-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Feb 2019 23:04:42 +0000
Source: ikiwiki
Architecture: source
Version: 3.20190228-1
Distribution: unstable
Urgency: high
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 911356
Changes:
 ikiwiki (3.20190228-1) unstable; urgency=high
 .
   * New upstream release
     - aggregate: Use LWPx::ParanoidAgent if available. Previously blogspam,
       openid and pinger used this module if available, but aggregate did
       not. This prevents server-side request forgery or local file
       disclosure, and mitigates denial of service when slow "tarpit" URLs
       are accessed. (CVE-2019-9187)
     - blogspam, openid, pinger: Use an HTTP proxy if configured, even if
       LWPx::ParanoidAgent is installed. Previously, only aggregate would
       obey proxy configuration. If a proxy is used, the proxy (not ikiwiki)
       is responsible for preventing attacks like CVE-2019-9187.
     - aggregate, blogspam, openid, pinger: Do not access non-http, non-https
       URLs. Previously, these plugins would have allowed non-HTTP-based
       requests if LWPx::ParanoidAgent was not installed. Preventing file
       URIs avoids local file disclosure, and preventing other rarely-used
       URI schemes like gopher mitigates request forgery attacks.
     - aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
       recommended. These plugins can request attacker-controlled URLs in
       some site configurations.
     - blogspam: Document LWPx::ParanoidAgent as desirable. This plugin
       doesn't request attacker-controlled URLs, so it's non-critical here.
     - blogspam, openid, pinger: Consistently use cookiejar if configured.
       Previously, these plugins would only obey this configuration if
       LWPx::ParanoidAgent was not installed, but this appears to have been
       unintended.
     - po: Always filter .po files.
       The po plugin in previous ikiwiki releases made the second and
       subsequent filter call per (page, destpage) pair into a no-op,
       apparently in an attempt to prevent *recursive* filtering (which as
       far as we can tell can't happen anyway), with the undesired effect of
       interpreting the raw .po file as page content (e.g. Markdown) if it
       was inlined into the same page twice, which is apparently something
       that tails.org does. Simplify this by deleting the code that
       prevented repeated filtering. Thanks, intrigeri (Closes: #911356)
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----