Announce 3.20190228 and 3.20170111.1

1 files changed, 43 insertions, 0 deletions

diff --git a/doc/news/version_3.20190228.mdwn b/doc/news/version_3.20190228.mdwn
new file mode 100644
index 000000000..c26e8ad51
--- /dev/null
+++ b/doc/news/version_3.20190228.mdwn
@@ -0,0 +1,43 @@
+ikiwiki 3.20190228 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * aggregate: Use LWPx::ParanoidAgent if available.
+     Previously blogspam, openid and pinger used this module if available,
+     but aggregate did not. This prevents server-side request forgery or
+     local file disclosure, and mitigates denial of service when slow
+     "tarpit" URLs are accessed.
+     ([[!debcve CVE-2019-9187]])
+   * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
+     LWPx::ParanoidAgent is installed.
+     Previously, only aggregate would obey proxy configuration. If a proxy
+     is used, the proxy (not ikiwiki) is responsible for preventing attacks
+     like CVE-2019-9187.
+   * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
+     URLs.
+     Previously, these plugins would have allowed non-HTTP-based requests if
+     LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
+     file disclosure, and preventing other rarely-used URI schemes like
+     gopher mitigates request forgery attacks.
+   * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
+     recommended.
+     These plugins can request attacker-controlled URLs in some site
+     configurations.
+   * blogspam: Document LWPx::ParanoidAgent as desirable.
+     This plugin doesn't request attacker-controlled URLs, so it's
+     non-critical here.
+   * blogspam, openid, pinger: Consistently use cookiejar if configured.
+     Previously, these plugins would only obey this configuration if
+     LWPx::ParanoidAgent was not installed, but this appears to have been
+     unintended.
+   * po: Always filter .po files.
+     The po plugin in previous ikiwiki releases made the second and
+     subsequent filter call per (page, destpage) pair into a no-op,
+     apparently in an attempt to prevent *recursive* filtering (which as
+     far as we can tell can't happen anyway), with the undesired effect
+     of interpreting the raw .po file as page content (e.g. Markdown)
+     if it was inlined into the same page twice, which is apparently
+     something that tails.org does. Simplify this by deleting the code
+     that prevented repeated filtering. Thanks, intrigeri
+     (Closes: #[911356](http://bugs.debian.org/911356))"""]]
+
+ikiwiki 3.20170111.1 was also released, backporting the LWP-related
+changes from 3.20190228 to the branch used in Debian 9 'stretch'.