-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Feb 2019 22:57:58 +0000
Source: ikiwiki
Binary: ikiwiki
Architecture: all
Version: 3.20170111.1
Distribution: stretch-security
Urgency: high
Maintainer: all Build Daemon (x86-bm-01)
Changed-By: Simon McVittie
Description:
 ikiwiki    - wiki compiler
Changes:
 ikiwiki (3.20170111.1) stretch-security; urgency=high
 .
   * aggregate: Use LWPx::ParanoidAgent if available. Previously blogspam,
     openid and pinger used this module if available, but aggregate did not.
     This prevents server-side request forgery or local file disclosure, and
     mitigates denial of service when slow "tarpit" URLs are accessed.
     (CVE-2019-9187)
   * blogspam, openid, pinger: Use a HTTP proxy if configured, even if
     LWPx::ParanoidAgent is installed. Previously, only aggregate would obey
     proxy configuration. If a proxy is used, the proxy (not ikiwiki) is
     responsible for preventing attacks like CVE-2019-9187.
   * aggregate, blogspam, openid, pinger: Do not access non-http, non-https
     URLs. Previously, these plugins would have allowed non-HTTP-based
     requests if LWPx::ParanoidAgent was not installed. Preventing file URIs
     avoids local file disclosure, and preventing other rarely-used URI
     schemes like gopher mitigates request forgery attacks.
   * aggregate, openid, pinger: Document LWPx::ParanoidAgent as strongly
     recommended. These plugins can request attacker-controlled URLs in some
     site configurations.
   * blogspam: Document LWPx::ParanoidAgent as desirable. This plugin doesn't
     request attacker-controlled URLs, so it's non-critical here.
   * blogspam, openid, pinger: Consistently use cookiejar if configured.
     Previously, these plugins would only obey this configuration if
     LWPx::ParanoidAgent was not installed, but this appears to have been
     unintended.
Checksums-Sha1:
 97e0cd4ebb265c652a8b8ad2d21debaefc1d5b14 12305 ikiwiki_3.20170111.1_all.buildinfo
 689634784e6f5f965f164f11ae86a73a13ec468e 1416024 ikiwiki_3.20170111.1_all.deb
Checksums-Sha256:
 5c8b96aa0c52da6475a4dfd3eca0ef6f4515d961d86c6501e5887d22723eda4c 12305 ikiwiki_3.20170111.1_all.buildinfo
 6637539b19c2f0f5893e738d4c68e09b8c9f248c42532f8de7355bda1650aaca 1416024 ikiwiki_3.20170111.1_all.deb
Files:
 6c2f917a6888f1cfa119043cf3b68ef3 12305 web optional ikiwiki_3.20170111.1_all.buildinfo
 36ebdd1c75af62cfbb7598b2e24bbbc1 1416024 web optional ikiwiki_3.20170111.1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/XSEynQpzd2p2l7Dy9stMSJZEOoFAlx4NR4ACgkQy9stMSJZ
EOqIZQ/9FGo63k9NN5mZjeN2aEj/E2QGLmk27E/mPdmOzKOj/dZAyIOo0+SgN9nB
RUlv0GvfnXBfqjfS+FZy5mFLEpkn9q33qB/JhCpBIEH9rh+E/OAGNUn4FMST8ZId
NlKqC+bOGt1ajRfpaYBu/ixkRWEM+u/hwvUI3MWlKny7BqdA9icSTBXsuNvroZYk
uWnZ0pkzp2r3PRAg20FhscHNL+ABs3rlbo8SryRhWoxMltX/zPqb4nU2nfb6zbQd
MtUasXanHM85FtEgWwAjb13Awq1JtzMaSrvuPwqP6QaEWxvuuSSnoFui4i8ws3Jr
dNoIlphJDU5WiEERW/VOYlu37OKu9dSiZ4F33VSVeooygquzUf7b26lZ80ndKcFG
7hsI9pq4FTg9aSLmClVGSFbwv5E6x4G6vpM7ru3aLuZFQXwBoSgh+4SJXnXtzoTm
ZPMVd8Lu+oN/msyLFyU7TOfgP1kDP79Z8zsFmpWLY7XGzplfae2DFHKjiyF0vpMW
9+R7GVPByj9AKDjZbZegDASj26EuAY1vdGlYtoR/qWloVRjaap7xwYC7cK01W3oE
fo3E0F2VcZnl5A6lG+gk3Edv+L2RaRe4m5QSzlsxWGToK8ICl4yovjmdnlGspxCe
B7/7OYq9mdat9uQZJ4wKe6WLMyY1P86l4SdBFqsPXEo1Q0eYA+k=
=P5T9
-----END PGP SIGNATURE-----
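The changelog above describes two layers of the CVE-2019-9187 fix: a scheme allowlist (http and https only, so file: and gopher: never reach the fetcher) and, when no proxy is configured, LWPx::ParanoidAgent's refusal to connect to internal addresses. The block below is an added illustration of that policy, written in Python for testability; it is not ikiwiki's code and not LWPx::ParanoidAgent, and every function name (`vet_url`, `is_public_address`), the `FAKE_DNS` table and the hostnames and addresses in it are constructed for the example.

```python
"""URL vetting in the spirit of the ikiwiki fix: allow only http/https,
resolve the host, and refuse any name that lands on a non-public address.
Added example; names, hosts and addresses below are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# As in the fixed plugins: file:, gopher: and every other scheme are refused.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURL(ValueError):
    """Raised when a server-side fetch of the URL must not happen."""


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:10.0.0.5) is unwrapped first; some Python
    versions otherwise classify such an address as neither private nor
    loopback, which is exactly the gap an attacker would probe for.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global excludes private, loopback, link-local (169.254/16, fe80::/10),
    # unspecified, reserved and CGNAT space; multicast is excluded explicitly
    # because is_global does not cover it on every Python version.
    return addr.is_global and not addr.is_multicast


def system_resolve(host: str) -> List[str]:
    """Resolve with the OS resolver, returning every A and AAAA address."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def vet_url(url: str,
            resolve: Callable[[str], List[str]] = system_resolve,
            proxy: Optional[str] = None) -> List[str]:
    """Return the addresses a fetch of `url` may connect to, or raise UnsafeURL.

    With a proxy configured the addresses are not checked here: the
    connection to the origin is made by the proxy, which (as the changelog
    says) is then the component responsible for blocking internal targets.
    An empty list means "delegated to the proxy".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme %r not allowed" % scheme)
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    if proxy is not None:
        return []
    try:
        ipaddress.ip_address(host)
        addrs = [host]            # IP literal (incl. [::1]): nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise UnsafeURL("%r does not resolve" % host)
    # Every address must pass, not just the one the socket would pick: a name
    # with one public and one internal record slips past a first-record check.
    for ip in addrs:
        if not is_public_address(ip):
            raise UnsafeURL("%r resolves to non-public address %s" % (host, ip))
    return addrs


# Constructed resolver table so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "example.org": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
    "v6mapped.test": ["::ffff:10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.org/feed.xml", "file:///etc/passwd",
              "gopher://example.org/", "http://rebind.test/",
              "http://[::1]/", "http://169.254.169.254/latest/"):
        try:
            print(u, "->", vet_url(u, resolve=fake_resolve))
        except UnsafeURL as e:
            print(u, "-> refused:", e)
```

The check resolves the name once and the HTTP client would resolve it again when connecting, so a DNS answer that changes between the two calls can still reach an internal host; LWPx::ParanoidAgent avoids that by checking the address at connect time, which is why the changelog recommends it rather than a pre-check like this one. The tarpit point in the changelog is separate from address policy and is handled by putting a timeout on the fetch itself.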