Announce version 3.20171001

Signed-off-by: Simon McVittie <smcv@debian.org>
master
Simon McVittie 2017-10-01 17:16:28 +01:00
parent 3729abd8db
commit fddc543fa5
2 changed files with 23 additions and 23 deletions


@ -1,23 +0,0 @@
ikiwiki 3.20161229 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* Security: force CGI::FormBuilder-&gt;field to scalar context where
necessary, avoiding unintended function argument injection
analogous to [[!debcve CVE-2014-1572]]. In ikiwiki this could be used to
forge commit metadata, but thankfully nothing more serious.
([[!debcve CVE-2016-9646]])
* Security: try revert operations in a temporary working tree before
approving them. Previously, automatic rename detection could result in
a revert writing outside the wiki srcdir or altering a file that the
reverting user should not be able to alter, an authorization bypass.
([[!debcve CVE-2016-10026]] represents the original vulnerability.)
The incomplete fix released in 3.20161219 was not effective for git
versions prior to 2.8.0rc0.
([[!debcve CVE-2016-9645]] represents that incomplete solution.)
* Add CVE references for CVE-2016-10026
* Add automated test for using the CGI with git, including
CVE-2016-10026
- Build-depend on libipc-run-perl for better build-time test coverage
* Add missing ikiwiki.setup for the manual test for CVE-2016-10026
* git: don't issue a warning if the rcsinfo CGI parameter is undefined
* git: do not fail to commit changes with a recent git version
and an anonymous committer"""]]
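Review bot: deleting the 3.20161229 announcement wholesale removes the only news-page record of the three security fixes (CVE-2016-9646, CVE-2016-10026 and the incomplete fix tracked as CVE-2016-9645) along with the note that the 3.20161219 fix was ineffective for git before 2.8.0rc0; users upgrading across several releases rely on that history, so either keep the previous announcement alongside the new one or have the 3.20171001 announcement point readers at where the earlier advisories still live (e.g. the changelog). Minor: the `- Build-depend on libipc-run-perl` bullet uses `-` where every other item uses `*`, which is worth fixing if this text is carried anywhere else.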


@ -0,0 +1,23 @@
ikiwiki 3.20171001 released with [[!toggle text="these changes"]]
[[!toggleable text="""
* [ [[Joey Hess|joey]] ]
* htmlscrubber: Add support for the video tag's `loop` and `muted`
attributes. Those were not in the original html5 spec, but have been
added in the whatwg html living standard and have wide browser support.
* emailauth, passwordauth: Avoid leaving `cgisess_*` files in the
system temp directory.
* [ [[Simon McVittie|smcv]] ]
* core: Don't decode the result of `strftime` if it is already tagged as
UTF-8, as it might be since Perl &gt;= 5.21.1. (Closes: #[869240](http://bugs.debian.org/869240))
* img: Strip metadata from resized images when the deterministic config
option is set. Thanks, [[intrigeri]]
* receive: Avoid `asprintf()` in `IkiWiki::Receive`, to avoid implicit
declaration, potential misbehaviour on 64-bit platforms, and lack
of portability to non-GNU platforms
* t: Add a regression test for untrusted git push
* receive: Fix untrusted git push with git (&gt;= 2.11) by passing through
the necessary environment variables to make the quarantine area work
* debian: Declare compliance with Debian Policy 4.1.1
* [ [[Amitai Schleier|schmonz]] ]
* l10n: Fix the build with po4a 0.52, by ensuring that `msgstr` ends
with a newline if and only if `msgid` does"""]]
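Review bot: the `emailauth, passwordauth: Avoid leaving cgisess_* files in the system temp directory` item reads as a potential information exposure (session state persisting in a shared temp directory), yet unlike the previous announcement, which prefixed such items with `Security:`, it carries no such label; if the leftover files could be read by other local users, label it and say so, otherwise state that it is only a cleanup. Two consistency points: the Debian bug reference is written as a raw markdown link `#[869240](http://bugs.debian.org/869240)` while the earlier announcement used the `[[!debcve ...]]` directive style for Debian references, so `[[!debbug 869240]]` would match the wiki's convention; and the version comparisons in the `strftime` and `receive` items appear as `&gt;=` rather than a literal `>=`, so confirm the committed file does not contain HTML-escaped text.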