From fddc543fa59bfd48868f32ff1c9b8c09913d9452 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 1 Oct 2017 17:16:28 +0100 Subject: Announce version 3.20171001 Signed-off-by: Simon McVittie --- doc/news/version_3.20161229.mdwn | 23 ----------------------- doc/news/version_3.20171001.mdwn | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 23 deletions(-) delete mode 100644 doc/news/version_3.20161229.mdwn create mode 100644 doc/news/version_3.20171001.mdwn (limited to 'doc/news') diff --git a/doc/news/version_3.20161229.mdwn b/doc/news/version_3.20161229.mdwn deleted file mode 100644 index 365cb69d1..000000000 --- a/doc/news/version_3.20161229.mdwn +++ /dev/null 
@@ -1,23 +0,0 @@ -ikiwiki 3.20161229 released with [[!toggle text="these changes"]] -[[!toggleable text=""" - * Security: force CGI::FormBuilder->field to scalar context where - necessary, avoiding unintended function argument injection - analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to - forge commit metadata, but thankfully nothing more serious. - ([[!debcve CVE-2016-9646]]) - * Security: try revert operations in a temporary working tree before - approving them. Previously, automatic rename detection could result in - a revert writing outside the wiki srcdir or altering a file that the - reverting user should not be able to alter, an authorization bypass. - ([[!debcve CVE-2016-10026]] represents the original vulnerability.) - The incomplete fix released in 3.20161219 was not effective for git - versions prior to 2.8.0rc0. - ([[!debcve CVE-2016-9645]] represents that incomplete solution.) - * Add CVE references for CVE-2016-10026 - * Add automated test for using the CGI with git, including - CVE-2016-10026 - - Build-depend on libipc-run-perl for better build-time test coverage - * Add missing ikiwiki.setup for the manual test for CVE-2016-10026 - * git: don't issue a warning if the rcsinfo CGI parameter is undefined - * git: do not fail to commit changes with a recent git version - and an anonymous committer"""]] diff --git a/doc/news/version_3.20171001.mdwn b/doc/news/version_3.20171001.mdwn new file mode 100644 index 000000000..3d51b8776 --- /dev/null +++ b/doc/news/version_3.20171001.mdwn 
@@ -0,0 +1,23 @@ +ikiwiki 3.20171001 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * [ [[Joey Hess|joey]] ] + * htmlscrubber: Add support for the video tag's `loop` and `muted` + attributes. Those were not in the original html5 spec, but have been + added in the whatwg html living standard and have wide browser support. + * emailauth, passwordauth: Avoid leaving `cgisess_*` files in the + system temp directory. + * [ [[Simon McVittie|smcv]] ] + * core: Don't decode the result of `strftime` if it is already tagged as + UTF-8, as it might be since Perl >= 5.21.1. (Closes: #[869240](http://bugs.debian.org/869240)) + * img: Strip metadata from resized images when the deterministic config + option is set. Thanks, [[intrigeri]] + * receive: Avoid `asprintf()` in `IkiWiki::Receive`, to avoid implicit + declaration, potential misbehaviour on 64-bit platforms, and lack + of portability to non-GNU platforms + * t: Add a regression test for untrusted git push + * receive: Fix untrusted git push with git (>= 2.11) by passing through + the necessary environment variables to make the quarantine area work + * debian: Declare compliance with Debian Policy 4.1.1 + * [ [[Amitai Schleier|schmonz]] ] + * l10n: Fix the build with po4a 0.52, by ensuring that `msgstr` ends + with a newline if and only if `msgid` does"""]] -- cgit v1.2.3
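Review bot: Deleting doc/news/version_3.20161229.mdwn removes the news text describing the fixes for CVE-2016-9646, CVE-2016-10026 and CVE-2016-9645, including the caveat that the 3.20161219 fix "was not effective for git versions prior to 2.8.0rc0". Nothing in this diff shows where that text remains available afterwards. Please confirm it stays reachable from somewhere users look, or keep the old entry, so that someone upgrading from an affected release can still find which version closed which CVE.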
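Review bot: In doc/news/version_3.20171001.mdwn, the two `receive:` entries and the `t:` regression test all concern untrusted git push, but none of them says whether there is a security impact, whereas the 3.20161229 entry marked such items with a "Security:" prefix. If these are purely functional fixes, say so. The entry "passing through the necessary environment variables to make the quarantine area work" would also be more useful if it named the variables, so readers can tell exactly what is passed through for an untrusted push. Minor style point: `deterministic` in the `img:` entry is the name of a config option and should be in backticks like `loop`, `muted`, `strftime` and `msgstr` elsewhere in the same file.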