From dea96e51136ee44971f3e3dafad67f8a5e111c50 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 6 May 2016 07:49:45 +0100 Subject: Document the security fixes in this release --- debian/NEWS | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'debian/NEWS') diff --git a/debian/NEWS b/debian/NEWS index b2753c638..66b2b4299 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,27 @@ +ikiwiki (3.20160506) UNRELEASED; urgency=medium + + To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities, + the [[!img]] directive is now restricted to these common web formats by + default: + + * JPEG (.jpg, .jpeg) + * PNG (.png) + * GIF (.gif) + * SVG (.svg) + + (In particular, by default resizing PDF files is no longer allowed.) + + Additionally, resized SVG files are displayed in the browser as SVG + instead of being converted to PNG. + + If all users who can attach images are fully trusted, this restriction + can be removed with the new img_allowed_formats setup option. + See + or for + more details. + + -- Simon McVittie Fri, 06 May 2016 07:07:29 +0100 + ikiwiki (3.20150610) unstable; urgency=low The new "emailauth" plugin allows users to authenticate using an email -- cgit v1.2.3
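Review bot: In the last paragraph of the new entry, the sentence "See or for more details." names no document or URL as it appears here, so a reader has nowhere to look up the img_allowed_formats syntax. Either make sure both references are present in the committed text or add a one-line example of the setting to the NEWS entry itself. The entry also says only that resizing PDF files "is no longer allowed" by default. It does not say what an existing [[!img]] directive pointing at a PDF or another unlisted format will do after the upgrade, which is the first thing an admin rebuilding a wiki will run into. The "Additionally" paragraph about SVG would be clearer with a clause tying it to the mitigation, explaining why resized SVG is now displayed as SVG rather than converted to PNG. Finally, "fully trusted" is doing a lot of work in the opt-out paragraph. It would help to say explicitly that lifting the restriction re-exposes the wiki to the ImageMagick issues named at the top of the entry.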