Log Message:
Update to 3.20160506. From the changelog:

  [ Simon McVittie ]
  * img: stop ImageMagick trying to be clever if filenames contain a colon,
    avoiding mis-processing
  * HTML-escape error messages, in one case avoiding potential cross-site
    scripting (OVE-20160505-0012)
  * Mitigate ImageMagick vulnerabilities such as CVE-2016-3714:
    - img: force common Web formats to be interpreted according to extension,
      so that "allowed_attachments: '*.jpg'" does what one might expect
    - img: restrict to JPEG, PNG and GIF images by default, again mitigating
      CVE-2016-3714 and similar vulnerabilities
    - img: check that the magic number matches what we would expect from
      the extension before giving common formats to ImageMagick
  * d/control: use https for Homepage
  * d/control: add Vcs-Browser

  [ Joey Hess ]
  * img: Add back support for SVG images, bypassing ImageMagick and
    simply passing the SVG through to the browser, which is supported by all
    commonly used browsers these days.
    SVG scaling by img directives has subtly changed; where before
    size=wxh would preserve aspect ratio, this cannot be done when passing
    them through and so specifying both a width and height can change
    the SVG's aspect ratio.
  * loginselector: When only openid and emailauth are enabled, but
    passwordauth is not, avoid showing a "Other" box which opens an
    empty form.

  [ Amitai Schlair ]
  * mdwn: Process .md like .mdwn, but disallow web creation.

  [ Florian Wagner ]
  * git: Correctly handle filenames starting with a dash in add/rm/mv.

 -- Simon McVittie <smcv@debian.org>  Fri, 06 May 2016 07:54:26 +0100