-rw-r--r-- | doc/news/version_2.43.mdwn | 8
-rw-r--r-- | doc/news/version_2.48.mdwn | 24
2 files changed, 24 insertions, 8 deletions
diff --git a/doc/news/version_2.43.mdwn b/doc/news/version_2.43.mdwn deleted file mode 100644 index ce75b4c49..000000000 --- a/doc/news/version_2.43.mdwn +++ /dev/null @@ -1,8 +0,0 @@ -ikiwiki 2.43 released with [[toggle text="these changes"]] -[[toggleable text=""" - * Fix missing import of escapeHTML in userlink. (Scott Bronson) - * Fix broken rcs\_update for bzr. (Scott Bronson) - * Use bzr --quiet to avoid it outputting stuff and messing up http headers. - (Scott Bronson) - * Give the full path to the hyperestraier helpfile in estseek.conf. - * Recommend a recent git-core for git init. Closes: [475609](http://bugs.debian.org/475609)"""]]
\ No newline at end of file diff --git a/doc/news/version_2.48.mdwn b/doc/news/version_2.48.mdwn new file mode 100644 index 000000000..c5e0e830d --- /dev/null +++ b/doc/news/version_2.48.mdwn @@ -0,0 +1,24 @@ +News for ikiwiki 2.48: + + If you allowed password based logins to your wiki, those passwords were + stored in cleartext in the userdb. To guard against exposing users' + passwords, I recommend you install the Authen::Passphrase perl module, and + then run `ikiwiki-transition hashpassword /path/to/srcdir` to replace all + existing cleartext passwords with strong (blowfish) hashes. + +ikiwiki 2.48 released with [[toggle text="these changes"]] +[[toggleable text=""" + * Fix security hole that occurred if openid and passwordauth were both + enabled. passwordauth would allow logging in as a known openid, with an + empty password. Closes: #[483770](http://bugs.debian.org/483770) + * Add rel=nofollow to edit links. This may prevent some spiders from + pounding on the cgi following edit links. + * passwordauth: If Authen::Passphrase is installed, use it to store + password hashes, crypted with Eksblowfish. + * `ikiwiki-transiition hashpassword /path/to/srcdir` can be used to + hash existing plaintext passwords. + * Passwords will no longer be mailed, but instead a password reset link. + * The password\_cost config setting is provided as a "more security" knob. + * teximg: Fix logurl. + * teximg: If the log isn't written, avoid ugly error messages. + * Updated French translation. Closes: #[478530](http://bugs.debian.org/478530)"""]]
\ No newline at end of file |
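Review bot: the changelog bullet in doc/news/version_2.48.mdwn misspells the migration command as `ikiwiki-transiition hashpassword /path/to/srcdir`, while the news paragraph at the top of the same file spells it `ikiwiki-transition`. An admin who copies the bullet will not find the command, and the userdb keeps its cleartext passwords, so correct the spelling in the bullet. The news paragraph would also be clearer if it stated what the bullet "If Authen::Passphrase is installed, use it to store password hashes" implies: hashing is conditional on that module being present, so installing it is a prerequisite rather than just a recommendation. It could also point to the password\_cost setting, which is only mentioned in the list. Minor: "Passwords will no longer be mailed, but instead a password reset link." lacks a verb in its second clause; something like "a password reset link is sent instead" reads better.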