diff options
author | Simon McVittie <smcv@debian.org> | 2019-02-28 14:14:12 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2019-02-28 14:15:39 +0000 |
commit | 21418d9a0a5749a11552f023b1b1d94796d0724a (patch) | |
tree | b46dc909c7ec9c3a7a9858405e1c264b3148ccd3 /doc/news/version_3.20190228.mdwn | |
parent | 8d7a1e8d9c854ac0f7646debbaf4362b194e9033 (diff) | |
download | ikiwiki-21418d9a0a5749a11552f023b1b1d94796d0724a.tar ikiwiki-21418d9a0a5749a11552f023b1b1d94796d0724a.tar.gz |
Announce 3.20190228 and 3.20170111.1
Diffstat (limited to 'doc/news/version_3.20190228.mdwn')
-rw-r--r-- | doc/news/version_3.20190228.mdwn | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/doc/news/version_3.20190228.mdwn b/doc/news/version_3.20190228.mdwn new file mode 100644 index 000000000..c26e8ad51 --- /dev/null +++ b/doc/news/version_3.20190228.mdwn @@ -0,0 +1,43 @@ +ikiwiki 3.20190228 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * aggregate: Use LWPx::ParanoidAgent if available. + Previously blogspam, openid and pinger used this module if available, + but aggregate did not. This prevents server-side request forgery or + local file disclosure, and mitigates denial of service when slow + "tarpit" URLs are accessed. + ([[!debcve CVE-2019-9187]]) + * blogspam, openid, pinger: Use a HTTP proxy if configured, even if + LWPx::ParanoidAgent is installed. + Previously, only aggregate would obey proxy configuration. If a proxy + is used, the proxy (not ikiwiki) is responsible for preventing attacks + like CVE-2019-9187. + * aggregate, blogspam, openid, pinger: Do not access non-http, non-https + URLs. + Previously, these plugins would have allowed non-HTTP-based requests if + LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local + file disclosure, and preventing other rarely-used URI schemes like + gopher mitigates request forgery attacks. + * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly + recommended. + These plugins can request attacker-controlled URLs in some site + configurations. + * blogspam: Document LWPx::ParanoidAgent as desirable. + This plugin doesn't request attacker-controlled URLs, so it's + non-critical here. + * blogspam, openid, pinger: Consistently use cookiejar if configured. + Previously, these plugins would only obey this configuration if + LWPx::ParanoidAgent was not installed, but this appears to have been + unintended. + * po: Always filter .po files. + The po plugin in previous ikiwiki releases made the second and + subsequent filter call per (page, destpage) pair into a no-op, + apparently in an attempt to prevent *recursive* filtering (which as + far as we can tell can't happen anyway), with the undesired effect + of interpreting the raw .po file as page content (e.g. Markdown) + if it was inlined into the same page twice, which is apparently + something that tails.org does. Simplify this by deleting the code + that prevented repeated filtering. Thanks, intrigeri + (Closes: #[911356](http://bugs.debian.org/911356))"""]] + +ikiwiki 3.20170111.1 was also released, backporting the LWP-related +changes from 3.20190228 to the branch used in Debian 9 'stretch'. |