commons-configuration2 (2.8.0-1~deb11u1) bullseye-security; urgency=high

  * Team upload.
  * Backport version 2.8.0 from Bullseye.
  * Fix CVE-2022-33980:
    Apache Commons Configuration performs variable interpolation, allowing
    properties to be dynamically evaluated and expanded. Starting with version
    2.4 and continuing through 2.7, the set of default Lookup instances
    included interpolators that could result in arbitrary code execution or
    contact with remote servers. These lookups are: - "script" - execute
    expressions using the JVM script execution engine (javax.script) - "dns" -
    resolve dns records - "url" - load values from urls, including from remote
    servers Applications using the interpolation defaults in the affected
    versions may be vulnerable to remote code execution or unintentional
    contact with remote servers if untrusted configuration values are used.
    (Closes: #1014960)

 -- Markus Koschany <apo@debian.org>  Mon, 28 Nov 2022 10:52:07 +0100

commons-configuration2 (2.8.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.8.0 (Closes: #1014960)
    Addresses CVE-2022-33980
  * Bump Standards-Version to 4.6.1
  * Use debhelper-compat 13
  * Freshen years in debian/copyright
  * Update javax.servlet dependency to libservlet-api-java
  * Add build-dep on libhamcrest-java

 -- tony mancill <tmancill@debian.org>  Sat, 16 Jul 2022 09:53:15 -0700

commons-configuration2 (2.7-2) unstable; urgency=medium

  * Team upload.
  * Add commons-text.jar to the CLASSPATH. Without commons-text.jar packages
    like MediathekView will not work anymore. (Closes: #955755)

 -- Markus Koschany <apo@debian.org>  Sun, 05 Apr 2020 15:33:44 +0200

commons-configuration2 (2.7-1) unstable; urgency=medium

  * Team upload
  * Update debian/watch to repack as .xz and use https URL
  * New upstream version 2.7, CVE-2020-1953 (Closes: #954713)
  * Specify debhelper compat 12 via debhelper-compat dependency
  * Add build-dep on libcommons-text-java
  * Remove get-orig-source target from debian/rules
  * Set source and target in maven.properites to Java 8
  * Specify debhelper compat 12 via debhelper-compat dependency
  * Add build-dep on libcommons-text-java
  * Remove get-orig-source target from debian/rules
  * Set source and target in maven.properites to Java 8
  * Set "Rules-Requires-Root: no" in debian/control
  * Bump Standards-Version to 4.5.0
  * Freshen years in debian/copyright
  * Update Vcs URLs to point to Salsa
  * Ship NOTICE.txt with binary package

 -- tony mancill <tmancill@debian.org>  Sat, 28 Mar 2020 21:32:41 -0700

commons-configuration2 (2.2-1) unstable; urgency=medium

  * New upstream release
    - New dependency on libjackson2-databind-java and libyaml-snake-java
  * Standards-Version updated to 4.1.3

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 29 Dec 2017 23:12:51 +0100

commons-configuration2 (2.1.1-1) unstable; urgency=medium

  * Cloned the package as commons-configuration2
  * New upstream release
    - New dependency on libspring-context-java
    - Removed the dependency on commons-collections

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 28 Jun 2017 15:25:32 +0200

commons-configuration (1.10-5) unstable; urgency=medium

  * Removed the unused build dependency on ant
  * Standards-Version updated to 4.0.0
  * Switch to debhelper level 10
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 28 Jun 2017 13:59:09 +0200

commons-configuration (1.10-4) unstable; urgency=medium

  * Ignore the scm-publish plugin to fix the build failure with Maven 3
  * Build with the DH sequencer instead of CDBS
  * Suggest the optional dependencies instead of recommending them

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 17 Dec 2015 09:00:26 +0100

commons-configuration (1.10-3) unstable; urgency=medium

  * Team upload.
  * Moved the package to Git
  * Add missing build-dep on libeasymock-java. (Closes: #797853)

 -- tony mancill <tmancill@debian.org>  Wed, 02 Sep 2015 21:48:55 -0700

commons-configuration (1.10-2) unstable; urgency=medium

  * Replaced the build dependency on libgnumail-java with libmail-java
  * Upgraded the dependency on the Servlet API (3.0 -> 3.1)
  * Updated Standards-Version to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 30 Sep 2014 09:16:31 +0200

commons-configuration (1.10-1) unstable; urgency=low

  * New upstream release
  * debian/control: Updated Standards-Version to 3.9.5 (no changes)
  * Build depend on debhelper >= 9

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 02 Nov 2013 07:38:45 +0100

commons-configuration (1.9-1) unstable; urgency=low

  * New upstream release (Closes: #675966)
  * debian/control:
    - Updated Standards-Version to 3.9.4 (no changes)
    - Use canonical URLs for the Vcs-* fields
    - Added new build dependencies (libjavacc-maven-plugin-java, junit4)
    - Upgraded the dependency on the Servlet API (2.5 -> 3.0)
    - Removed the dependency on the Activation Framework (glassfish-activation)
    - Replaced the dependency on glassfish-mail with libgnumail-java
    - Removed the unused dependencies:
      liblog4j1.2-java-doc, libmaven-assembly-plugin-java
    - Replaced the dependency on libcommons-jexl-java by libcommons-jexl2-java
  * debian/watch: Changed to point the official Apache distribution server
  * Removed the obsolete file debian/ant.properties
  * Installed the upstream changelog in the binary packages
  * Added the report plugins to maven.ignoreRules
  * Added the classpath attribute to the jar manifest

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 01 Jul 2013 16:29:44 +0200

commons-configuration (1.7-1) unstable; urgency=low

  * New upstream release:
    - Drop all previous patches.
    - Add B-D on libcommons-vfs-java (>= 2.0), libcommons-dbcp-java,
      libcommons-pool-java, glassfish-mail and glassfish-activation.
  * Bump Standards-Version 3.9.2: no changes needed.
  * d/copyright: Use DEP-5 format.
  * Switch to Maven build system:
    - Add B-D on maven-debian-helper
    - Use ${maven:Depends} and ${maven:OptionalDepends} for Depends
      and Recommends.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 11 Sep 2011 00:55:11 +0200

commons-configuration (1.6-6) unstable; urgency=low

  * Add myself as Uploaders.
  * Switch to servlet-api 2.5:
    - d/control: Update Build-Depends and Depends to libservlet2.5-java.
    - d/rules: Set DEB_JARS to servlet-api-2.5.
  * Use default-jdk for build.
  * d/control: Drop Depends on classpath-doc but
    add Recommends on default-jdk-doc. (Closes: #567269).
  * d/control: Fix Vcs-* to use anonymous connection.
  * d/control: Update Standards-Version to 3.9.2: no changes needed.
  * Bump debhelper compat level to 7.
  * d/control: Remove Suggests on java-virtual-machine.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sun, 04 Sep 2011 14:19:17 +0200

commons-configuration (1.6-5) unstable; urgency=low

  * Change Build-Depends: default-jdk-doc.
  * Convert copyright file to UTF-8.
  * Switch to source format 3.0.
  * Update Standards-Version: 3.8.4

 -- Torsten Werner <twerner@debian.org>  Sun, 11 Apr 2010 16:00:02 +0200

commons-configuration (1.6-4) unstable; urgency=low

  * Upload to unstable.

 -- Torsten Werner <twerner@debian.org>  Sun, 09 Aug 2009 10:41:44 +0200

commons-configuration (1.6-3) experimental; urgency=low

  * Update debian/control as previous version missed all my changes
  * Use openjdk-6-jdk for the build; add a Build-Depends on this
    package.

 -- Ludovic Claude <ludovic.claude@laposte.net>  Sun, 12 Jul 2009 23:20:28 +0100

commons-configuration (1.6-2) experimental; urgency=low

  [ Ludovic Claude ]
  * Change section to java, bump up Standards-Version to 3.8.1
  * Add the Maven POM to the package,
  * Add a Build-Depends-Indep dependency on maven-repo-helper
  * Use mh_installpom and mh_installjar to install the POM and the jar to the
    Maven repository
  * Add missing dependencies on the binary package
  * Add new java-doc package
  * Use default-jdk to build the package, otherwise javadoc generation fails

  [ Torsten Werner ]
  * Fix Build-Depends.
  * Upload to experimental.

 -- Torsten Werner <twerner@debian.org>  Sun, 12 Jul 2009 22:45:20 +0200

commons-configuration (1.6-1) unstable; urgency=low

  * new upstream release
  * Refresh our patches.

 -- Torsten Werner <twerner@debian.org>  Sat, 10 Jan 2009 12:54:01 +0100

commons-configuration (1.5-2) unstable; urgency=low

  * Change Maintainer to the pkg-java team.
  * Bump up Standards-Version: 3.8.0 (no changes needed).
  * Do no longer quote the full text of the Apache license in
    debian/copyright.

 -- Torsten Werner <twerner@debian.org>  Fri, 15 Aug 2008 01:39:18 +0200

commons-configuration (1.5-1) unstable; urgency=low

  * new upstream release
  * Move package to Alioth and add Vcs headers in debian/control.
  * Update all references to the homepage and download address to the new
    apache structure. (Closes: #450063)
  * Add target 'get-orig-source' to debian/rules.
  * Bumped up Standards-Version to 3.7.3; no changes needed.
  * Switch from kaffe to java-gcj-compat-dev.

 -- Torsten Werner <twerner@debian.org>  Sun, 09 Dec 2007 10:50:51 +0100

commons-configuration (1.4-2) unstable; urgency=low

  * Remove some of the Depends because one of them was wrong and the others
    might not be real Depends. (Closes: #425017)

 -- Torsten Werner <twerner@debian.org>  Fri, 18 May 2007 18:43:24 +0200

commons-configuration (1.4-1) unstable; urgency=low

  * Initial release (Closes: #420165)

 -- Torsten Werner <twerner@debian.org>  Fri, 20 Apr 2007 15:42:11 +0200