aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorSimon McVittie <smcv@debian.org>2017-10-01 17:16:28 +0100
committerSimon McVittie <smcv@debian.org>2017-10-01 17:16:33 +0100
commitfddc543fa59bfd48868f32ff1c9b8c09913d9452 (patch)
treea62fa703f857ed083bf2868f29ec211f22bd70ea /doc
parent3729abd8db4bf4544899cd06d6044f7df013ddf7 (diff)
downloadikiwiki-fddc543fa59bfd48868f32ff1c9b8c09913d9452.tar
ikiwiki-fddc543fa59bfd48868f32ff1c9b8c09913d9452.tar.gz
Announce version 3.20171001
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc')
-rw-r--r--doc/news/version_3.20161229.mdwn23
-rw-r--r--doc/news/version_3.20171001.mdwn23
2 files changed, 23 insertions, 23 deletions
diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn
deleted file mode 100644
index 365cb69d1..000000000
--- a/doc/news/version_3.20161229.mdwn
+++ /dev/null
@@ -1,23 +0,0 @@
-ikiwiki 3.20161229 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * Security: force CGI::FormBuilder-&gt;field to scalar context where
- necessary, avoiding unintended function argument injection
- analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to
- forge commit metadata, but thankfully nothing more serious.
- ([[!debcve CVE-2016-9646]])
- * Security: try revert operations in a temporary working tree before
- approving them. Previously, automatic rename detection could result in
- a revert writing outside the wiki srcdir or altering a file that the
- reverting user should not be able to alter, an authorization bypass.
- ([[!debcve CVE-2016-10026]] represents the original vulnerability.)
- The incomplete fix released in 3.20161219 was not effective for git
- versions prior to 2.8.0rc0.
- ([[!debcve CVE-2016-9645]] represents that incomplete solution.)
- * Add CVE references for CVE-2016-10026
- * Add automated test for using the CGI with git, including
- CVE-2016-10026
- - Build-depend on libipc-run-perl for better build-time test coverage
- * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
- * git: don't issue a warning if the rcsinfo CGI parameter is undefined
- * git: do not fail to commit changes with a recent git version
- and an anonymous committer"""]]
diff --git a/doc/news/version_3.20171001.mdwn b/doc/news/version_3.20171001.mdwn
new file mode 100644
index 000000000..3d51b8776
--- /dev/null
+++ b/doc/news/version_3.20171001.mdwn
@@ -0,0 +1,23 @@
+ikiwiki 3.20171001 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * [ [[Joey Hess|joey]] ]
+ * htmlscrubber: Add support for the video tag's `loop` and `muted`
+ attributes. Those were not in the original html5 spec, but have been
+ added in the whatwg html living standard and have wide browser support.
+ * emailauth, passwordauth: Avoid leaving `cgisess_*` files in the
+ system temp directory.
+ * [ [[Simon McVittie|smcv]] ]
+ * core: Don't decode the result of `strftime` if it is already tagged as
+ UTF-8, as it might be since Perl &gt;= 5.21.1. (Closes: #[869240](http://bugs.debian.org/869240))
+ * img: Strip metadata from resized images when the deterministic config
+ option is set. Thanks, [[intrigeri]]
+ * receive: Avoid `asprintf()` in `IkiWiki::Receive`, to avoid implicit
+ declaration, potential misbehaviour on 64-bit platforms, and lack
+ of portability to non-GNU platforms
+ * t: Add a regression test for untrusted git push
+ * receive: Fix untrusted git push with git (&gt;= 2.11) by passing through
+ the necessary environment variables to make the quarantine area work
+ * debian: Declare compliance with Debian Policy 4.1.1
+ * [ [[Amitai Schleier|schmonz]] ]
+ * l10n: Fix the build with po4a 0.52, by ensuring that `msgstr` ends
+ with a newline if and only if `msgid` does"""]]