diff --git a/debian/changelog b/debian/changelog
index 36a9701d9..14045a961 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-ikiwiki (3.20170111) UNRELEASED; urgency=medium
+ikiwiki (3.20170111) unstable; urgency=high
 
 * passwordauth: prevent authentication bypass via multiple name
 parameters (CVE-2017-0356, OVE-20170111-0001)
@@ -9,7 +9,7 @@ ikiwiki (3.20170111) UNRELEASED; urgency=medium
 * remove: make it clearer that repeated page parameter is OK here
 * t/passwordauth.t: new automated test for passwordauth
 
- -- Simon McVittie Wed, 11 Jan 2017 18:12:05 +0000
+ -- Simon McVittie Wed, 11 Jan 2017 18:16:53 +0000
 
 ikiwiki (3.20170110) unstable; urgency=medium
 
diff --git a/doc/news/version_3.20160905.mdwn b/doc/news/version_3.20160905.mdwn
deleted file mode 100644
index 9bd925bf6..000000000
--- a/doc/news/version_3.20160905.mdwn
+++ /dev/null
@@ -1,8 +0,0 @@
-ikiwiki 3.20160905 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * [ Joey Hess ]
- * Fix installation when prefix includes a string metacharacter.
- Thanks, Sam Hathaway.
- * [ Simon McVittie ]
- * Use git log --no-renames to generate recentchanges, fixing the git
- test-case with git 2.9 (Closes: #[835612](http://bugs.debian.org/835612))"""]]
\ No newline at end of file
diff --git a/doc/news/version_3.20170111.mdwn b/doc/news/version_3.20170111.mdwn
new file mode 100644
index 000000000..03b2ac2c4
--- /dev/null
+++ b/doc/news/version_3.20170111.mdwn
@@ -0,0 +1,10 @@
+ikiwiki 3.20170111 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * passwordauth: prevent authentication bypass via multiple name
+ parameters (CVE-2017-0356, OVE-20170111-0001)
+ * passwordauth: avoid userinfo forgery via repeated email parameter
+ (also in the scope of CVE-2017-0356)
+ * CGI, attachment, passwordauth: harden against repeated parameters
+ (not believed to have been a vulnerability)
+ * remove: make it clearer that repeated page parameter is OK here
+ * t/passwordauth.t: new automated test for passwordauth"""]]
\ No newline at end of file
diff --git a/ikiwiki.spec b/ikiwiki.spec
index ec0849535..d9d0331e6 100644
--- a/ikiwiki.spec
+++ b/ikiwiki.spec
@@ -1,5 +1,5 @@
 Name: ikiwiki
-Version: 3.20161229.1
+Version: 3.20170111
 Release: 1%{?dist}
 Summary: A wiki compiler
 
diff --git a/po/ikiwiki.pot b/po/ikiwiki.pot
index f515d7fd2..d7f16b649 100644
--- a/po/ikiwiki.pot
+++ b/po/ikiwiki.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-12-29 20:46+0000\n"
+"POT-Creation-Date: 2017-01-11 18:18+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
@@ -28,7 +28,7 @@ msgstr ""
 msgid "login failed, perhaps you need to turn on cookies?"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:239 ../IkiWiki/CGI.pm:394
+#: ../IkiWiki/CGI.pm:239 ../IkiWiki/CGI.pm:395
 msgid "Your login session has expired."
 msgstr ""
 
@@ -44,15 +44,15 @@ msgstr ""
 msgid "Admin"
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:302
+#: ../IkiWiki/CGI.pm:303
 msgid "Preferences saved."
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:357
+#: ../IkiWiki/CGI.pm:358
 msgid "You are banned."
 msgstr ""
 
-#: ../IkiWiki/CGI.pm:490 ../IkiWiki/CGI.pm:491 ../IkiWiki.pm:1653
+#: ../IkiWiki/CGI.pm:491 ../IkiWiki/CGI.pm:492 ../IkiWiki.pm:1653
 msgid "Error"
 msgstr ""
 
@@ -167,19 +167,19 @@ msgstr ""
 msgid "prohibited by allowed_attachments"
 msgstr ""
 
-#: ../IkiWiki/Plugin/attachment.pm:234
+#: ../IkiWiki/Plugin/attachment.pm:235
 msgid "bad attachment filename"
 msgstr ""
 
-#: ../IkiWiki/Plugin/attachment.pm:307
+#: ../IkiWiki/Plugin/attachment.pm:308
 msgid "attachment upload"
 msgstr ""
 
-#: ../IkiWiki/Plugin/attachment.pm:358
+#: ../IkiWiki/Plugin/attachment.pm:359
 msgid "this attachment is not yet saved"
 msgstr ""
 
-#: ../IkiWiki/Plugin/attachment.pm:376
+#: ../IkiWiki/Plugin/attachment.pm:377
 msgid "just uploaded"
 msgstr ""
 
@@ -376,7 +376,7 @@ msgstr ""
 msgid "Invalid email address."
 msgstr ""
 
-#: ../IkiWiki/Plugin/emailauth.pm:98 ../IkiWiki/Plugin/passwordauth.pm:377
+#: ../IkiWiki/Plugin/emailauth.pm:98 ../IkiWiki/Plugin/passwordauth.pm:380
 msgid "Failed to send mail"
 msgstr ""
 
@@ -418,25 +418,25 @@ msgstr ""
 msgid "%s is an attachment, not a page."
 msgstr ""
 
-#: ../IkiWiki/Plugin/git.pm:929 ../IkiWiki/Plugin/git.pm:992 ../IkiWiki.pm:1873
+#: ../IkiWiki/Plugin/git.pm:933 ../IkiWiki/Plugin/git.pm:997 ../IkiWiki.pm:1873
 #, perl-format
 msgid "you are not allowed to change %s"
 msgstr ""
 
-#: ../IkiWiki/Plugin/git.pm:951
+#: ../IkiWiki/Plugin/git.pm:955
 #, perl-format
 msgid "you cannot act on a file with mode %s"
 msgstr ""
 
-#: ../IkiWiki/Plugin/git.pm:955
+#: ../IkiWiki/Plugin/git.pm:959
 msgid "you are not allowed to change file modes"
 msgstr ""
 
-#: ../IkiWiki/Plugin/git.pm:1029
+#: ../IkiWiki/Plugin/git.pm:1033
 msgid "you are not allowed to revert a merge"
 msgstr ""
 
-#: ../IkiWiki/Plugin/git.pm:1083 ../IkiWiki/Plugin/git.pm:1103
+#: ../IkiWiki/Plugin/git.pm:1085 ../IkiWiki/Plugin/git.pm:1104
 #, perl-format
 msgid "Failed to revert commit %s"
 msgstr ""
@@ -652,7 +652,7 @@ msgstr ""
 msgid "bad or missing template"
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:145 ../IkiWiki/Plugin/passwordauth.pm:343
+#: ../IkiWiki/Plugin/passwordauth.pm:145 ../IkiWiki/Plugin/passwordauth.pm:347
 msgid "Error creating account."
 msgstr ""
 
@@ -664,31 +664,31 @@ msgstr ""
 msgid "Create your user page"
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:340
+#: ../IkiWiki/Plugin/passwordauth.pm:344
 msgid "Account creation successful. Now you can Login."
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:350
+#: ../IkiWiki/Plugin/passwordauth.pm:353
 msgid "No email address, so cannot email password reset instructions."
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:379
+#: ../IkiWiki/Plugin/passwordauth.pm:382
 msgid "You have been mailed password reset instructions."
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:414
+#: ../IkiWiki/Plugin/passwordauth.pm:418
 msgid "incorrect password reset url"
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:417
+#: ../IkiWiki/Plugin/passwordauth.pm:421
 msgid "password reset denied"
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:430
+#: ../IkiWiki/Plugin/passwordauth.pm:434
 msgid "incorrect url"
 msgstr ""
 
-#: ../IkiWiki/Plugin/passwordauth.pm:433
+#: ../IkiWiki/Plugin/passwordauth.pm:437
 msgid "access denied"
 msgstr ""
 
@@ -938,11 +938,11 @@ msgstr ""
 msgid "confirm removal of %s"
 msgstr ""
 
-#: ../IkiWiki/Plugin/remove.pm:204
+#: ../IkiWiki/Plugin/remove.pm:206
 msgid "Please select the attachments to remove."
 msgstr ""
 
-#: ../IkiWiki/Plugin/remove.pm:264
+#: ../IkiWiki/Plugin/remove.pm:267
 msgid "removed"
 msgstr ""
 