acidbase (1.3.6-1) unstable; urgency=low

  * New upstream release.
  * Depends on 'postgresql-client' dummy package, which will always point to
    the latest version. Removed dependencies on specific
    postgresql-client-X.Y packages (Closes: #422019).
  * Updated 12_remove_php_image_graph patch.

 -- David Gil  Mon, 28 May 2007 11:16:30 +0200

acidbase (1.3.5-1) unstable; urgency=low

  * New upstream release.
  * Merged 13_fix_postgresql.dpatch into 01_default_config.dpatch
    + debian/patches/00list: Updated
    + debian/patches/01_default_config.dpatch: Updated
    + debian/patches/13_fix_postgresql.dpatch: Removed

 -- David Gil  Sun, 04 Mar 2007 13:38:54 +0100

acidbase (1.2.7-4) unstable; urgency=low

  * Initial debconf translations:
    - Portuguese (pt), thanks Traduz ML (Closes: #409201)
    - German (de), thanks Matthias Julius (Closes: #408204)
    - Russian (ru), thanks Yuri Kozlov (Closes: #408142)
    - Norwegian (nb), thanks Bjørn Steensru (Closes: #408999)
  * Updated debconf translations:
    - Czech (cs), thanks Miroslav Kure (Closes: #408629)

 -- David Gil  Mon, 05 Feb 2007 14:18:21 +0100

acidbase (1.2.7-3) unstable; urgency=low

  * Complete the list of database clients dependencies needed by
    dbconfig-common.
  * Removed not needed php4-gd | php5-gd dependencies since php-image-graph
    was removed in the last upload.

 -- David Gil  Mon, 25 Dec 2006 14:25:30 +0100

acidbase (1.2.7-2) unstable; urgency=high

  * Urgency high, prevents this package from being removed from sid and
    fixes an RC bug.
  * Remove the dependency on php-image-color (Closes: #402406)
    - remove the link from base_main.php to base_graph_main.php
    - do not include base_graph_form.php in base_main.php
    - modify base_graph_common.php so that it does not complain so loudly
      when Image/Graph is not found. Just say that the functionality is
      currently not available in Debian (due to license issues, point to
      the Bug report) and say that users that need it will have to install
      the PEAR modules.
    - document in NEWS.Debian why the graphs have been removed and when
      they will be reenabled in the front page.
  * Workaround for the name change in dbconfig-common, the base_conf.php
    script will substitute 'pgsql' with 'postgres'. This makes it possible
    to set up a PostgreSQL configuration properly. (Closes: #402868)
  * Introduce a space before the Homepage

 -- Javier Fernandez-Sanguino Pen~a  Tue, 12 Dec 2006 20:16:25 +0100

acidbase (1.2.7-1) unstable; urgency=high

  * New upstream release.

  [ David Gil ]
  * Depend on all database clients supported by the package until a better
    solution is adopted. See bugs #353617, #398634 for the discussion.
    Thanks to Lucas Nussbaum, Andreas Henriksson, Steinar H. Gunderson and
    Sean Finney for their work on this. (Closes: #398619)
  * Updated French debconf template translation (Closes: #395055).
  * RC bug fixed, urgency high.

  [ Javier Fernandez-Sanguino ]
  * Remove extra space in debian/control before the Homepage
  * Add the license and author of the new contrib modules (for using
    snort unified files) included in this base release in debian/copyright

 -- David Gil  Sat, 25 Nov 2006 13:31:27 +0100

acidbase (1.2.6-1) unstable; urgency=low

  * New upstream release.
  * Acknowledge NMU, thanks to Steinar H. Gunderson (Closes: #389544).
  * Updated translations:
    - debian/templates: Don't mark all choices as translatable.
      Applied a patch from Thomas Huriaux, thanks! (Closes: #377636)
    - debian/po/sv.po: Updated Swedish debconf translation.
      Thanks to Daniel Nylander (Closes: #375746).
    - debian/po/es.po: Updated Spanish debconf translation.
    - debian/po/cs.po: Updated Czech debconf translation.
      Thanks to Miroslav Kure (Closes: #389202).
      (This was applied in the last NMU but not commented in the changelog)
  * debian/control: Add extra space before Homepage at package description.

 -- David Gil  Wed, 27 Sep 2006 12:10:29 +0200

acidbase (1.2.5-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Make config and postrm scripts check for the existence of
    dbconfig-common before attempting to use it. (Closes: #388219)

 -- Steinar H. Gunderson  Tue, 26 Sep 2006 12:59:07 +0200

acidbase (1.2.5-1) unstable; urgency=high

  * New upstream release, which includes the following security
    improvements:
    + Added XSSPrintSafe() (array safe htmlspecialchars() function) and
      made filterSql() use ADOdb qmagic()
    + Filtered all unfiltered (mainly auth system stuff) $_POST and $_GET
      variables using filterSql()
    + Sanitized all $_SERVER variables to be protected against XSS attacks
    These improvements fix the following security bugs:
    + Cross-site scripting (XSS) vulnerability (CVE-2006-1590)
      (Closes: #363548).
    + Remote File Inclusion Vulnerabilities (CVE-2006-2685)
      (Closes: #370576).
  * debian/patches/02_update_external_links.dpatch: updated.
  * Applied part of the patch from Paul Wise:
    + Remove short description from long description
    + Update copyright file with more information
  * Bump Standards-Version to 3.7.2 (no policy-related changes needed).
  * Fix an annoying dbconfig-common error: Add dbc_dbtypes variable in
    maintainer scripts, not only in config file. This is related to bug
    #372948 (dbconfig-common: can not determine the database type).
  * Remove ucf file under /etc/acidbase on package purge.

 -- David Gil  Mon, 12 Jun 2006 21:20:37 +0200

acidbase (1.2.4-1) unstable; urgency=high

  * New upstream release, which fixes many bugs including the following
    security bug:
    - base_maintenance.php in BASE before 1.2.4 (melissa), when running in
      standalone mode, allows remote attackers to bypass authentication,
      possibly by setting the standalone parameter to "yes".
      This fixes CVE-2006-1505 (Closes: #361139).
  * Added patch to fix a warning replacing strings in CleanVariable:
    - debian/patches/03_fix_warning_in_CleanVariable.dpatch: added.
    - debian/patches/00list: updated.
  * Now base_conf.php has all its strings quoted with ' instead of ":
    - debian/patches/01_default_config.dpatch: updated.
    - debian/patches/02_update_external_links.dpatch: updated.

  [ Javier Fernandez-Sanguino ]
  * Po-debconf translation updates:
    - Swedish by Daniel Nylander (Closes: #348881)
    - Portuguese by Miguel Figueiredo (Closes: #349597)
    - French by "Steve" (Closes: #351230, #366432)

 -- David Gil  Mon, 03 Apr 2006 12:16:33 +0200

acidbase (1.2.2-1) unstable; urgency=low

  * New upstream release:
    + Fixed issue with signature names (Closes: #352246).
    + Fixed auto-refresh ignored for stat pages.
    + Fixed Sort order issues.
    + Added Portscan Information.
  * First attempt at dbconfig-common support (Closes: #350376).
  * Some templates have been rewritten in order to follow the developers
    reference (Closes: #344052).
  * patches/04_fix_sql_injection.dpatch: dropped, included upstream.

  [ Javier Fernandez-Sanguino ]
  * Update Spanish po-debconf translation

 -- Javier Fernandez-Sanguino Pen~a  Sun, 5 Mar 2006 20:04:58 +0100

acidbase (1.2.1-4) unstable; urgency=low

  * Use dpatch system. Split .diff.gz into the following patches:
    (See patches descriptions for more details)
    - 01_default_config.dpatch
    - 02_update_external_links.dpatch
    - 04_fix_sql_injection.dpatch
    - 08_update_whois_servers.dpatch
    - 11_use_trim_to_avoid_signature_problems.dpatch
  * Use debhelper compat level 5 and update build-dependencies accordingly.
  * Initial Czech debconf translation, thanks Miroslav Kure!
    (Closes: #345309)
  * Fixed "Wrong $DBtype setup" bug: Use 'postgres' instead of 'postgresql'
    in db_type template (Closes: #347291)
  * Updated watch file.

 -- David Gil  Thu, 12 Jan 2006 22:33:16 +0100

acidbase (1.2.1-3) unstable; urgency=low

  * Fixed bug "Can't delete alerts". Don't filter action_chk_lst and
    action_lst http variables since they are arrays, not strings.
    (Closes: #341180)
  * I missed a colon in the last changelog entry, now really
    Closes: #338301.
  * Added debconf templates translation.
    + New Spanish po file.
  * Added watch file

  [ Javier Fernandez-Sanguino Pen~a ]
  * Reformatted debian/README.Debian and fix names that were pointing to
    ACID

 -- David Gil  Fri, 02 Dec 2005 00:23:51 +0100

acidbase (1.2.1-2) unstable; urgency=low

  * Fixed broken searching and graph plotting (Closes #338301)
  * Removed debconf dependencies, ${misc:Depends} takes charge of them.
  * Always ask for webserver configuration in postinst.

 -- David Gil  Sat, 12 Nov 2005 16:03:02 +0100

acidbase (1.2.1-1) unstable; urgency=low

  [ David Gil ]
  * New upstream release.

  [ Javier Fernandez-Sanguino Pen~a ]
  * SECURITY FIX: Add proper filtering in all ImportHTTP variables using
    either the new functions to check for numeric/alphanumeric chars or
    the filterSql() function to prevent SQL injection attacks.
    This patch fixes CVE-2005-3325 but also other attack vectors not
    mentioned in the initial advisory
    (http://www.frsirt.com/english/advisories/2005/2188)
    (Closes: #336788)
  * To reduce the risk of possible vulnerabilities in the code, made the
    default apache.conf allow access only from localhost and document this
    in the (new) README.Debian file
  * Added dependency on "debconf | debconf-2.0"
  * Added alternative DNS lookups at Sam Spade
  * Changed default alert database in debconf prompt to 'snort_log'

 -- David Gil  Mon, 31 Oct 2005 15:41:55 +0100

acidbase (1.2-2) unstable; urgency=low

  * SECURITY FIX: SQL injection vulnerability (CVE-2005-3325)
    (Closes: #335998)
  * Install Apache configuration file if it is not present.

 -- David Gil  Sat, 29 Oct 2005 12:19:10 +0200

acidbase (1.2-1) unstable; urgency=low

  * New upstream release.
  * debian/copyright: Updated fsf's address.
  * debian/postinst: Fixed bashism (Used [] && [] instead of [ -a ]).

 -- David Gil  Mon, 17 Oct 2005 08:33:44 +0200

acidbase (1.1.4-2) unstable; urgency=low

  * Add /usr/share/php to apache configuration so that the Image_Graph
    libraries are included too
  * Fixed FSF address
  * Removed bashism from maintainer script

 -- Javier Fernandez-Sanguino Pen~a  Tue, 11 Oct 2005 23:49:58 +0200

acidbase (1.1.4-1) unstable; urgency=low

  [ David Gil ]
  * Initial release (Closes: #323923, #319389).
  * Add an Apache configuration file to Alias /acidbase.
  * Package configuration through debconf.
  * Modify sources so that they use a configuration file which is
    installed at /etc/acidbase/base_conf.php (owned by root, group
    www-data and mode 0640 since it contains sensitive information)

  [ Javier Fernandez-Sanguino Pen~a ]
  * Applied patches included in the acidlab package that apply to
    this package too:
    - acidlab.011.diff: Added trim() to GetSingleSignatureReference in
      order to avoid problems when signatures contain spaces (this happens
      with snortcenter)
    - acidlab.008.diff: update Whois servers' IP addresses (was Debian
      Bug #183623)
  * Fixed location of signatures for Nessus (although the previous link
    works) and for ICAT (it is now the NVD - National Vulnerability
    Database)

 -- David Gil  Wed, 24 Aug 2005 17:07:16 +0200