-
ikiwiki (3.20170111.1) stretch-security; urgency=high
* aggregate: Use LWPx::ParanoidAgent if available.
Previously blogspam, openid and pinger used this module if available,
but aggregate did not. This prevents server-side request forgery or
local file disclosure, and mitigates denial of service when slow
"tarpit" URLs are accessed.
(CVE-2019-9187)
* blogspam, openid, pinger: Use a HTTP proxy if configured, even if
LWPx::ParanoidAgent is installed.
Previously, only aggregate would obey proxy configuration. If a proxy
is used, the proxy (not ikiwiki) is responsible for preventing attacks
like CVE-2019-9187.
* aggregate, blogspam, openid, pinger: Do not access non-http, non-https
URLs.
Previously, these plugins would have allowed non-HTTP-based requests if
LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
file disclosure, and preventing other rarely-used URI schemes like
gopher mitigates request forgery attacks.
* aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
recommended.
These plugins can request attacker-controlled URLs in some site
configurations.
* blogspam: Document LWPx::ParanoidAgent as desirable.
This plugin doesn't request attacker-controlled URLs, so it's
non-critical here.
* blogspam, openid, pinger: Consistently use cookiejar if configured.
Previously, these plugins would only obey this configuration if
LWPx::ParanoidAgent was not installed, but this appears to have been
unintended.
-- Simon McVittie <email address hidden> Tue, 26 Feb 2019 22:57:58 +0000
-
ikiwiki (3.20170111) unstable; urgency=high
* passwordauth: prevent authentication bypass via multiple name
parameters (CVE-2017-0356, OVE-20170111-0001)
* passwordauth: avoid userinfo forgery via repeated email parameter
(also in the scope of CVE-2017-0356)
* CGI, attachment, passwordauth: harden against repeated parameters
(not believed to have been a vulnerability)
* remove: make it clearer that repeated page parameter is OK here
* t/passwordauth.t: new automated test for passwordauth
-- Simon McVittie <email address hidden> Wed, 11 Jan 2017 18:16:53 +0000
-
ikiwiki (3.20161229.1) unstable; urgency=medium
* git: Attribute reverts to the user doing the revert, not the wiki
itself.
* git: Do not disable the commit hook while preparing a revert.
-- Simon McVittie <email address hidden> Thu, 29 Dec 2016 20:46:24 +0000
-
ikiwiki (3.20160905) unstable; urgency=medium
[ Joey Hess ]
* Fix installation when prefix includes a string metacharacter.
Thanks, Sam Hathaway.
[ Simon McVittie ]
* Use git log --no-renames to generate recentchanges, fixing the git
test-case with git 2.9 (Closes: #835612)
-- Simon McVittie <email address hidden> Mon, 05 Sep 2016 21:26:19 +0100
-
ikiwiki (3.20160728) unstable; urgency=medium
* Explicitly remove current working directory from Perl's library
search path, mitigating CVE-2016-1238 (see #588017)
* wrappers: allocate new environment dynamically, so we won't overrun
the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)
-- Simon McVittie <email address hidden> Thu, 28 Jul 2016 10:41:56 +0100
-
ikiwiki (3.20160509) unstable; urgency=high
[ Amitai Schlair ]
* img: ignore the case of the extension when detecting image format,
fixing the regression that *.JPG etc. would not be displayed
since 3.20160506
[ Simon McVittie ]
* img: parse img_allowed_formats case-insensitively, as was done in
3.20141016.3
* inline: restore backwards compat for show=-1 syntax, which
worked before 3.20160121
* Remove a spurious changelog entry from 3.20160506 (the relevant
change was already in 3.20150614)
* Add CVE-2016-4561 reference to 3.20160506 changelog
* Set high urgency to get the CVE-2016-4561 fix and CVE-2016-3714
mitigation into testing
-- Simon McVittie <email address hidden> Mon, 09 May 2016 21:57:09 +0100
-
ikiwiki (3.20160121) unstable; urgency=medium
[ Amitai Schlair ]
* meta: Fix [[!meta name=foo]] by closing the open quote.
* Avoid unescaped "{" in regular expressions
* meta test: Add tests for many behaviors of the directive.
* img test: Bail gracefully when ImageMagick is not present.
[ Joey Hess ]
* emailauth: Added emailauth_sender config.
* Modified page.tmpl to to set html lang= and dir= when
values have been specified for them, which the po plugin does.
* Specifically license the javascript underlay under the permissive
basewiki license.
[ Simon McVittie ]
* git: if no committer identity is known, set it to
"IkiWiki <ikiwiki.info>" in .git/config. This resolves commit errors
in versions of git that require a non-trivial committer identity.
* inline, trail: rename show, feedshow parameters to limit, feedlimit
(with backwards compatibility)
* pagestats: add "show" option to show meta fields. Thanks, Louis
* inline: force RSS <comments> to be a fully absolute URL as required
by the W3C validator. Please use Atom feeds if relative URLs are
desirable on your site.
* inline: add <atom:link rel="self"> to RSS feeds as recommended by
the W3C validator
* inline: do not produce links containing /./ or /../
* syslog: accept and encode UTF-8 messages
* syslog: don't fail to log if the wiki name contains %s
* Change dependencies from transitional package perlmagick
to libimage-magick-perl (Closes: #789221)
* debian/copyright: update for the rename of openid-selector to
login-selector
* d/control: remove leading article from Description
(lintian: description-synopsis-starts-with-article)
* d/control: Standards-Version: 3.9.6, no changes required
* Wrap and sort control files (wrap-and-sort -abst)
* Silence "used only once: possible typo" warnings for variables
that are part of modules' APIs
* Run autopkgtest tests using autodep8 and the pkg-perl team's
infrastructure
* Add enough build-dependencies to run all tests, except for
non-git VCSs
* tests: consistently use done_testing instead of no_plan
* t/img.t: do not spuriously skip
* img test: skip testing PDFs if unsupported
* img test: use the right filenames when testing that deletion occurs
-- Simon McVittie <email address hidden> Thu, 21 Jan 2016 09:53:07 +0000
-
ikiwiki (3.20150614) unstable; urgency=medium
* inline: change default sort order from age to "age title" for
determinism, partially fixing deterministic build for git-annex,
ikiwiki-hosting etc. (Closes: #785757)
* img: avoid ImageMagick misinterpreting filenames containing a colon
* img test: set old timestamp on source file that will change, so that
the test will pass even if it takes less than 1 second
-- Simon McVittie <email address hidden> Sun, 14 Jun 2015 18:13:23 +0100
-
ikiwiki (3.20150610) unstable; urgency=low
[ Joey Hess ]
* New emailauth plugin lets users log in, without any registration,
by simply clicking on a link in an email.
* Re-remove google from openid selector; their openid provider is
gone for good.
* Make the openid selector display "Password" instead of "Other"
when appropriate, so users are more likely to click on it when
they don't have an openid.
* Converted openid-selector into a more generic loginselector helper
plugin.
* passwordauth: Don't allow registering accounts that look like openids.
* Make cgiurl output deterministic, not hash order. Closes: #785738
Thanks, Daniel Kahn Gillmor
[ Simon McVittie ]
* Do not enable emailauth by default, to avoid surprises on httpauth-only
sites. Enable it by default in openid instead, since it is essentially
a replacement for OpenIDs.
* Make the attachment plugin work with CGI.pm 4.x (Closes: #786586;
workaround for #786587 in libcgi-pm-perl)
* Add a public-domain email icon from tango-icon-theme
* Populate pagectime from either mtime or inode change time,
whichever is older, again for more reproducible builds
* debian: build the docwiki with LC_ALL=C.UTF-8 and TZ=UTC
* debian/copyright: consolidate permissive licenses
* debian/copyright: turn comments on provenance into Comment
* brokenlinks: sort the pages that link to the missing page, for
better reproducibility
* Add [[!meta date]] to news items and tips, since the git checkout
and build process can leave the checkout date in the tarball
release, leading to unstable sorting
* Sort backlinks deterministically, by falling back to sorting by href
if the link text is identical
* Add a $config{deterministic} option and use it for the docwiki
* haiku: if deterministic build is requested, return a hard-coded haiku
* polygen: if deterministic build is requested, use a well-known random seed
-- Simon McVittie <email address hidden> Wed, 10 Jun 2015 21:56:36 +0100
-
ikiwiki (3.20141016.2) unstable; urgency=high
[ Joey Hess ]
* Fix XSS in openid selector. Thanks, Raghav Bisht. (Closes: #781483)
-- Simon McVittie <email address hidden> Sun, 29 Mar 2015 22:28:15 +0100
