smarty3 (3.1.48-2) unstable; urgency=medium [ Tobias Frost ] * Team upload. * CVE-2024-35226 - PHP Code injection by untrusted template authors (Closes: #1072530) * Add simple testsuite to check against some CVEs. [ Debian Janitor ] * Set upstream metadata fields: Security-Contact. * Remove unnecessary get-orig-source-target. -- Tobias Frost Sun, 17 Nov 2024 11:03:04 +0100 smarty3 (3.1.48-1) unstable; urgency=medium * New upstream release. - CVE-2023-28447: Fix cross site scripting vulnerability in Javascript escaping. * debian/control: + Bump Standards-Version: to 4.6.2. No changes needed. * debian/copyright: + Update copyright attributions. -- Mike Gabriel Thu, 15 Jun 2023 16:10:44 +0200 smarty3 (3.1.47-2) unstable; urgency=medium * debian/control: + Bump versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-5~). * debian/rules: + Re-enable configfile/template parser/lexer generation. (Closes: #1022737). -- Mike Gabriel Tue, 25 Oct 2022 07:42:53 +0200 smarty3 (3.1.47-1) unstable; urgency=medium * New upstream release. - CVE-2018-25047: Prohibit XSS in libs/plugins/function.mailto.php. (Closes: #1019897). * debian/rules: + Disable configparser and templateparser creation temporarily. Use the files generated/provided by upstream for now.(Closes: #1021571). -- Mike Gabriel Mon, 24 Oct 2022 20:52:45 +0200 smarty3 (3.1.45-1) unstable; urgency=medium * New upstream release. - CVE-2021-21408: Prevent template authors from running restricted static php methods. (see smarty4 bug #1010375). - CVE-2021-29454: Prevent template authors from running arbitrary PHP code by crafting a malicious math string. (see smarty4 bug #1010375, as well). - CVE-2022-29221: Prevent template authors from injecting PHP code by choosing malicious filenames. (Closes: #1011758). * debian/watch: + Only watch 3.x versions of Smarty. * debian/control: + Bump Standards-Version: to 4.6.1. No changes needed. * debian/copyright: + Update copyright attributions. -- Mike Gabriel Mon, 30 May 2022 08:24:30 +0200 smarty3 (3.1.39-2) unstable; urgency=medium * debian/watch: + Fix Github watch URL. -- Mike Gabriel Thu, 29 Apr 2021 14:40:03 +0200 smarty3 (3.1.39-1) unstable; urgency=medium * New upstream release. * debian/copyright: + Update copyright attributions. -- Mike Gabriel Tue, 23 Feb 2021 11:41:59 +0100 smarty3 (3.1.38-1) unstable; urgency=medium * New upstream release. * debian/patches: + Drop 0001_bring-lexer-source-functionally-up-to-date.patch. Applied upstream. -- Mike Gabriel Mon, 18 Jan 2021 17:20:40 +0100 smarty3 (3.1.36-2) unstable; urgency=medium * debian/control: + Update versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-3~). * debian/patches: + Add 0001_bring-lexer-source-functionally-up-to-date.patch. Bring lexer source functionally up-to-date with (manually edited) compiled version. (Closes: #977604). * debian/watch: + Switch to format version 4. -- Mike Gabriel Fri, 18 Dec 2020 14:53:44 +0000 smarty3 (3.1.36-1) unstable; urgency=medium * New upstream release. * debian/rules: + Stop creating Git snapshots, use upstream orig tarballs (generated from Github tags) instead. + Upstream changelog has been renamed to CHANGELOG.md. * debian/copyright: + Update copyright attributions. + Drop global Comment: field. No tarball repacking anymore. * debian/control: + Bump Standards-Version: to 4.5.1. No changes needed. + Bump DH compat level to version 13. * debian/upstream/metadata: + Add file. Comply with DEP-12. -- Mike Gabriel Mon, 07 Dec 2020 09:33:25 +0100 smarty3 (3.1.34+20190228.1.c9f0de05+selfpack1-1) unstable; urgency=medium * New upstream release. * debian/control: + Bump Standards-Version: to 4.4.1. No changes needed. + Add Rules-Requires-Root: field and set it to "no". * debian/{control,compat}: + Switch to debhelper-compat notation. Bump DH comat level to version 12. -- Mike Gabriel Mon, 18 Nov 2019 10:49:54 +0100 smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium * New upstream release. - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes: #908698). * debian/control: + Bump Standards-Version: to 4.2.1. No changes needed. -- Mike Gabriel Mon, 17 Sep 2018 13:04:18 +0200 smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium * New upstream release. * debian/*: White-space clean-up at EOL. * debian/patches: + Drop 0001_CVE-2017-1000480.patch. Applied upstream. * debian/rules: + Avoid using dpkg-parsechangelog. * debian/copyright: + Update copyright attributions. + Use secure URI to obtain copyright references. + Add global Comment: field. Explain about brokenness of upstream tarballs. * debian/control: + Update Vcs-*: fields. Packaging Git has been migrated to salsa.debian.org. + Bump Standards-Version: to 4.1.4. No changes needed. * debian/{control,compat}: + Bump DH version level to 11. -- Mike Gabriel Sun, 27 May 2018 23:21:33 +0200 smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium * debian/patches: + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes: #886460). -- Mike Gabriel Sun, 14 Jan 2018 11:13:16 +0100 smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium * Re-upload to Debian unstable to enforce package rebuild (as we don't have binNMUs for arch:all packages). * debian/control: + Update versioned B-D on smarty-lexer (>= 3.1.30+dfsg1-1.1~). This is to assure correct lexer/parser generation which was broken by smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further reference. -- Mike Gabriel Tue, 21 Mar 2017 10:13:01 +0100 smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-1) unstable; urgency=medium * New upstream release. * debian/rules: + Self-pack orig tarball from Git commit, due to broken upstream tarball generation on Github. For details see: https://github.com/smarty-php/smarty/issues/325 * debian/copyright: + Update copyright attributions. -- Mike Gabriel Tue, 24 Jan 2017 21:17:51 +0100 smarty3 (3.1.30-1) unstable; urgency=medium * Upload to unstable. * Update versioned B-D: + smarty-lexert (>= 3.1.30+dfsg1-1~). -- Mike Gabriel Fri, 25 Nov 2016 19:52:30 +0100 smarty3 (3.1.30-1~exp1) experimental; urgency=medium * New upstream release. Upload to experimental for testing with GOsa, FusionDirectory and other web portals that depend on Smarty3. * debian/copyright: + Update copyright attributions. -- Mike Gabriel Thu, 20 Oct 2016 14:00:22 +0200 smarty3 (3.1.29-2) unstable; urgency=medium * Re-upload unchanged to unstable. -- Mike Gabriel Fri, 07 Oct 2016 14:03:44 +0200 smarty3 (3.1.29-1) experimental; urgency=medium * New upstream release. (Closes: #825250). * debian/smarty3-lexer: + Remove shipped-with .plex and .y files for template and configfile parser/lexer. This version uses smarty-lexer src:package at build time instead. * debian/control: + Add B-D pkg-php-tools (for dh_phpcomposer) + Versioned B-D: debhelper (>= 9). + Use encrypted URLs for Vcs-*: field. + Bump Standards: to 3.9.8. No changes needed. * debian/{control,rules}: + Create internal lexer and parser PHP code at package build time (using B-D smarty-lexer). (Closes: #765730). This also solves issues in Debian package smarty3 3.1.21-1 caused by lexer/parser PHP files using the old trigger_error class API of Smarty.class.php. (Closes: #799282). * debian/smarty3.{install,docs}: + Use debhelper for installing bin:package files. * debian/compat: + Bump to DH version level 9. * debian/watch: + Upstream location has changed, now on Github. * debian/rules: + Use pure debhelper, with phpcomposer. + Make package build idempotent. * debian/copyright: + Update copyright attributions. -- Mike Gabriel Mon, 30 May 2016 14:03:16 +0200 smarty3 (3.1.21-1.1) unstable; urgency=medium * Non-maintainer upload in coordination with the maintainer. * Update depends and README.Debian for the php 7.0 transition. Thanks to Wolfgang Schweer for the patch! (Closes: #821660) -- Holger Levsen Mon, 23 May 2016 11:32:02 +0200 smarty3 (3.1.21-1) unstable; urgency=medium * New upstream release. (Closes: #765920). * debian/smarty3-lexer: + Add 4 files from smarty3 SVN that are used to generate some PHP files in the upstream tarball. See README.lexer for details. (Closes: #636148). * debian/copyright: + Add copyright information for debian/smarty3-lexer/*. + Fix upstream license (LGPL-3 -> LGPL-3+) after reading the upstream- shipped COPYING.lib file more thoroughly. + Relicense debian/* under same license as upstream sources (LGPL-3+). * debian/control: + Bump Standards: to 3.9.6. No changes needed. -- Mike Gabriel Sun, 19 Oct 2014 23:45:18 +0200 smarty3 (3.1.19-1) unstable; urgency=medium * New upstream release. + Obtain upstream sources as zip files from upstream. Stop checking out SVN tags. This change drops three embedded PHP libraries and files with problematic PHP licenses. (Closes: #752614). * debian/control: + Alioth-canonicalize Vcs-Git field. + Bump Standards: to 3.9.5. No changes needed. * lintian: + Drop unused override: embedded-php-library. -- Mike Gabriel Mon, 04 Aug 2014 21:32:20 +0200 smarty3 (3.1.13-1) unstable; urgency=low * New upstream release. * /debian/control: + Use my DD address in Maintainer: field. + Bump Standards: to 3.9.4. No changes needed. * /debian/patches: + Drop patch: 001_escape-smarty-exception-messages.patch, included in new upstream release. -- Mike Gabriel Mon, 06 May 2013 10:19:14 +0200 smarty3 (3.1.10-2) unstable; urgency=low * Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch. Closes: #688153. -- Mike Gabriel Sat, 22 Sep 2012 21:32:58 +0200 smarty3 (3.1.10-1) unstable; urgency=low * New upstream release. Closes: #678095. -- Mike Gabriel Tue, 19 Jun 2012 16:41:06 +0200 smarty3 (3.1.8-2) unstable; urgency=low * Package smarty3 provides smarty (closes: #657536). * Make /debian/copyright machine parsable, explicitly names files that have dissenting licenses, license /debian folder under GPLv2+. -- Mike Gabriel Thu, 17 May 2012 00:32:29 +0200 smarty3 (3.1.8-1) experimental; urgency=low * New upstream release (rev. 4611). * New package maintainer (closes: #668200). * Add watch file (closes: #657385). * Add Vcs-* lines to control file. * Add README.source that explains how we obtain code from upstream SVN. Make sure all upstream source files are shipped with the Debian source package (closes: #636148). -- Mike Gabriel Thu, 10 May 2012 10:44:55 +0200 smarty3 (3.1.0-1) experimental; urgency=low * New upstream release (rev. 4284) * Used the code source from subversion (Closes: #636148) * debian/copyright: + added LexerGenerator copyright + added ParserGenerator copyright * Fixed security holes: + multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053, CVE-2010-4722, CVE-2010-4724, CVE-2010-4726) + not consider the umask value when setting the permissions of files (CVE-2009-5054) + not prevent access to the dynamic and private object members of an assigned object (CVE-2010-4723) + not properly handle an on value of the asp_tags option in the php.ini file (CVE-2010-4725) + not properly handle the tags (CVE-2010-4727) -- Thierry Randrianiriana Sat, 17 Sep 2011 21:22:11 +0300 smarty3 (3.0.8-1) unstable; urgency=low * New upstream release (Closes: #631619) * Bumped Standards-Version to 3.9.2 * Updated licence to LGPL-3 -- Thierry Randrianiriana Wed, 20 Jul 2011 11:29:24 +0300 smarty3 (3.0~rc1-2) unstable; urgency=low * Bumped Standards-Version to 3.9.1 * Removed debian/watch -- Thierry Randrianiriana Tue, 21 Sep 2010 14:45:44 +0300 smarty3 (3.0~rc1-1) unstable; urgency=low * Initial release (Closes: #580754) -- Thierry Randrianiriana Sat, 08 May 2010 14:36:04 +0300