding unintended function argument injection
+     analogous to CVE-2014-1572. In ikiwiki this could be used to
+     forge commit metadata, but thankfully nothing more serious.
+     (CVE-2016-9646)
+   * Security: try revert operations in a temporary working tree before
+     approving them. Previously, automatic rename detection could result in
+     a revert writing outside the wiki srcdir or altering a file that the
+     reverting user should not be able to alter, an authorization bypass.
+     (CVE-2016-10026 represents the original vulnerability.)
+     The incomplete fix released in 3.20161219 was not effective for git
+     versions prior to 2.8.0rc0.
+     (CVE-2016-9645 represents that incomplete solution.)
+   * Add CVE references for CVE-2016-10026
+   * Add automated test for using the CGI with git, including
+     CVE-2016-10026
+     - Build-depend on libipc-run-perl for better build-time test coverage
+   * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
+   * git: don't issue a warning if the rcsinfo CGI parameter is undefined
+   * git: do not fail to commit changes with a recent git version
+     and an anonymous committer
+ 
+  -- Simon McVittie <smcv@debian.org>  Thu, 29 Dec 2016 17:36:15 +0000
+ 
+ ikiwiki (3.20161219) unstable; urgency=medium
+ 
+   [ Joey Hess ]
+   * inline: Prevent creating a file named ".mdwn" when the
+     postform is submitted with an empty title.
+ 
+   [ Simon McVittie ]
+   * Security: tell `git revert` not to follow renames. If it does, then
+     renaming a file can result in a revert writing outside the wiki srcdir
+     or altering a file that the reverting user should not be able to alter,
+     an authorization bypass. Thanks, intrigeri. (CVE-2016-10026)
+   * cgitemplate: remove some dead code. Thanks, blipvert
+   * Restrict CSS matches against header class to not break
+     Pandoc tables with header rows. Thanks, karsk
+   * Make pagestats output more deterministic. Thanks, intrigeri
+ 
+  -- Simon McVittie <smcv@debian.org>  Mon, 19 Dec 2016 20:34:23 +0000
+ 
 +ikiwiki (3.20160905~bpo8+1) jessie-backports; urgency=medium
 +
 +  * Rebuild for jessie-backports
 +    - debian/tests/control: set INSTALLED_TESTS=1 here,
 +      pkg-perl-autopkgtest in jessie didn't support
 +      debian/tests/pkg-perl/smoke-env
 +
 + -- Simon McVittie <smcv@debian.org>  Mon, 05 Sep 2016 21:49:22 +0100
 +
  ikiwiki (3.20160905) unstable; urgency=medium
  
    [ Joey Hess ]