From 590d5c29b033eb7704df5538c8cc13d6eda66143 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 8 May 2016 16:31:08 +0100 Subject: [PATCH 1/1] 3.20120629+deb7u1 --- debian/NEWS | 22 ++++++++++++++++++++++ debian/changelog | 4 ++-- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/debian/NEWS b/debian/NEWS index ff856e5f0..f7d76649d 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,25 @@ +ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium + + To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities, + the [[!img]] directive is now restricted to these common web formats by + default: + + * JPEG (.jpg, .jpeg) + * PNG (.png) + * GIF (.gif) + * SVG (.svg) + + (In particular, by default resizing PDF files is no longer allowed.) + + Additionally, resized SVG files are displayed in the browser as SVG + instead of being converted to PNG. + + If all users who can attach images are fully trusted, this restriction + can be removed with the new img_allowed_formats setup option. + See for more details. + + -- Simon McVittie Sun, 08 May 2016 16:30:55 +0100 + ikiwiki (3.20110122) unstable; urgency=low If you have custom CSS that uses "#feedlinks" or "#blogform", you will diff --git a/debian/changelog b/debian/changelog index fc456b42d..ce7a8b497 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -ikiwiki (3.20120629.3) UNRELEASED; urgency=medium +ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium * HTML-escape error messages, in one case avoiding potential cross-site scripting (CVE-2016-4561, OVE-20160505-0012) @@ -29,7 +29,7 @@ ikiwiki (3.20120629.3) UNRELEASED; urgency=medium (chrysn, joeyh, schmonz, smcv) * debian/tests: add metadata to run the img test as an autopkgtest - -- Simon McVittie Sun, 08 May 2016 15:33:51 +0100 + -- Simon McVittie Sun, 08 May 2016 16:30:55 +0100 ikiwiki (3.20120629.2) wheezy; urgency=medium -- 2.39.5