path: root/doc/news/version_2.48.mdwn

This release fixes an important security hole, upgrade immediately.

News for ikiwiki 2.48:

If you allowed password based logins to your wiki, those passwords were stored in cleartext in the userdb. To guard against exposing users' passwords, I recommend you install the [[cpan Authen::Passphrase]] perl module, and then run ikiwiki-transition hashpassword /path/to/srcdir to replace all existing cleartext passwords with strong (blowfish) hashes.

ikiwiki 2.48 released with [[toggle text="these changes"]] [[toggleable text="""

  • Fix security hole that occurred if openid and passwordauth were both enabled. passwordauth would allow logging in as a known openid, with an empty password. Closes: #483770 (CVE-2008-0169)
  • Add rel=nofollow to edit links. This may prevent some spiders from pounding on the cgi following edit links.
  • passwordauth: If Authen::Passphrase is installed, use it to store password hashes, crypted with Eksblowfish.
  • ikiwiki-transition hashpassword /path/to/srcdir can be used to hash existing plaintext passwords.
  • Passwords will no longer be mailed, but instead a password reset link.
  • The password_cost config setting is provided as a "more security" knob.
  • teximg: Fix logurl.
  • teximg: If the log isn't written, avoid ugly error messages.
  • Updated French translation. Closes: #478530"""]]
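The hashing and migration described above, as an added illustration rather than ikiwiki's own passwordauth code: it uses Authen::Passphrase to replace cleartext passwords in a userdb with Eksblowfish hashes and then verifies login attempts against them. The `%userdb` layout, the `password`/`cryptpassword` field names and the cost default are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not ikiwiki code): hash stored cleartext passwords with
# Eksblowfish via Authen::Passphrase and verify logins against the hash.
# The userdb layout and field names below are constructed for illustration.
use strict;
use warnings;
use Authen::Passphrase;
use Authen::Passphrase::BlowfishCrypt;

# The "more security" knob: work factor is 2**cost rounds (constructed default).
my $password_cost = 8;

# Constructed sample userdb, as it looks before the transition: cleartext.
my %userdb = (
    alice => { password => 'correct horse' },
    bob   => { password => 's3cret' },
);

# Replace every cleartext password with a salted bcrypt-style crypt string
# and drop the cleartext field so it no longer exists on disk.
sub hash_passwords {
    my ($db, $cost) = @_;
    for my $user (keys %$db) {
        my $plain = delete $db->{$user}{password};
        next unless defined $plain;
        my $ppr = Authen::Passphrase::BlowfishCrypt->new(
            cost        => $cost,
            salt_random => 1,      # fresh random 128-bit salt per user
            passphrase  => $plain,
        );
        $db->{$user}{cryptpassword} = $ppr->as_crypt;  # crypt(3)-style string
    }
}

# Verify a login attempt. An empty password is rejected up front instead of
# being handed to the matcher; a user without a stored hash never matches.
sub check_password {
    my ($db, $user, $attempt) = @_;
    return 0 unless defined $attempt && length $attempt;
    my $stored = $db->{$user}{cryptpassword} or return 0;
    return Authen::Passphrase->from_crypt($stored)->match($attempt) ? 1 : 0;
}

hash_passwords(\%userdb, $password_cost);
my $leftover = grep { exists $_->{password} } values %userdb;
print "cleartext fields remaining: $leftover\n";
print "alice/correct: ", check_password(\%userdb, 'alice', 'correct horse'), "\n";
print "alice/wrong:   ", check_password(\%userdb, 'alice', 'wrong'), "\n";
print "bob/empty:     ", check_password(\%userdb, 'bob', ''), "\n";
```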