-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 May 2016 22:38:35 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: all source
Version: 3.20120629.2+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Simon McVittie <smcv@debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 ikiwiki    - a wiki compiler
Changes:
 ikiwiki (3.20120629.2+deb7u1) wheezy-security; urgency=medium
 .
   * HTML-escape error messages, in one case avoiding potential cross-site
     scripting (CVE-2016-4561, OVE-20160505-0012)
   * Update img plugin to version 3.20160509 to mitigate ImageMagick
     vulnerabilities, including remote code execution (CVE-2016-3714):
     - Never convert SVG images to PNG; simply pass them through to the
       browser. This prevents exploitation of any ImageMagick SVG coder
       vulnerabilities. (joeyh)
     - Do not resize image formats other than JPEG, PNG, GIF unless
       specifically configured to do so. This prevents exploitation of any
       vulnerabilities in less common coders, such as MVG. (schmonz, smcv)
     - Do not resize JPEG, PNG, GIF, PDF images if their extensions do not
       match their "magic numbers", because wiki admins might try to restrict
       attachments by extension, but ImageMagick can base its choice of coder
       on the magic number. Explicitly force the obvious ImageMagick coder to
       be used. (smcv)
   * Minor non-security changes resulting from that update, since reverting
     them seems higher-risk than keeping them:
     - Add PDF support, disabled by the above changes unless specifically
       configured (chrysn)
     - Only render one frame or page from animated GIF or multi-page PDF
       (chrysn)
     - Do not distort aspect ratio when resizing small images (chrysn)
     - Use data: URLs to embed images in page previews (chrysn)
     - Raise an error if the image's size cannot be determined (chrysn)
     - Handle filenames containing a colon correctly (smcv)
   * Add t/img.t regression test also taken from version 3.20160506
     (chrysn, joeyh, schmonz, smcv)
   * debian/tests: add metadata to run the img test as an autopkgtest
Checksums-Sha1:
 f46cd8f9668b4c584683c32427d822a20118f37e 1853 ikiwiki_3.20120629.2+deb7u1.dsc
 2acfcb2b7aeb8d13434a813977a29341b52cf3fa 2786046 ikiwiki_3.20120629.2+deb7u1.tar.gz
 6c781ddd14070dcf9f664a79a760875ac79fe04b 1804326 ikiwiki_3.20120629.2+deb7u1_all.deb
Checksums-Sha256:
 8396d1e28cdc838000e94c04bbd0d1df02841c535eaa778ae269c2cf5ef6b5b7 1853 ikiwiki_3.20120629.2+deb7u1.dsc
 2e8c494f3b1fbc9fcb12f03a6453f5ee37da7e83489ac3c23c630b602f1c7638 2786046 ikiwiki_3.20120629.2+deb7u1.tar.gz
 259975640bf1d621b0c624a8305d93d6a813cbdc6a9919e3a9c9f4ac4c33522e 1804326 ikiwiki_3.20120629.2+deb7u1_all.deb
Files:
 5133ee90c2862a72c16986e7b8054c04 1853 web optional ikiwiki_3.20120629.2+deb7u1.dsc
 e59af543ba211f482de0fad663709f4f 2786046 web optional ikiwiki_3.20120629.2+deb7u1.tar.gz
 f3e41c0123af8a56b71fffb323497445 1804326 web optional ikiwiki_3.20120629.2+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJXMQzxAAoJEE3o/ypjx8yQ6s8QAI2pIeKBSlJwYKYFso2sY65U
Ti+rXJ6Cm1yvXNyLGhmvY9gMn33jov0XoFlvxot0r3ds8WWIxRZAMd47aiUgVlJJ
BV6a8tXiEWrsXARv5KZHeoWj7HYMsP36Y4h/+QOY8uy0UtO8mm94QPLiVZotv1K6
QqBdTHuUyJHBl9DD1mbaergPb1JtSaqVPrHgWLCq7QS9UFvpUZKzuX8f2U07eTXM
IiFF1bLfnxjbp9ucz4X4/TRL4/gCVlyo6FeoMEIkCUcjY++jxkton2yn0E2shLik
yqhKdfuRtLdu267vEvch1uo/EvMsefNjdsM49lVAoiKPK4znw3lLhDltGq8iNI6O
N7xyXSMXGDp/SdPoDq4diRZ5OUt7USFVd0ImRGTUMBC6uY2NPSdOsqNFsX+fru1Z
i2NRCpfGfOzLkKDYlflccnB8TKetXqPWEQIENeJ58mq0nhPhiqB/5aht0D3pYCQb
zrOILOcug4k/yeib7EXc2e28FBmvZSxHoMSfqhkuQB/f+7Sqh5MjJqlpWBQr1Iy3
gwo6Stbl4vcBbb+QlSzHE/0iMaEXLYdJNQXy6eNF+d8z4wgtOhz7ZqFfcgYZaMYW
r2tynhATS8oNnoXsIw2qsWqhxl9gr8pVP4fd0EJs8Aj9qzzEC4rr4d00R8ddIUtY
pnnBnOGHuasSLVqMuYDM
=OAHu
-----END PGP SIGNATURE-----
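The img-plugin entries in the changelog above describe a small but complete attachment policy: SVG is never handed to the converter, only an allow-listed set of formats is resized, the file's magic number must agree with its extension before it is decoded, the coder is pinned explicitly, and any error text that reaches a page is HTML-escaped. The following Python sketch is an added illustration of that policy and is not ikiwiki's own code (which is Perl). The function names, the extension table, the sample bytes and the error-message wording are assumptions constructed for the example; the `format:` prefix is ImageMagick's documented explicit-coder syntax.

```python
import html
import os

# Leading bytes ("magic numbers") of the formats the plugin is willing to resize.
# A file is only handed to the converter if its extension and its magic number
# agree on one of these formats.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Attachment extension -> the format the name claims to be (constructed table).
EXT_TO_FORMAT = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".png": "png",
    ".gif": "gif",
    ".pdf": "pdf",
    ".svg": "svg",
}

# Resized by default; PDF must be enabled explicitly, as the changelog says.
DEFAULT_RESIZABLE = frozenset({"jpeg", "png", "gif"})


def sniff_format(data: bytes):
    """Return the format whose magic number matches the start of `data`, or None."""
    for fmt, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def decide(filename: str, data: bytes, resizable=DEFAULT_RESIZABLE):
    """Decide how an attachment is handled (hypothetical helper).

    Returns one of:
      ("passthrough", None)  serve the original bytes untouched, never decode them
      ("resize", "png:")     run the converter, forcing the named coder
      ("error", reason)      refuse; `reason` must be escaped before rendering
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_FORMAT.get(ext)

    # SVG is never converted: the browser renders it and the SVG coder is never reached.
    if claimed == "svg":
        return ("passthrough", None)

    # Unknown or non-enabled formats (MVG, for example) are not resized at all,
    # so their coders never run on attacker-supplied input.
    if claimed is None or claimed not in resizable:
        return ("passthrough", None)

    # The extension is only a claim. The converter would otherwise choose its coder
    # from the magic number, so both must agree before the file is decoded.
    actual = sniff_format(data)
    if actual != claimed:
        return ("error", f"{filename}: extension says {claimed}, "
                         f"content looks like {actual or 'unknown'}")

    # Pin the coder with an explicit "format:" prefix for the converter call.
    # This also stops a colon inside the filename itself from being read as a coder.
    return ("resize", f"{claimed}:")


def render_error(reason: str) -> str:
    """Wrap an error message for a page, HTML-escaping it (the first changelog item)."""
    return '<p class="error">' + html.escape(reason) + "</p>"


if __name__ == "__main__":
    # Constructed sample attachments: only the leading bytes matter for the check.
    samples = [
        ("photo.JPG", b"\xff\xd8\xff\xe0" + bytes(16)),
        ("logo.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
        ("drawing.mvg", b"push graphic-context\n"),
        ("paper.pdf", b"%PDF-1.4\n"),
        ("paper.png", b"%PDF-1.4\n"),
    ]
    for name, data in samples:
        action, detail = decide(name, data)
        print(name, "->", action, render_error(detail) if action == "error" else detail)
```

The interesting case is `paper.png`: by extension it passes an attachment filter, but its content is a PDF, so without the magic-number check the converter would silently select the PDF coder. The policy refuses it instead, and the refusal text goes through `render_error` so a crafted filename cannot inject markup into the page.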