ikiwiki (3.20200202.3-1) unstable; urgency=medium * New upstream release * d/salsa-ci.yml: Request standard CI on salsa.debian.org * d/rules: Unset LD_PRELOAD to run unit tests. In particular, this disables faketime(1), as used by reprotest, which otherwise causes t/git-cgi.t to fail because ikiwiki does not notice that a file has changed. * Use debhelper compat level 12 * Wrap long lines in 3.20100312 changelog entry * Set field Upstream-Name in debian/copyright. This is preferred over Name in d/upstream/metadata, apparently. * d/p/build-Don-t-install-an-empty-share-ikiwiki-examples-doc-e.patch: Don't install an empty /usr/share/ikiwiki/examples/doc/examples * Declare compliance with Debian Policy 4.5.0 * Declare that this package can build correctly without (fake)root -- Simon McVittie Thu, 13 Feb 2020 09:52:14 +0000 ikiwiki (3.20190228-1) unstable; urgency=high * New upstream release - aggregate: Use LWPx::ParanoidAgent if available. Previously blogspam, openid and pinger used this module if available, but aggregate did not. This prevents server-side request forgery or local file disclosure, and mitigates denial of service when slow "tarpit" URLs are accessed. (CVE-2019-9187) - blogspam, openid, pinger: Use a HTTP proxy if configured, even if LWPx::ParanoidAgent is installed. Previously, only aggregate would obey proxy configuration. If a proxy is used, the proxy (not ikiwiki) is responsible for preventing attacks like CVE-2019-9187. - aggregate, blogspam, openid, pinger: Do not access non-http, non-https URLs. Previously, these plugins would have allowed non-HTTP-based requests if LWPx::ParanoidAgent was not installed. Preventing file URIs avoids local file disclosure, and preventing other rarely-used URI schemes like gopher mitigates request forgery attacks. - aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly recommended. These plugins can request attacker-controlled URLs in some site configurations. - blogspam: Document LWPx::ParanoidAgent as desirable. This plugin doesn't request attacker-controlled URLs, so it's non-critical here. - blogspam, openid, pinger: Consistently use cookiejar if configured. Previously, these plugins would only obey this configuration if LWPx::ParanoidAgent was not installed, but this appears to have been unintended. - po: Always filter .po files. The po plugin in previous ikiwiki releases made the second and subsequent filter call per (page, destpage) pair into a no-op, apparently in an attempt to prevent *recursive* filtering (which as far as we can tell can't happen anyway), with the undesired effect of interpreting the raw .po file as page content (e.g. Markdown) if it was inlined into the same page twice, which is apparently something that tails.org does. Simplify this by deleting the code that prevented repeated filtering. Thanks, intrigeri (Closes: #911356) -- Simon McVittie Tue, 26 Feb 2019 23:04:42 +0000 ikiwiki (3.20190207-1) unstable; urgency=medium [ Simon McVittie ] * New upstream release - Hide popup template content from documentation (Closes: #898836) [ Ondřej Nový ] * d/changelog: Remove trailing whitespaces [ Jelmer Vernooij ] * Allow Breezy as alternative to Bazaar. -- Simon McVittie Thu, 07 Feb 2019 11:13:08 +0000 ikiwiki (3.20180311-1) unstable; urgency=medium * New upstream release * (Build-)Depend on libmarkdown2 (>= 2.2), and opt-in to the new test that assumes that version -- Simon McVittie Sun, 11 Mar 2018 15:58:46 +0000 ikiwiki (3.20180228-1) unstable; urgency=medium * New upstream release - core: Don't send relative redirect URLs when behind a reverse proxy - core: Escape backticks etc. in directive error messages as HTML entities so that the error message is not subsequently parsed as Markdown - mdwn: Enable fenced code blocks, PHP Markdown Extra-style definition lists and GitHub-style extensions to HTML tag syntax when used with Discount >= 2.2.0 (Closes: #888055) - img: Fix auto-detection of image format (if enabled, which is strongly discouraged) with ImageMagick >= 6.9.8-3 - rst: Use Python 3 instead of Python 2 - build: `set -e` before each `for` loop, so that errors are reliably trapped - build: Use if/then instead of `||` so that the `-e` flag works - build: Ensure that pm_to_blib finishes before rewriting shebang lines - t: Make the img test pass with ImageMagick >= 6.9.8-3 (Closes: #891647) * Stop rewriting shebang lines of Python 3 scripts -- Simon McVittie Wed, 28 Feb 2018 10:48:32 +0000 ikiwiki (3.20180105-1) unstable; urgency=medium * Switch to non-native packaging - d/control: Move packaging from upstream git to salsa.debian.org - d/copyright: Set Source to https://ikiwiki.info/git/ - d/gbp.conf: Configure for a non-native package - d/source/format: set to 3.0 (quilt) - d/watch: Look for new releases in upstream git * New upstream release - d/copyright: Drop stanzas for files no longer shipped * Change rst plugin's interpreter from Python 2 to Python 3 * Remove unused Lintian overrides for duplicate word false positives * Declare compliance with Debian Policy 4.1.3 * Use recommended debhelper compat level 11 -- Simon McVittie Sat, 06 Jan 2018 23:20:11 +0000 ikiwiki (3.20171001) unstable; urgency=medium [ Joey Hess ] * htmlscrubber: Add support for the video tag's loop and muted attributes. Those were not in the original html5 spec, but have been added in the whatwg html living standard and have wide browser support. * emailauth, passwordauth: Avoid leaving cgisess_* files in the system temp directory. [ Simon McVittie ] * core: Don't decode the result of strftime if it is already tagged as UTF-8, as it might be since Perl >= 5.21.1. (Closes: #869240) * img: Strip metadata from resized images when the deterministic config option is set. Thanks, intrigeri * receive: Avoid asprintf() in IkiWiki::Receive, to avoid implicit declaration, potential misbehaviour on 64-bit platforms, and lack of portability to non-GNU platforms * t: Add a regression test for untrusted git push * receive: Fix untrusted git push with git (>= 2.11) by passing through the necessary environment variables to make the quarantine area work * debian: Declare compliance with Debian Policy 4.1.1 [ Amitai Schleier ] * l10n: Fix the build with po4a 0.52, by ensuring that msgstr ends with a newline if and only if msgid does -- Simon McVittie Sun, 01 Oct 2017 16:32:01 +0100 ikiwiki (3.20170622) unstable; urgency=medium * t/git-cgi.t: Wait 1 second before doing a revert that should work. This hopefully fixes a race condition in which the test failed around 6% of the time. (Closes: 862494) * Guard against set-but-empty REMOTE_USER CGI variable on misconfigured nginx servers, and in general treat sessions with a set-but-empty name as if they were not signed in. * When the CGI fails, print the error to stderr, not "Died" * mdwn: Don't mangle