From 21418d9a0a5749a11552f023b1b1d94796d0724a Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 28 Feb 2019 14:14:12 +0000 Subject: Announce 3.20190228 and 3.20170111.1 --- doc/news/version_3.20171001.mdwn | 23 --------------------- doc/news/version_3.20190228.mdwn | 43 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 23 deletions(-) delete mode 100644 doc/news/version_3.20171001.mdwn create mode 100644 doc/news/version_3.20190228.mdwn (limited to 'doc/news') diff --git a/doc/news/version_3.20171001.mdwn b/doc/news/version_3.20171001.mdwn deleted file mode 100644 index 3d51b8776..000000000 --- a/doc/news/version_3.20171001.mdwn +++ /dev/null 
@@ -1,23 +0,0 @@ -ikiwiki 3.20171001 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * [ [[Joey Hess|joey]] ] - * htmlscrubber: Add support for the video tag's `loop` and `muted` - attributes. Those were not in the original html5 spec, but have been - added in the whatwg html living standard and have wide browser support. - * emailauth, passwordauth: Avoid leaving `cgisess_*` files in the - system temp directory. - * [ [[Simon McVittie|smcv]] ] - * core: Don't decode the result of `strftime` if it is already tagged as - UTF-8, as it might be since Perl >= 5.21.1. (Closes: #[869240](http://bugs.debian.org/869240)) - * img: Strip metadata from resized images when the deterministic config - option is set. Thanks, [[intrigeri]] - * receive: Avoid `asprintf()` in `IkiWiki::Receive`, to avoid implicit - declaration, potential misbehaviour on 64-bit platforms, and lack - of portability to non-GNU platforms - * t: Add a regression test for untrusted git push - * receive: Fix untrusted git push with git (>= 2.11) by passing through - the necessary environment variables to make the quarantine area work - * debian: Declare compliance with Debian Policy 4.1.1 - * [ [[Amitai Schleier|schmonz]] ] - * l10n: Fix the build with po4a 0.52, by ensuring that `msgstr` ends - with a newline if and only if `msgid` does"""]] diff --git a/doc/news/version_3.20190228.mdwn b/doc/news/version_3.20190228.mdwn new file mode 100644 index 000000000..c26e8ad51 --- /dev/null +++ b/doc/news/version_3.20190228.mdwn 
@@ -0,0 +1,43 @@ +ikiwiki 3.20190228 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * aggregate: Use LWPx::ParanoidAgent if available. + Previously blogspam, openid and pinger used this module if available, + but aggregate did not. This prevents server-side request forgery or + local file disclosure, and mitigates denial of service when slow + "tarpit" URLs are accessed. + ([[!debcve CVE-2019-9187]]) + * blogspam, openid, pinger: Use a HTTP proxy if configured, even if + LWPx::ParanoidAgent is installed. + Previously, only aggregate would obey proxy configuration. If a proxy + is used, the proxy (not ikiwiki) is responsible for preventing attacks + like CVE-2019-9187. + * aggregate, blogspam, openid, pinger: Do not access non-http, non-https + URLs. + Previously, these plugins would have allowed non-HTTP-based requests if + LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local + file disclosure, and preventing other rarely-used URI schemes like + gopher mitigates request forgery attacks. + * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly + recommended. + These plugins can request attacker-controlled URLs in some site + configurations. + * blogspam: Document LWPx::ParanoidAgent as desirable. + This plugin doesn't request attacker-controlled URLs, so it's + non-critical here. + * blogspam, openid, pinger: Consistently use cookiejar if configured. + Previously, these plugins would only obey this configuration if + LWPx::ParanoidAgent was not installed, but this appears to have been + unintended. + * po: Always filter .po files. + The po plugin in previous ikiwiki releases made the second and + subsequent filter call per (page, destpage) pair into a no-op, + apparently in an attempt to prevent *recursive* filtering (which as + far as we can tell can't happen anyway), with the undesired effect + of interpreting the raw .po file as page content (e.g. 
Markdown) + if it was inlined into the same page twice, which is apparently + something that tails.org does. Simplify this by deleting the code + that prevented repeated filtering. Thanks, intrigeri + (Closes: #[911356](http://bugs.debian.org/911356))"""]] + +ikiwiki 3.20170111.1 was also released, backporting the LWP-related +changes from 3.20190228 to the branch used in Debian 9 'stretch'. -- cgit v1.2.3
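Review bot: the deletion of doc/news/version_3.20171001.mdwn is not explained by the commit message "Announce 3.20190228 and 3.20170111.1"; if doc/news is meant to carry only the current release announcement, state that in the message (for example "drop the 3.20171001 announcement, superseded by 3.20190228"), since otherwise the removal of the previous release notes from the rendered site looks accidental and the per-item credits in that file ([[Joey Hess|joey]], [[Simon McVittie|smcv]], [[Amitai Schleier|schmonz]]) vanish with it.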
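Review bot: in the new doc/news/version_3.20190228.mdwn the CVE-2019-9187 fix for aggregate is conditional ("Use LWPx::ParanoidAgent if available"), and the only unconditional change in the list is "Do not access non-http, non-https URLs", so a site without LWPx::ParanoidAgent installed is protected against file: and gopher-style URIs but, as far as these lines show, not against forged http/https requests; the announcement should say that explicitly next to "strongly recommended" so administrators understand the module is load-bearing rather than optional polish, and it should repeat for the proxy item that with a configured proxy the proxy, not ikiwiki, is the control. Minor: "Use a HTTP proxy" should read "Use an HTTP proxy", and "Thanks, intrigeri" drops the [[intrigeri]] wikilink form used in the deleted 3.20171001 file.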