author: Simon McVittie <smcv@debian.org> 2016-05-06 20:10:19 +0100
committer: Simon McVittie <smcv@debian.org> 2016-05-06 20:10:19 +0100
commit: 26d4641d02eeea87c2c061ecf24f9846d97cb780
tree: 27048a2f8ee675bfd8c30ca9ced8c0f951936289 /doc
parent: 847c9f232efad6820cb7788994c2418a8cb89992
download: ikiwiki-26d4641d02eeea87c2c061ecf24f9846d97cb780.tar, ikiwiki-26d4641d02eeea87c2c061ecf24f9846d97cb780.tar.gz
Announce 3.20160506
Diffstat (limited to 'doc')
-rw-r--r-- doc/news/version_3.20150107.mdwn 44
-rw-r--r-- doc/news/version_3.20160506.mdwn 45
2 files changed, 45 insertions, 44 deletions
diff --git a/doc/news/version_3.20150107.mdwn b/doc/news/version_3.20150107.mdwn
deleted file mode 100644
index 7cae042ac..000000000
--- a/doc/news/version_3.20150107.mdwn
+++ /dev/null
@@ -1,44 +0,0 @@
-ikiwiki 3.20150107 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- [ [[Joey Hess|joey]] ]
-
- * Added ikiwiki-comment program.
- * Add missing build-depends on `libcgi-formbuilder-perl`, needed for
- `t/relativity.t`
- * openid: Stop suppressing the email field on the Preferences page.
- * Set Debian package maintainer to Simon McVittie as I'm retiring from
- Debian.
-
- [ [[Simon McVittie|smcv]] ]
-
- * calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh`
- can mostly supersede the `ikiwiki-calendar` command.
- Thanks, Louis Paternault
- * search: add more classes as a hook for CSS. Thanks, sajolida
- * core: generate HTML5 by default, but keep avoiding new elements
- like `<section>` that require specific browser support unless `html5` is
- set to 1.
- * Tell mobile browsers to draw our pages in a device-sized viewport,
- not an 800-1000px viewport designed to emulate a desktop/laptop browser.
- * Add new `responsive_layout` option which can be set to 0 if your custom
- CSS only works in a large viewport.
- * style.css, actiontabs, blueview, goldtype, monochrome: adjust layout
- below 600px ("responsive layout") so that horizontal scrolling is not
- needed on smartphone browsers or other small viewports.
- * core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault
-
- [ [[Amitai Schlair|schmonz]] ]
-
- * core: log a debug message before waiting for the lock.
- Thanks, Mark Jason Dominus
- * build: in po/Makefile, use the same `$(MAKE)` as the rest of the build.
- Thanks, ttw
- * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd).
- Closes: [[!debbug 774441]]
-
- [ [[Joey Hess|joey]] ]
-
- * po: If msgmerge falls over on a problem po file, print a warning
- message, but don't let this problem crash ikiwiki entirely.
-"""]]
-[[!meta date="2015-01-07 10:24:25 +0000"]]
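Review bot: this hunk deletes doc/news/version_3.20150107.mdwn outright (the diffstat shows a deletion, not a rename), so the 3.20150107 announcement, including its `[[!meta date="2015-01-07 10:24:25 +0000"]]` line, disappears from doc/news. If the convention is to keep only the newest release announcement in doc/news, a sentence saying so in the commit message ("Announce 3.20160506") would explain the removal; otherwise consider leaving the older file in place so the news history stays browsable.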
diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn
new file mode 100644
index 000000000..650588c6e
--- /dev/null
+++ b/doc/news/version_3.20160506.mdwn
@@ -0,0 +1,45 @@
+News for ikiwiki 3.20160506:
+
+ To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities,
+ the `[[!img]]` directive is now restricted to these common web formats by
+ default:
+ * JPEG (`.jpg`, `.jpeg`)
+ * PNG (`.png`)
+ * GIF (`.gif`)
+ * SVG (`.svg`)
+ (In particular, by default resizing PDF files is no longer allowed.)
+ Additionally, resized SVG files are displayed in the browser as SVG
+ instead of being converted to PNG.
+ If all users who can attach images are fully trusted, this restriction
+ can be removed with the new img\_allowed\_formats setup option.
+ See [[ikiwiki/directive/img]] for more details.
+
+ikiwiki 3.20160506 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ [[Simon McVittie|smcv]] ]
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (OVE-20160505-0012)
+ * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
+ - img: force common Web formats to be interpreted according to extension,
+ so that "allowed\_attachments: '*.jpg'" does what one might expect
+ - img: restrict to JPEG, PNG and GIF images by default, again mitigating
+ CVE-2016-3714 and similar vulnerabilities
+ - img: check that the magic number matches what we would expect from
+ the extension before giving common formats to ImageMagick
+ * d/control: use https for Homepage
+ * d/control: add Vcs-Browser
+ * [ [[Joey Hess|joey]] ]
+ * img: Add back support for SVG images, bypassing ImageMagick and
+ simply passing the SVG through to the browser, which is supported by all
+ commonly used browsers these days.
+ SVG scaling by img directives has subtly changed; where before
+ size=wxh would preserve aspect ratio, this cannot be done when passing
+ them through and so specifying both a width and height can change
+ the SVG's aspect ratio.
+ * loginselector: When only openid and emailauth are enabled, but
+ passwordauth is not, avoid showing a "Other" box which opens an
+ empty form.
+ * [ [[Amitai Schlair|schmonz]] ]
+ * mdwn: Process .md like .mdwn, but disallow web creation.
+ * [ Florian Wagner ]
+ * git: Correctly handle filenames starting with a dash in add/rm/mv."""]]
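Review bot: the new doc/news/version_3.20160506.mdwn has no `[[!meta date=...]]` directive, unlike the deleted version_3.20150107.mdwn which ended with `[[!meta date="2015-01-07 10:24:25 +0000"]]`, so this news item will be dated by file or commit time rather than a fixed release timestamp; consider appending `[[!meta date="2016-05-06 20:10:19 +0100"]]` (the commit timestamp shown above) after the closing `"""]]`. A smaller point: in the intro paragraph the option name is written as `img\_allowed\_formats` with backslash escapes, while `[[!img]]` and the option names in the changelog entries use backticks; putting the setup option in backticks too would render it consistently and avoid the escapes.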