From 26d4641d02eeea87c2c061ecf24f9846d97cb780 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 6 May 2016 20:10:19 +0100 Subject: Announce 3.20160506 --- doc/news/version_3.20150107.mdwn | 44 --------------------------------------- doc/news/version_3.20160506.mdwn | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 44 deletions(-) delete mode 100644 doc/news/version_3.20150107.mdwn create mode 100644 doc/news/version_3.20160506.mdwn (limited to 'doc/news') diff --git a/doc/news/version_3.20150107.mdwn b/doc/news/version_3.20150107.mdwn deleted file mode 100644 index 7cae042ac..000000000 --- a/doc/news/version_3.20150107.mdwn +++ /dev/null @@ -1,44 +0,0 @@ -ikiwiki 3.20150107 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - [ [[Joey Hess|joey]] ] - - * Added ikiwiki-comment program. - * Add missing build-depends on `libcgi-formbuilder-perl`, needed for - `t/relativity.t` - * openid: Stop suppressing the email field on the Preferences page. - * Set Debian package maintainer to Simon McVittie as I'm retiring from - Debian. - - [ [[Simon McVittie|smcv]] ] - - * calendar: add `calendar_autocreate` option, with which `ikiwiki --refresh` - can mostly supersede the `ikiwiki-calendar` command. - Thanks, Louis Paternault - * search: add more classes as a hook for CSS. Thanks, sajolida - * core: generate HTML5 by default, but keep avoiding new elements - like `
` that require specific browser support unless `html5` is - set to 1. - * Tell mobile browsers to draw our pages in a device-sized viewport, - not an 800-1000px viewport designed to emulate a desktop/laptop browser. - * Add new `responsive_layout` option which can be set to 0 if your custom - CSS only works in a large viewport. - * style.css, actiontabs, blueview, goldtype, monochrome: adjust layout - below 600px ("responsive layout") so that horizontal scrolling is not - needed on smartphone browsers or other small viewports. - * core: new `libdirs` option alongside `libdir`. Thanks, Louis Paternault - - [ [[Amitai Schlair|schmonz]] ] - - * core: log a debug message before waiting for the lock. - Thanks, Mark Jason Dominus - * build: in po/Makefile, use the same `$(MAKE)` as the rest of the build. - Thanks, ttw - * blogspam: use the 2.0 JSON API (the 1.0 XML-RPC API has been EOL'd). - Closes: [[!debbug 774441]] - - [ [[Joey Hess|joey]] ] - - * po: If msgmerge falls over on a problem po file, print a warning - message, but don't let this problem crash ikiwiki entirely. -"""]] -[[!meta date="2015-01-07 10:24:25 +0000"]] diff --git a/doc/news/version_3.20160506.mdwn b/doc/news/version_3.20160506.mdwn new file mode 100644 index 000000000..650588c6e --- /dev/null +++ b/doc/news/version_3.20160506.mdwn 
@@ -0,0 +1,45 @@ +News for ikiwiki 3.20160506: + + To mitigate [[!cve CVE-2016-3714]] and similar ImageMagick security vulnerabilities, + the `[[!img]]` directive is now restricted to these common web formats by + default: + * JPEG (`.jpg`, `.jpeg`) + * PNG (`.png`) + * GIF (`.gif`) + * SVG (`.svg`) + (In particular, by default resizing PDF files is no longer allowed.) + Additionally, resized SVG files are displayed in the browser as SVG + instead of being converted to PNG. + If all users who can attach images are fully trusted, this restriction + can be removed with the new img\_allowed\_formats setup option. + See [[ikiwiki/directive/img]] for more details. + +ikiwiki 3.20160506 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * [ [[Simon McVittie|smcv]] ] + * HTML-escape error messages, in one case avoiding potential cross-site + scripting (OVE-20160505-0012) + * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714: + - img: force common Web formats to be interpreted according to extension, + so that "allowed\_attachments: '*.jpg'" does what one might expect + - img: restrict to JPEG, PNG and GIF images by default, again mitigating + CVE-2016-3714 and similar vulnerabilities + - img: check that the magic number matches what we would expect from + the extension before giving common formats to ImageMagick + * d/control: use https for Homepage + * d/control: add Vcs-Browser + * [ [[Joey Hess|joey]] ] + * img: Add back support for SVG images, bypassing ImageMagick and + simply passing the SVG through to the browser, which is supported by all + commonly used browsers these days. + SVG scaling by img directives has subtly changed; where before + size=wxh would preserve aspect ratio, this cannot be done when passing + them through and so specifying both a width and height can change + the SVG's aspect ratio. 
+ * loginselector: When only openid and emailauth are enabled, but + passwordauth is not, avoid showing a "Other" box which opens an + empty form. + * [ [[Amitai Schlair|schmonz]] ] + * mdwn: Process .md like .mdwn, but disallow web creation. + * [ Florian Wagner ] + * git: Correctly handle filenames starting with a dash in add/rm/mv."""]] -- cgit v1.2.3
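Review bot: In the new doc/news/version_3.20160506.mdwn, the summary paragraph lists four formats (JPEG, PNG, GIF, SVG) as the restricted default, but the changelog bullet below says `img: restrict to JPEG, PNG and GIF images by default`, and the SVG bullet explains that SVG now bypasses ImageMagick and is passed straight to the browser. Make that explicit in the summary: SVG remains allowed but is not handed to ImageMagick, so the `img: check that the magic number matches what we would expect from the extension` protection covers only the three raster formats, and admins deciding whether to relax `img_allowed_formats` for less-trusted uploaders should know that. The summary also mentions only the ImageMagick mitigation; the `HTML-escape error messages, in one case avoiding potential cross-site scripting (OVE-20160505-0012)` fix is a second security change in this release and deserves a sentence above the toggle so it is visible without expanding the full changelog.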