author: Simon McVittie <smcv@debian.org> 2019-02-26 21:06:45 +0000
committer: Simon McVittie <smcv@debian.org> 2019-02-26 23:01:54 +0000
commit: 25c69da42cd4a34f2ec2777f932ad91f753e79b2 (patch)
tree: 220cbcb9931e8e9c2b6f6f53b4a9b5c9eca3fb61 /CHANGELOG
parent: 9a275b2f1846d7268c71a740975447e269383849 (diff)
Prepare 3.20190228 for future release
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- CHANGELOG 34
1 files changed, 31 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 5237ee7b8..f32a43ff4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,33 @@
-ikiwiki (3.20190208) UNRELEASED; urgency=medium
-
+ikiwiki (3.20190228) upstream; urgency=medium
+
+ * aggregate: Use LWPx::ParanoidAgent if available.
+ Previously blogspam, openid and pinger used this module if available,
+ but aggregate did not. This prevents server-side request forgery or
+ local file disclosure, and mitigates denial of service when slow
+ "tarpit" URLs are accessed.
+ (CVE-2019-9187)
+ * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
+ LWPx::ParanoidAgent is installed.
+ Previously, only aggregate would obey proxy configuration. If a proxy
+ is used, the proxy (not ikiwiki) is responsible for preventing attacks
+ like CVE-2019-9187.
+ * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
+ URLs.
+ Previously, these plugins would have allowed non-HTTP-based requests if
+ LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
+ file disclosure, and preventing other rarely-used URI schemes like
+ gopher mitigates request forgery attacks.
+ * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
+ recommended.
+ These plugins can request attacker-controlled URLs in some site
+ configurations.
+ * blogspam: Document LWPx::ParanoidAgent as desirable.
+ This plugin doesn't request attacker-controlled URLs, so it's
+ non-critical here.
+ * blogspam, openid, pinger: Consistently use cookiejar if configured.
+ Previously, these plugins would only obey this configuration if
+ LWPx::ParanoidAgent was not installed, but this appears to have been
+ unintended.
* po: Always filter .po files.
The po plugin in previous ikiwiki releases made the second and
subsequent filter call per (page, destpage) pair into a no-op,
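Review bot: the "blogspam, openid, pinger: Use a HTTP proxy if configured" entry should spell out that, once a proxy is configured, LWPx::ParanoidAgent's checks no longer protect any of the four plugins (aggregate already behaved this way, per the entry's own wording), so an administrator reading this changelog knows that the SSRF and local-file protections credited to that module in the CVE-2019-9187 entry must instead be enforced at the proxy. The sentence "the proxy (not ikiwiki) is responsible for preventing attacks like CVE-2019-9187" is correct but easy to miss; consider moving it to the first bullet or adding a one-line note under the aggregate entry that proxy configuration takes precedence there too.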
@@ -11,7 +39,7 @@ ikiwiki (3.20190208) UNRELEASED; urgency=medium
that prevented repeated filtering. Thanks, intrigeri
(Closes: #911356)
- -- Simon McVittie <smcv@debian.org> Sun, 24 Feb 2019 17:11:39 +0000
+ -- Simon McVittie <smcv@debian.org> Tue, 26 Feb 2019 21:05:49 +0000
ikiwiki (3.20190207) upstream; urgency=medium
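Review bot: the trailer timestamp is bumped to "Tue, 26 Feb 2019 21:05:49 +0000" while the new version string in the first hunk is 3.20190228; since the commit message says this prepares the release rather than makes it, the trailer will need another update at release time so the date in the version and the changelog signature agree.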