3.20161229

debian/changelog

@@ -1,4 +1,4 @@
-ikiwiki (3.20161220) UNRELEASED; urgency=medium
+ikiwiki (3.20161229) unstable; urgency=medium
 
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection
@@ -22,7 +22,7 @@ ikiwiki (3.20161220) UNRELEASED; urgency=medium
   * git: do not fail to commit changes with a recent git version
     and an anonymous committer
 
- -- Simon McVittie <smcv@debian.org>  Wed, 21 Dec 2016 13:03:07 +0000
+ -- Simon McVittie <smcv@debian.org>  Thu, 29 Dec 2016 17:36:15 +0000
 
 ikiwiki (3.20161219) unstable; urgency=medium
 

doc/news/version_3.20160121.mdwn

@@ -1,46 +0,0 @@
-ikiwiki 3.20160121 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ [[Amitai Schlair|schmonz]] ]
-   * [[plugins/meta]]: Fix `\[[!meta name=foo]]` by closing the open quote.
-   * Avoid unescaped `{` in regular expressions
-   * meta test: Add tests for many behaviors of the directive.
-   * img test: Bail gracefully when [[!cpan ImageMagick]] is not present.
- * [ [[Joey Hess|joey]] ]
-   * [[plugins/emailauth]]: Added `emailauth_sender` config.
-   * Modified `page.tmpl` to to set html `lang=` and `dir=` when
-     values have been specified for them, which the [[plugins/po|po plugin]] does.
-   * Specifically license the javascript underlay under the permissive
-     basewiki license.
- * [ [[Simon McVittie|smcv]] ]
-   * [[plugins/git]]: if no committer identity is known, set it to
-     `IkiWiki <ikiwiki.info>` in `.git/config`. This resolves commit errors
-     in versions of git that require a non-trivial committer identity.
-   * [[plugins/inline]], [[plugins/trail]]: rename `show`, `feedshow` parameters to `limit`, `feedlimit`
-     (with backwards compatibility)
-   * [[plugins/pagestats]]: add `show` option to show [[plugins/meta]] fields. Thanks, [[Louis|spalax]]
-   * [[plugins/inline]]: force RSS `<comments>` to be a fully absolute URL as required
-     by the W3C validator. Please use Atom feeds if relative URLs are
-     desirable on your site.
-   * [[plugins/inline]]: add `<atom:link rel="self">` to RSS feeds as recommended by
-     the W3C validator
-   * [[plugins/inline]]: do not produce links containing `/./` or `/../`
-   * syslog: accept and encode UTF-8 messages
-   * syslog: don't fail to log if the wiki name contains `%s`
-   * Change dependencies from transitional package [[!debpkg perlmagick]]
-     to [[!debpkg libimage-magick-perl]] (Closes: #[789221](http://bugs.debian.org/789221))
-   * debian/copyright: update for the rename of `openid-selector` to
-     `login-selector`
-   * d/control: remove leading article from Description
-     (lintian: description-synopsis-starts-with-article)
-   * d/control: Standards-Version: 3.9.6, no changes required
-   * Wrap and sort control files (`wrap-and-sort -abst`)
-   * Silence "used only once: possible typo" warnings for variables
-     that are part of modules' APIs
-   * Run [[!debpkg autopkgtest]] tests using [[!debpkg autodep8]] and the pkg-perl team's
-     infrastructure
-   * Add enough build-dependencies to run all tests, except for
-     non-git VCSs
-   * tests: consistently use `done_testing` instead of `no_plan`
-   * `t/img.t`: do not spuriously skip
-   * img test: skip testing PDFs if unsupported
-   * img test: use the right filenames when testing that deletion occurs"""]]

doc/news/version_3.20161229.mdwn

@@ -0,0 +1,23 @@
+ikiwiki 3.20161229 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+   * Security: force CGI::FormBuilder->field to scalar context where
+     necessary, avoiding unintended function argument injection
+     analogous to [[!cve CVE-2014-1572]]. In ikiwiki this could be used to
+     forge commit metadata, but thankfully nothing more serious.
+     ([[!cve CVE-2016-9646]])
+   * Security: try revert operations in a temporary working tree before
+     approving them. Previously, automatic rename detection could result in
+     a revert writing outside the wiki srcdir or altering a file that the
+     reverting user should not be able to alter, an authorization bypass.
+     ([[!cve CVE-2016-10026]] represents the original vulnerability.)
+     The incomplete fix released in 3.20161219 was not effective for git
+     versions prior to 2.8.0rc0.
+     ([[!cve CVE-2016-9645]] represents that incomplete solution.)
+   * Add CVE references for CVE-2016-10026
+   * Add automated test for using the CGI with git, including
+     CVE-2016-10026
+     - Build-depend on libipc-run-perl for better build-time test coverage
+   * Add missing ikiwiki.setup for the manual test for CVE-2016-10026
+   * git: don't issue a warning if the rcsinfo CGI parameter is undefined
+   * git: do not fail to commit changes with a recent git version
+     and an anonymous committer"""]]