ANN: pandoc 3.1.6
5 views
Skip to first unread message
John MacFarlane
Jul 21, 2023, 11:40:35 AM7/21/23
to pandoc-...@googlegroups.com, pandoc-...@googlegroups.com
I'm pleased to announce the release of pandoc 3.1.6,
available in the usual places:
Binary packages & changelog:
https://github.com/jgm/pandoc/releases/tag/3.1.6
Source & API documentation:
http://hackage.haskell.org/package/pandoc-3.1.6
Changes of note:
This release fixes a new variant of the vulnerability described in
CVE-2023-35936. Guilhem Moulin noticed that the fix in 3.1.4 to
CVE-2023-35936 was incomplete. An attacker could get around it by
double-encoding the malicious extension to create or override
arbitrary files.
A regression on short boolean arguments has also been fixed.
In 3.1.5 boolean arguments were allowed an optional argument
(`true|false`). This broke the ability to used fused short
arguments, e.g. '-somyfile.html' == '-s -o myfile.html'. This
commit restores that while keeping support for optional boolean
arguments.
--embed-resources now uses inline SVG instead of data URIs for SVG
images in HTML5.
The docx reader will now use the SVG version of an image if present
rather than the PNG fallback.
The typst reader fixes a regression in recognition of display math
and has many bug fixes from improvements in typst-hs.
Release binaries are now compiled on ghc 9.2, since compiling on 9.4
led to "illegal instruction" errors on some older hardware.
(The cause of this is still not clear, but the change seems to
have fixed the problem.)
See the changelog for other changes and fuller details.
available in the usual places:
Binary packages & changelog:
https://github.com/jgm/pandoc/releases/tag/3.1.6
Source & API documentation:
http://hackage.haskell.org/package/pandoc-3.1.6
Changes of note:
This release fixes a new variant of the vulnerability described in
CVE-2023-35936. Guilhem Moulin noticed that the fix in 3.1.4 to
CVE-2023-35936 was incomplete. An attacker could get around it by
double-encoding the malicious extension to create or override
arbitrary files.
A regression on short boolean arguments has also been fixed.
In 3.1.5 boolean arguments were allowed an optional argument
(`true|false`). This broke the ability to used fused short
arguments, e.g. '-somyfile.html' == '-s -o myfile.html'. This
commit restores that while keeping support for optional boolean
arguments.
--embed-resources now uses inline SVG instead of data URIs for SVG
images in HTML5.
The docx reader will now use the SVG version of an image if present
rather than the PNG fallback.
The typst reader fixes a regression in recognition of display math
and has many bug fixes from improvements in typst-hs.
Release binaries are now compiled on ghc 9.2, since compiling on 9.4
led to "illegal instruction" errors on some older hardware.
(The cause of this is still not clear, but the change seems to
have fixed the problem.)
See the changelog for other changes and fuller details.
Reply all
Reply to author
Forward
0 new messages