Format: 1.8
Date: Mon, 27 May 2019 12:17:36 -0400
Source: ikiwiki
Architecture: source
Version: 3.20190228-1~ubuntu18.04.1~ppa1
Distribution: bionic
Urgency: high
Maintainer: Simon McVittie
Changed-By: Stephen Michael Kellat
Closes: 898836 911356
Changes:
 ikiwiki (3.20190228-1~ubuntu18.04.1~ppa1) bionic; urgency=medium
 .
   * No-change backport to bionic
 .
 ikiwiki (3.20190228-1) unstable; urgency=high
 .
   * New upstream release
     - aggregate: Use LWPx::ParanoidAgent if available.
       Previously blogspam, openid and pinger used this module if available,
       but aggregate did not. This prevents server-side request forgery or
       local file disclosure, and mitigates denial of service when slow
       "tarpit" URLs are accessed.
       (CVE-2019-9187)
     - blogspam, openid, pinger: Use a HTTP proxy if configured, even if
       LWPx::ParanoidAgent is installed.
       Previously, only aggregate would obey proxy configuration. If a proxy
       is used, the proxy (not ikiwiki) is responsible for preventing attacks
       like CVE-2019-9187.
     - aggregate, blogspam, openid, pinger: Do not access non-http,
       non-https URLs.
       Previously, these plugins would have allowed non-HTTP-based requests if
       LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local
       file disclosure, and preventing other rarely-used URI schemes like
       gopher mitigates request forgery attacks.
     - aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
       recommended.
       These plugins can request attacker-controlled URLs in some site
       configurations.
     - blogspam: Document LWPx::ParanoidAgent as desirable.
       This plugin doesn't request attacker-controlled URLs, so it's
       non-critical here.
     - blogspam, openid, pinger: Consistently use cookiejar if configured.
       Previously, these plugins would only obey this configuration if
       LWPx::ParanoidAgent was not installed, but this appears to have been
       unintended.
     - po: Always filter .po files.
       The po plugin in previous ikiwiki releases made the second and
       subsequent filter call per (page, destpage) pair into a no-op,
       apparently in an attempt to prevent *recursive* filtering (which as
       far as we can tell can't happen anyway), with the undesired effect
       of interpreting the raw .po file as page content (e.g. Markdown)
       if it was inlined into the same page twice, which is apparently
       something that tails.org does. Simplify this by deleting the code
       that prevented repeated filtering.
       Thanks, intrigeri
       (Closes: #911356)
 .
 ikiwiki (3.20190207-1) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * New upstream release
     - Hide popup template content from documentation (Closes: #898836)
 .
   [ Ondřej Nový ]
   * d/changelog: Remove trailing whitespaces
 .
   [ Jelmer Vernooij ]
   * Allow Breezy as alternative to Bazaar.
 .
 ikiwiki (3.20180311-1) unstable; urgency=medium
 .
   * New upstream release
   * (Build-)Depend on libmarkdown2 (>= 2.2), and opt-in to the new test
     that assumes that version