public inbox archive for pandoc-discuss@googlegroups.com
* ANN: pandoc 3.1.4
@ 2023-06-24 21:52 John MacFarlane
From: John MacFarlane @ 2023-06-24 21:52 UTC
  To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw,
	pandoc-announce-/JYPxA39Uh5TLH3MbocFFw

I'm pleased to announce the release of pandoc 3.1.4,
available in the usual places:

Binary packages & changelog:
https://github.com/jgm/pandoc/releases/tag/3.1.4

Source & API documentation:
http://hackage.haskell.org/package/pandoc-3.1.4

The main reason for this release is to fix a security vulnerability found by
Entroy C.  This vulnerability affects earlier versions of pandoc and is only
present when output is to a PDF or --extract-media is used. Using a specially
crafted data URI in an image element, an attacker can cause pandoc
to write files with arbitrary contents and filenames to locations outside of
the directory to which media is being extracted. Using --sandbox does not
mitigate this vulnerability (as documented, --sandbox only limits IO in
readers and writers and does not affect PDF production).

We recommend that all users upgrade.

In addition to this security fix, this release contains a number of
small improvements, described in the changelog.

There is one small API change: the `ScriptingWarning` constructor
has been added to `LogMessage`.

Thanks to all who contributed, especially new contributors Adelar da Silva
Queiróz, Norwid Behrnd, Per Christian Gaustad, ech0, and harabat. And thanks
especially to Entroy C for identifying the security issue.


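The exposure conditions stated in the announcement (a release earlier than 3.1.4, combined with PDF output or `--extract-media`) can be checked mechanically for pipelines that call pandoc. The following is an added example, not part of the announcement and not pandoc's own code; the function names are hypothetical, and it assumes the first line of `pandoc --version` has the form `pandoc X.Y.Z`.

```python
import re

FIXED = (3, 1, 4)  # first release carrying the fix, per the announcement

def parse_version(version_output):
    """Extract the version tuple from the first line of `pandoc --version`."""
    m = re.match(r"pandoc(?:\.exe)?\s+(\d+(?:\.\d+)*)", version_output.strip())
    if not m:
        raise ValueError("not pandoc --version output")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(version):
    # Pad with zeros so (3, 2) and (2, 9, 2, 1) compare correctly to 3.1.4.
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(FIXED)

def risky_features(argv):
    """Return which of the two affected code paths a command line uses."""
    hits = set()
    for i, arg in enumerate(argv):
        if arg == "--extract-media" or arg.startswith("--extract-media="):
            hits.add("extract-media")
        out = None
        if arg in ("-o", "--output") and i + 1 < len(argv):
            out = argv[i + 1]
        elif arg.startswith("--output="):
            out = arg.split("=", 1)[1]
        elif arg.startswith("-o") and len(arg) > 2:
            out = arg[2:]  # short option with attached value, e.g. -oout.pdf
        if out and out.lower().endswith(".pdf"):
            hits.add("pdf-output")
    return hits

def assess(version_output, argv):
    """Combine version and command line into an exposure verdict."""
    version = parse_version(version_output)
    features = risky_features(argv)
    return {
        "version": version,
        "features": sorted(features),
        # Reported for visibility only: --sandbox does not mitigate this issue.
        "sandbox_flag_present": "--sandbox" in argv,
        "exposed": bool(features) and not is_patched(version),
    }
```

Options supplied through a defaults file or as abbreviated long options are not seen by this check, so it covers only explicit command lines.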