author: Simon McVittie <smcv@debian.org>, 2016-05-06 20:10:19 +0100
committer: Simon McVittie <smcv@debian.org>, 2016-05-06 20:10:19 +0100
commit: 26d4641d02eeea87c2c061ecf24f9846d97cb780 (patch)
tree: 27048a2f8ee675bfd8c30ca9ced8c0f951936289 /doc/news/version_3.20160506.mdwn
parent: 847c9f232efad6820cb7788994c2418a8cb89992 (diff)
Announce 3.20160506
Diffstat (limited to 'doc/news/version_3.20160506.mdwn')
-rw-r--r-- doc/news/version_3.20160506.mdwn | 45 +
1 file changed, 45 insertions, 0 deletions
diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
new file mode 100644
index 000000000..650588c6e
--- /dev/null
+++ b/doc/news/version_3.20160506.mdwn
@@ -0,0 +1,45 @@
+News for ikiwiki 3.20160506:
+
+ To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
+ the `[[!img]]` directive is now restricted to these common web formats by
+ default:
+ * JPEG (`.jpg`, `.jpeg`)
+ * PNG (`.png`)
+ * GIF (`.gif`)
+ * SVG (`.svg`)
+ (In particular, by default resizing PDF files is no longer allowed.)
+ Additionally, resized SVG files are displayed in the browser as SVG
+ instead of being converted to PNG.
+ If all users who can attach images are fully trusted, this restriction
+ can be removed with the new img\_allowed\_formats setup option.
+ See [[ikiwiki/directive/img]] for more details.
+
+ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ [[Simon McVittie|smcv]] ]
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (OVE-20160505-0012)
+ * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+ - img: force common Web formats to be interpreted according to extension,
+ so that "allowed\_attachments: '*.jpg'" does what one might expect
+ - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+ CVE-2016-3714 and similar vulnerabilities
+ - img: check that the magic number matches what we would expect from
+ the extension before giving common formats to ImageMagick
+ * d/control: use https for Homepage
+ * d/control: add Vcs-Browser
+ * [ [[Joey Hess|joey]] ]
+ * img: Add back support for SVG images, bypassing ImageMagick and
+ simply passing the SVG through to the browser, which is supported by all
+ commonly used browsers these days.
+ SVG scaling by img directives has subtly changed; where before
+ size=wxh would preserve aspect ratio, this cannot be done when passing
+ them through and so specifying both a width and height can change
+ the SVG's aspect ratio.
+ * loginselector: When only openid and emailauth are enabled, but
+ passwordauth is not, avoid showing a "Other" box which opens an
+ empty form.
+ * [ [[Amitai Schlair|schmonz]] ]
+ * mdwn: Process .md like .mdwn, but disallow web creation.
+ * [ Florian Wagner ]
+ * git: Correctly handle filenames starting with a dash in add/rm/mv."""]]
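Review bot: the user-facing summary at the top of the file omits the SVG sizing change that the changelog entry further down records (with SVG now passed straight through to the browser, `size=wxh` can change the SVG's aspect ratio instead of preserving it); since that can visibly alter existing pages on upgrade, add a sentence after "instead of being converted to PNG.", e.g. "Note that specifying both a width and a height for an SVG no longer preserves its aspect ratio." The summary's advice on `img\_allowed\_formats` would also benefit from stating what it re-enables: the changelog says the magic-number check is applied "before giving common formats to ImageMagick", so it is worth spelling out (or confirming) whether formats added through that option are handed to ImageMagick with no such check, which is exactly the CVE-2016-3714 exposure the default is meant to remove. Minor: the summary says "common web formats" while the changelog says "common Web formats"; pick one spelling.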