path: root/doc/news/version_2.48.mdwn
blob: 76dbd7ddc340b20f590cae9df6fe9a60cdfd6e89 (plain)
**This release fixes an important security hole, upgrade immediately.**

News for ikiwiki 2.48:

   If you allowed password based logins to your wiki, those passwords were
   stored in cleartext in the userdb. To guard against exposing users'
   passwords, I recommend you install the [[cpan Authen::Passphrase]] perl module, and
   then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all
   existing cleartext passwords with strong (blowfish) hashes.

ikiwiki 2.48 released with [[toggle text="these changes"]]
[[toggleable text="""
   * Fix security hole that occurred if openid and passwordauth were both
     enabled. passwordauth would allow logging in as a known openid, with an
     empty password. Closes: #[483770](http://bugs.debian.org/483770)
     (CVE-2008-0169)
   * Add rel=nofollow to edit links. This may prevent some spiders from
     pounding on the cgi following edit links.
   * passwordauth: If Authen::Passphrase is installed, use it to store
     password hashes, crypted with Eksblowfish.
   * `ikiwiki-transition hashpassword /path/to/srcdir` can be used to
     hash existing plaintext passwords.
   * Passwords are no longer mailed; a password reset link is sent instead.
   * The password\_cost config setting is provided as a "more security" knob.
   * teximg: Fix logurl.
   * teximg: If the log isn't written, avoid ugly error messages.
   * Updated French translation. Closes: #[478530](http://bugs.debian.org/478530)"""]]
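
As an added illustration of two of the items above (the passwordauth/openid hole, and the hashed password storage that `ikiwiki-transition hashpassword` introduces), the following Perl is example code, not ikiwiki's own: it contrasts a pre-2.48 style cleartext comparison, where Perl's `undef eq ""` lets an empty password match an account that has no password at all, with a check that requires a stored Eksblowfish hash and compares through `Authen::Passphrase`. The user database, the user names and the field names `password` and `cryptpassword` are constructed for the example; it assumes `Authen::Passphrase::BlowfishCrypt` (and its Crypt::Eksblowfish dependency) is installed.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki's code. Shows why an openid-only account could be
# entered with an empty password when a cleartext compare was used, and how a
# hashed credential plus an explicit "is there a credential?" check closes it.
use strict;
use warnings;
use Authen::Passphrase;
use Authen::Passphrase::BlowfishCrypt;

# Constructed user database: an openid-only user has no password field at
# all; a legacy user still carries a cleartext password awaiting transition.
my %userinfo = (
    'http://alice.example/' => { openid   => 'http://alice.example/' },
    'bob'                   => { password => 'correct horse' },
);

# Vulnerable check: for a record without a password field the left side is
# undef, and `undef eq ""` is true, so an empty password is accepted.
sub vulnerable_login {
    my ($user, $password) = @_;
    no warnings 'uninitialized';   # the warning was the only hint of the bug
    return exists $userinfo{$user}
        && $userinfo{$user}{password} eq $password;
}

# Hardened check: reject empty input, reject accounts with no stored hash
# (openid-only or not yet transitioned), and compare via the hash object.
sub hardened_login {
    my ($user, $password) = @_;
    return 0 unless defined $password && length $password;
    my $rec = $userinfo{$user} or return 0;
    return 0 unless defined $rec->{cryptpassword} && length $rec->{cryptpassword};
    my $ppr = Authen::Passphrase->from_crypt($rec->{cryptpassword});
    return $ppr->match($password) ? 1 : 0;
}

# What the hashpassword transition does for each cleartext entry: a random
# salt, a configurable cost (ikiwiki exposes this as password_cost), and the
# cleartext removed once the crypt string is stored.
sub hash_passwords {
    my ($cost) = @_;
    for my $rec (values %userinfo) {
        next unless defined $rec->{password} && length $rec->{password};
        my $ppr = Authen::Passphrase::BlowfishCrypt->new(
            cost        => $cost,
            salt_random => 1,
            passphrase  => $rec->{password},
        );
        $rec->{cryptpassword} = $ppr->as_crypt;
        delete $rec->{password};
    }
}

sub verdict { $_[0] ? 'LOGGED IN' : 'denied' }

printf "vulnerable, alice, empty password: %s\n",
    verdict(vulnerable_login('http://alice.example/', ''));
hash_passwords(8);
printf "hardened,   alice, empty password: %s\n",
    verdict(hardened_login('http://alice.example/', ''));
printf "hardened,   bob,   right password: %s\n",
    verdict(hardened_login('bob', 'correct horse'));
printf "hardened,   bob,   wrong password: %s\n",
    verdict(hardened_login('bob', 'wrong'));
printf "stored crypt string for bob: %s\n", $userinfo{bob}{cryptpassword};
```

The first line prints `LOGGED IN` for alice with an empty password; after the transition the hardened check denies her, accepts bob's real password and denies a wrong one. A higher cost slows every verification, which is the trade-off the `password_cost` setting exposes.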