fex (20100208+debian1-1+squeeze4) squeeze-lts; urgency=high

  * Non-maintainer upload by the Squeeze LTS Team.
  * [CVE-2014-3875]:
    When inserting encoded newline characters into a request to rup,
    additional HTTP headers can be injected into the reply, as well
    as new HTML code on the top of the website.
  * [CVE-2014-3876]:
    The parameter akey is reflected unfiltered as part of the HTML
    page. Some characters are forbidden in the GET parameter due
    to filtering of the URL, but this can be circumvented by using
    a POST parameter.
    Nevertheless, this issue is exploitable via the GET parameter
    alone, with some user interaction.
  * [CVE-2014-3877]:
    The parameter addto is reflected only slightly filtered back to
    the user as part of the HTML page. Some characters are forbidden
    in the GET parameter due to filtering of the URL, but this can
    be circumvented by using a POST parameter. Nevertheless, this
    issue is exploitable via the GET parameter alone, with some user
    interaction.

 -- Thorsten Alteholz <debian@alteholz.de>  Tue, 30 Sep 2014 19:00:33 +0200

fex (20100208+debian1-1+squeeze3) stable-security; urgency=high

  * Fixup for last upload. (Missing initialization, Closes: #660828)

 -- Kilian Krause <kilian@debian.org>  Thu, 23 Feb 2012 15:39:33 +0100

fex (20100208+debian1-1+squeeze2) stable-security; urgency=high

  * Add debian/patches/08_xss.patch (backported from and by upstream) to fix
    XSS (Closes: #660621) - CVE-2012-0869

 -- Kilian Krause <kilian@debian.org>  Tue, 21 Feb 2012 11:14:34 +0100

fex (20100208+debian1-1+squeeze1) squeeze-security; urgency=high

  * Add debian/patches/07_fup.patch (backported from upstream):
    Security update for cgi-bin/fup to not allow everyone to upload files with
    empty auth-ID (fixes CVE-2011-1409)
  * Put myself into Uploaders

 -- Kilian Krause <kilian@debian.org>  Fri, 10 Jun 2011 14:31:48 +0200

fex (20100208+debian1-1) unstable; urgency=low

  * [7850750] Imported Upstream version 20100208+debian1
  * [321d092] Refreshed patches
  * [9580c42] Updated README.source
  * [178490b] fex-utils description: indent the binary list with two
    spaces. - thanks to Gerfried Fuchs
  * [832b114] Fix a typo in short description. - thanks to Ullrich
    Horlacher

 -- Giuseppe Iuculano <iuculano@debian.org>  Wed, 03 Mar 2010 17:11:38 +0100

fex (20091210+debian0-2) unstable; urgency=low

  * [c977b32] Fixed a bug in the mailer, sendmail syntax was wrong
  * [edc6f17] bin/fac: use VISUAL and EDITOR environment variables. If
    neither of the environment variables is defined, then the default
    editor /usr/bin/editor is used.

 -- Giuseppe Iuculano <iuculano@debian.org>  Sun, 07 Feb 2010 18:36:28 +0100

fex (20091210+debian0-1) unstable; urgency=low

  * Initial release (Closes: #495973)

 -- Giuseppe Iuculano <iuculano@debian.org>  Sun, 31 Jan 2010 21:39:04 +0100