author | Simon McVittie <smcv@debian.org> | 2017-10-01 17:16:28 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2017-10-01 17:16:33 +0100 |
commit | fddc543fa59bfd48868f32ff1c9b8c09913d9452 (patch) | |
tree | a62fa703f857ed083bf2868f29ec211f22bd70ea /doc | |
parent | 3729abd8db4bf4544899cd06d6044f7df013ddf7 (diff) | |
Announce version 3.20171001
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/news/version_3.20161229.mdwn | 23 | ||||
-rw-r--r-- | doc/news/version_3.20171001.mdwn | 23 |
2 files changed, 23 insertions, 23 deletions
diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn deleted file mode 100644 index 365cb69d1..000000000 --- a/doc/news/version_3.20161229.mdwn +++ /dev/null @@ -1,23 +0,0 @@ -ikiwiki 3.20161229 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * Security: force CGI::FormBuilder->field to scalar context where - necessary, avoiding unintended function argument injection - analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to - forge commit metadata, but thankfully nothing more serious. - ([[!debcve CVE-2016-9646]]) - * Security: try revert operations in a temporary working tree before - approving them. Previously, automatic rename detection could result in - a revert writing outside the wiki srcdir or altering a file that the - reverting user should not be able to alter, an authorization bypass. - ([[!debcve CVE-2016-10026]] represents the original vulnerability.) - The incomplete fix released in 3.20161219 was not effective for git - versions prior to 2.8.0rc0. - ([[!debcve CVE-2016-9645]] represents that incomplete solution.) - * Add CVE references for CVE-2016-10026 - * Add automated test for using the CGI with git, including - CVE-2016-10026 - - Build-depend on libipc-run-perl for better build-time test coverage - * Add missing ikiwiki.setup for the manual test for CVE-2016-10026 - * git: don't issue a warning if the rcsinfo CGI parameter is undefined - * git: do not fail to commit changes with a recent git version - and an anonymous committer"""]] diff --git a/doc/news/version_3.20171001.mdwn b/doc/news/version_3.20171001.mdwn new file mode 100644 index 000000000..3d51b8776 --- /dev/null +++ b/doc/news/version_3.20171001.mdwn 
@@ -0,0 +1,23 @@ +ikiwiki 3.20171001 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * [ [[Joey Hess|joey]] ] + * htmlscrubber: Add support for the video tag's `loop` and `muted` + attributes. Those were not in the original html5 spec, but have been + added in the whatwg html living standard and have wide browser support. + * emailauth, passwordauth: Avoid leaving `cgisess_*` files in the + system temp directory. + * [ [[Simon McVittie|smcv]] ] + * core: Don't decode the result of `strftime` if it is already tagged as + UTF-8, as it might be since Perl >= 5.21.1. (Closes: #[869240](http://bugs.debian.org/869240)) + * img: Strip metadata from resized images when the deterministic config + option is set. Thanks, [[intrigeri]] + * receive: Avoid `asprintf()` in `IkiWiki::Receive`, to avoid implicit + declaration, potential misbehaviour on 64-bit platforms, and lack + of portability to non-GNU platforms + * t: Add a regression test for untrusted git push + * receive: Fix untrusted git push with git (>= 2.11) by passing through + the necessary environment variables to make the quarantine area work + * debian: Declare compliance with Debian Policy 4.1.1 + * [ [[Amitai Schleier|schmonz]] ] + * l10n: Fix the build with po4a 0.52, by ensuring that `msgstr` ends + with a newline if and only if `msgid` does"""]] |
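Review bot: In the deletion of doc/news/version_3.20161229.mdwn, the two "Security:" items (CVE-2016-9646, and CVE-2016-10026 together with the incomplete fix tracked as CVE-2016-9645) leave doc/news, and nothing in the replacement entry points back to them. Before rotating the file out, confirm that these advisories stay recorded somewhere outside doc/news, or keep a one-line reference for users who are still upgrading from releases older than 3.20161229.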
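Review bot: In the new doc/news/version_3.20171001.mdwn, the entry "receive: Fix untrusted git push with git (>= 2.11) by passing through the necessary environment variables" does not say which variables are passed through. This is the code path that handles pushes from untrusted users, so name the variables in the entry; an administrator reviewing what the receive code inherits from git can then check the list against their own deployment. The emailauth, passwordauth entry about `cgisess_*` files would likewise be more useful if it said whether files left in the system temp directory by earlier versions need to be removed by hand.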