spip (3.0.17-2+deb8u4) jessie-security; urgency=medium

  * Update security screen to 1.3.6
  * Backport security fixes from 3.0.27
    - Secure inserted URL in anchors
    - Secure URLs sent by self()
    - Escape charset in error message
    - Allow filter mode to be passed in interdire_scripts()
    - No onclick nor JS popup in footer
    - [Privacy] add rel attribute (noopener noreferrer) in private footer
    - PHP injection via XML file

 -- David Prévot  Sun, 10 Jun 2018 19:15:29 -1000

spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

 -- David Prévot  Wed, 26 Apr 2017 18:02:00 -1000

spip (3.0.17-2+deb8u2) jessie-security; urgency=high

  * Backport security fixes from 3.0.22
    - PHP code injection [CVE-2016-3153]
    - Objects injection via unserialize [CVE-2016-3154]
  * Update security screen to 1.2.4

 -- David Prévot  Thu, 10 Mar 2016 19:18:09 -0400

spip (3.0.17-2+deb8u1) jessie; urgency=medium

  * Track Jessie
  * Backport XSS fixes in private content from 3.0.21

 -- David Prévot  Sun, 01 Nov 2015 15:34:00 -0400

spip (3.0.17-2) unstable; urgency=medium

  [ Frans Spiesschaert ]
  * Add Dutch translation of debconf messages (Closes: #766642)

  [ David Prévot ]
  * Update copyright
  * Bump standards version to 3.9.6
  * Document current Git branch

 -- David Prévot  Sat, 25 Oct 2014 20:52:36 -0400

spip (3.0.17-1) unstable; urgency=medium

  * Depend on php-pclzip instead of libphp-pclzip
  * Document a lintian false positive
  * Imported Upstream version 3.0.17

 -- David Prévot  Wed, 13 Aug 2014 11:51:43 -0400

spip (3.0.16-1) unstable; urgency=medium

  * Update mutualisation to 1.2.2
  * Update copyright years
  * Imported Upstream version 3.0.16

 -- David Prévot  Thu, 13 Mar 2014 16:01:09 -0300

spip (3.0.15-1) unstable; urgency=medium

  * Document fixed security issue in 3.0.13
  * Imported Upstream version 3.0.15

 -- David Prévot  Fri, 21 Feb 2014 19:58:54 -0400

spip (3.0.14-1) unstable; urgency=medium

  * Imported Upstream version 3.0.14
  * Update mutualisation (PHP < 5.3 compat)
  * Update copyright years

 -- David Prévot  Sun, 19 Jan 2014 17:32:35 -0400

spip (3.0.13-1) unstable; urgency=low

  * Upload to unstable: Jessie will not be released with 2.1
  * Document CVE in previous changelog entries
  * Imported Upstream version 3.0.13:
    - Fix XSS on signature from author [CVE-2013-7303] (Closes: #736170)

 -- David Prévot  Tue, 12 Nov 2013 13:29:59 -0400

spip (3.0.12-1) experimental; urgency=low

  * Imported Upstream version 3.0.12 (Closes: #729172):
    - Fix XSS on author page [CVE-2013-4556]
  * Update security screen to 1.1.8:
    - Avoid PHP injection in $connect [CVE-2013-4557]
  * Use embedded jQuery ColorBox outdated version: The current code actually
    depends on this version, and it doesn’t work well with the version from
    the Debian package
  * Recommend php5-sqlite, needed for DB export
  * Handle patch set with gbp pq
  * Update mutualisation’s translations
  * Bump standards version to 3.9.5
  * Use uglifyjs instead of yui-compressor
  * Remove now useless README.source

 -- David Prévot  Sat, 09 Nov 2013 15:42:46 -0400

spip (3.0.11-1) experimental; urgency=low

  * Imported Upstream version 3.0.11
  * Update mutualisation’s copyright

 -- David Prévot  Fri, 09 Aug 2013 22:45:09 +0200

spip (3.0.10-2) experimental; urgency=low

  * libjs-flot has been renamed into libjs-jquery-flot
  * Transition towards apache 2.4 (Closes: #669794)
  * Make symlinks relative (Policy 10.5)
  * Enable /spip alias by default
  * Make multisite.php PHP 5.5 compatible
  * Refer to Apache-2.0 from /usr/share/common-licenses
  * Update mutualisation to 1.2.1

 -- David Prévot  Wed, 17 Jul 2013 18:04:10 -0400

spip (3.0.10-1) experimental; urgency=low

  * Imported Upstream version 3.0.10:
    - Fix CSRF on logout [CVE-2013-4555]
  * Document CVE in previous changelog entry

 -- David Prévot  Mon, 27 May 2013 15:46:39 -0400

spip (3.0.9-1) experimental; urgency=low

  * New upstream version: fix privilege escalation (Closes: #709674)
    [CVE-2013-2118]
  * Minify new prive/javascript/login-sha-min.js at build time

 -- David Prévot  Fri, 24 May 2013 22:25:48 -0400

spip (3.0.8-1) experimental; urgency=low

  * New major upstream version
  * The web server should point to /usr/share/spip instead of /var/lib/spip
  * security screen now part of upstream tarball
  * extensions has moved into plugins-dist
  * squelettes-dist now installed in /usr/share/spip
  * debian/control:
    - Depends on libjs-excanvas, libjs-ie7, libjs-flot,
      libjs-jquery-colorbox, libjs-jquery-ui, libphp-pclzip,
      php-xml-htmlsax3, and w3c-dtd-xhtml
    - Build-Depends on yui-compressor
  * debian/rules:
    - Delete new unneeded files
    - Delete embedded copies and symlink to the new dependencies
    - Minify JavaScript files
    - Make dh_fixperms a bit more aggressive
  * debian/copyright: Update
  * debian/links, debian/repack.sh:
    - Adapt to safehtml move
    - Delete sourceless files from ie7-js
  * debian/patches/: Refresh patches
  * debian/examples: Move mutualisation/outils to examples
  * debian/README.source:
    - Renamed from debian/README.Debian-source
    - Document get-orig-source target ie7-js removal

 -- David Prévot  Tue, 07 May 2013 14:55:09 -0400

spip (2.1.21-1) unstable; urgency=low

  * New upstream version: various minor bugs fixed
  * debian/control:
    - Vcs-Git and Vcs-Browser updated to the Git repository
    - Bump standards to 3.9.4
  * debian/patches/: Refresh patches
  * debian/templates: Remove mention of old apache and apache-ssl

 -- David Prévot  Tue, 07 May 2013 13:21:53 -0400

spip (2.1.20-1) experimental; urgency=low

  * New upstream version: various minor bugs fixed
  * debian/repack.sh: Automatise repack
  * debian/copyright: Update year
  * debian/patches/dont_display_next_version.patch: Refresh patch
  * debian/patches/fix_displayed_version.patch, debian/rules: Improve
    version substitution
  * Update security screen file to 1.1.5

 -- David Prévot  Tue, 02 Apr 2013 15:13:52 -0400

spip (2.1.19-1) experimental; urgency=low

  * New upstream version:
    - #PARAMETRE_FORUM fix;
    - various partial backup fixes;
    - 42 new document types;
    - array shortcut bug fix.
  * Update security screen file to 1.1.4.
  * Update mutualisation to r67950.
  * Remove now useless preinst.

 -- David Prévot  Mon, 26 Nov 2012 21:13:40 -0400

spip (2.1.17-1) unstable; urgency=low

  * New upstream version, fixes base disclosure (Closes: #683667).

 -- David Prévot  Thu, 02 Aug 2012 12:34:29 -0400

spip (2.1.16-1) unstable; urgency=high

  * New upstream version:
    - fixes PHP injection (Closes: #680118);
    - fixes growing session directory;
    - fixes PHP 5.4 compatibility.
  * Update security screen file to 1.1.3.

 -- David Prévot  Wed, 04 Jul 2012 08:42:01 -0400

spip (2.1.15-1) unstable; urgency=high

  * New upstream version, fixes cross site scripting. Closes: #677290
  * Update security screen file to 1.1.2.

 -- David Prévot  Tue, 12 Jun 2012 19:16:49 -0400

spip (2.1.14-2) unstable; urgency=low

  * Don't display next upstream version in the private interface.
  * Make the copyright compliant to format 1.0.

 -- David Prévot  Wed, 06 Jun 2012 17:04:42 -0400

spip (2.1.14-1) unstable; urgency=low

  * New upstream version, fixes cross site scripting. Closes: #672961
  * Update security screen file to 1.1.0.
  * Add CVE number to previous entry (#671264 related).

 -- David Prévot  Mon, 14 May 2012 21:12:03 -0400

spip (2.1.13-1) unstable; urgency=high

  * New upstream version, fixes cross site scripting. [CVE-2012-2151]
    Closes: #670110
  * Fix path in README. Closes: #651157
  * Document more installation steps (partially address: #612467).
  * Add DEP-3 compliant headers.
  * Fix displayed version in the private interface.
  * Bumped standards to 3.9.3.
  * Update copyright.
  * Move more links from debian/rules to debian/links.
  * Update security screen file to 1.0.10.
  * Update mutualisation.

 -- David Prévot  Sun, 22 Apr 2012 22:02:42 -0400

spip (2.1.12-1) unstable; urgency=high

  * New upstream release, fixes privilege escalation and cross site
    scripting. Closes: #649113
  * Add self as uploader.
  * Bumped standards to 3.9.2.
  * Depend on and use fonts-dustin, libjs-jquery-cookie and
    libjs-jquery-form instead of shipped ones.
  * Use dh 7.
  * Update security screen file to 1.0.6.

 -- David Prévot  Thu, 17 Nov 2011 17:53:48 -0400

spip (2.1.11-0.1) unstable; urgency=low

  * Non-maintainer upload.

  [ Romain Beauxis ]
  * New upstream release. Closes: #646758
  * Switch to dpkg-source 3.0 (quilt) format.

  [ David Prévot ]
  * Add Vcs-* control fields.
  * Added da.po debconf translation, thanks to Joe Hansen. Closes: #623103

 -- David Prévot  Wed, 26 Oct 2011 18:14:12 -0400

spip (2.1.1-3) unstable; urgency=high

  * Added security screen file (ecran_securite.php). Fixes all known
    security issues in spip. Closes: #609212, Closes: #610016

 -- Romain Beauxis  Tue, 18 Jan 2011 14:01:35 -0600

spip (2.1.1-2) unstable; urgency=high

  * Added patch to fix int overflow in articles' published date. Thanks to
    David Prévot for reporting. Closes: #597026

 -- Romain Beauxis  Sat, 18 Sep 2010 15:08:53 -0500

spip (2.1.1-1) unstable; urgency=low

  * New upstream release.
  * Bumped standards to 3.9.0

 -- Romain Beauxis  Tue, 03 Aug 2010 15:29:14 -0500

spip (2.1-6) unstable; urgency=low

  * There is no need to add a link to common/ in each site's plugin
    directory.

 -- Romain Beauxis  Wed, 23 Jun 2010 02:03:09 +0200

spip (2.1-5) unstable; urgency=high

  * Added es.po debconf translation, thanks to Ricardo Fraile.
    Closes: #580617
  * Fixed safehtml class instantiation to use the packaged one. This issue
    led to failures so setting priority to high to propagate quickly.

 -- Romain Beauxis  Sat, 05 Jun 2010 22:25:18 -0500

spip (2.1-4) unstable; urgency=low

  * Added a themes/ directory to install optional themes.
  * Removed special chmod.php file not needed after the changes in the
    previous upload.
  * Now multisite can be defined using regexp.
  * Install missing extensions/
  * Added debian/watch.

 -- Romain Beauxis  Tue, 04 May 2010 11:05:59 -0500

spip (2.1-3) unstable; urgency=low

  * Fixed default rights for created directories and files.
  * Fixed default directory for automatically installed plugins.
  * Enabled short images option by default.

 -- Romain Beauxis  Thu, 29 Apr 2010 17:47:04 -0500

spip (2.1-2) unstable; urgency=low

  * Fixed plugins and mutualisation: the variable _DIR_PLUGINS in
    mes_options.php is now called _DIR_PLUGINS_SUPPL
  * Fixed url_img_courtes. Thanks to David Prévot for reporting and
    proposing a patch. Closes: #577274

 -- Romain Beauxis  Fri, 16 Apr 2010 17:14:11 -0500

spip (2.1-1) experimental; urgency=low

  * New upstream release.
  * Removed safehtml patch, replaced by a symlink.
  * Bumped standards to 3.8.4
  * There is a bug with the mutualisation and the plugins so uploading to
    experimental for now.

 -- Romain Beauxis  Mon, 12 Apr 2010 02:44:56 +0200

spip (2.0.10-1) unstable; urgency=low

  * New upstream release.
  * Bumped standards version to 3.8.3

 -- Romain Beauxis  Thu, 05 Nov 2009 16:08:03 -0600

spip (2.0.9-1) unstable; urgency=high

  * New upstream release, fixing security issue.
    See: http://www.spip-contrib.net/SPIP-Security-Alert-new-version
    for more details.

 -- Romain Beauxis  Sun, 09 Aug 2009 11:13:15 -0500

spip (2.0.8-3) unstable; urgency=low

  * Fixed bashism in spip_rm_site script. Closes: #535885

 -- Romain Beauxis  Fri, 31 Jul 2009 02:26:58 +0200

spip (2.0.8-2) unstable; urgency=low

  * Fix bashism in spip_add_site Closes: #530193
  * Added description of what exactly is SPIP in long description.
    Closes: #521682

 -- Romain Beauxis  Fri, 19 Jun 2009 01:24:03 +0200

spip (2.0.8-1) unstable; urgency=low

  * New upstream release.
  * Bumped standards version to 3.8.2
  * Bumped compat to 7

 -- Romain Beauxis  Mon, 08 Jun 2009 17:40:44 +0200

spip (2.0.7-1) unstable; urgency=high

  * New upstream release.
  * This release fixes security issues, hence setting urgency to high.
  * Added extra security options for apache2.conf

 -- Romain Beauxis  Wed, 15 Apr 2009 23:34:13 -0400

spip (2.0.6-2) unstable; urgency=low

  * Fixed alias in apache.conf.

 -- Romain Beauxis  Wed, 18 Mar 2009 09:07:33 +0100

spip (2.0.6-1) unstable; urgency=low

  * New upstream release.
  * Initial upload to unstable.

 -- Romain Beauxis  Tue, 17 Mar 2009 20:05:14 +0100

spip (2.0.5-1) experimental; urgency=low

  * New upstream version.
  * Should upload to unstable quite soon.

 -- Romain Beauxis  Fri, 06 Mar 2009 20:06:46 +0100

spip (2.0.3-1) experimental; urgency=low

  * New upstream release.
  * Added Italian debconf translations, thanks to Vincenzo Campanella !
    Closes: #510291
  * Added Basque debconf translations, thanks to Piarres Beobide !
    Closes: #510299
  * Added Czech debconf translations, thanks to Martin Šín !
    Closes: #510301
  * Added Swedish debconf translations, thanks to Martin Bagge !
    Closes: #510302
  * Added Finnish debconf translations, thanks to Esko Arajärvi !
    Closes: #510384
  * Added Galician debconf translations, thanks to Marce Villarino !
    Closes: #510391
  * Added German debconf translations, thanks to Helge Kreutzmann !
    Closes: #510541
  * Added Portuguese debconf translations, thanks to Miguel Figueiredo !
    Closes: #510640
  * Added Japanese debconf translations, thanks to Hideki Yamane !
    Closes: #510892
  * Added French debconf translations, thanks to Jean Guillou !
    Closes: #511008
  * Added Russian debconf translations, thanks to Yuri Kozlov !
    Closes: #512165

 -- Romain Beauxis  Sun, 18 Jan 2009 22:00:35 +0100

spip (2.0.2-1) experimental; urgency=low

  * New upstream release.

 -- Romain Beauxis  Wed, 31 Dec 2008 04:18:22 +0100

spip (2.0.0-1) experimental; urgency=low

  * First release of the 2.0 branch !
  * Moved dist/ to squelettes-dist/, added preinst maintainer script to
    handle that when upgrading from previous package.
  * Updated debian/copyright with GPL version 3 or above.

 -- Romain Beauxis  Sat, 13 Dec 2008 03:25:47 +0100

spip (2.0.0~beta12262-2) experimental; urgency=low

  * Fixed safehtml inclusion patch

 -- Romain Beauxis  Tue, 19 Aug 2008 11:56:54 +0200

spip (2.0.0~beta12262-1) experimental; urgency=low

  * New upstream release, first beta for 2.0.0 release
  * Added options details for mes_options.php
  * Added apache2.conf virtual host configuration file example
  * Depends and use libjs-jquery instead of shipped one
  * Partially fixed default mod for created file

 -- Romain Beauxis  Thu, 31 Jul 2008 01:34:34 +0200

spip (1.9.3~svn12054-1) experimental; urgency=low

  * New upstream release.
  * Updated standards version.

 -- Romain Beauxis  Sun, 13 Jul 2008 17:18:06 +0200

spip (1.9.3~svn11347-2) experimental; urgency=low

  * Added plugins support and directories

 -- Romain Beauxis  Thu, 27 Mar 2008 12:16:26 +0100

spip (1.9.3~svn11347-1) experimental; urgency=low

  * New svn snapshot
  * Added recommends to image conversion tools supported.

 -- Romain Beauxis  Tue, 29 Jan 2008 02:49:10 +0100

spip (1.9.3~svn11152-1) experimental; urgency=low

  * New upstream release
  * Updated standards to 3.7.3

 -- Romain Beauxis  Tue, 29 Jan 2008 02:38:39 +0100

spip (1.9.3~svn10413-2) experimental; urgency=low

  * Patched source to work with php-html-safe

 -- Romain Beauxis  Wed, 10 Oct 2007 02:58:22 +0200

spip (1.9.3~svn10413-1) experimental; urgency=low

  * Initial release (Closes: #426069)
  * Temporarily removed file HTMLSax3.php

 -- Romain Beauxis  Tue, 25 Sep 2007 00:31:03 +0200