drupal (5.1-0ubuntu2.3) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: 181984)
    - SA-2007-031: SQL injection possible when certain contributed modules
      are enabled
    - SA-2008-005: Cross site request forgery
    - SA-2008-006: Cross site scripting (UTF8)
  * References:
    - SA-2007-031: http://drupal.org/node/198162
                   http://drupal.org/node/198321 (fix for first patch)
    - SA-2008-005: http://drupal.org/node/208562 (fixed launchpad debdiff)
    - SA-2008-006: http://drupal.org/node/208564

 -- Emanuele Gentili  Wed, 16 Jan 2008 01:29:22 +0100

drupal (5.1-0ubuntu2.2) feisty-security; urgency=low

  * SECURITY UPDATE: Drupal 5.1 and 5.2 have several security issues, these
    are:
    + CVE-2007-5593: install.php in Drupal 5.x before 5.3, when the
      configured database server is not reachable, allows remote attackers
      to execute arbitrary code via vectors that cause settings.php to be
      modified.
    + CVE-2007-5594: Drupal 5.x before 5.3 does not apply its Drupal Forms
      API protection against the user deletion form, which allows remote
      attackers to delete users via a cross-site request forgery (CSRF)
      attack.
    + CVE-2007-5595: CRLF injection vulnerability in the drupal_goto
      function in includes/common.inc in Drupal 4.7.x before 4.7.8 and 5.x
      before 5.3 allows remote attackers to inject arbitrary HTTP headers
      and conduct HTTP response splitting attacks via unspecified vectors.
    + CVE-2007-5596: The core Upload module in Drupal 4.7.x before 4.7.8
      and 5.x before 5.3 places the .html extension on a whitelist, which
      allows remote attackers to conduct cross-site scripting (XSS) attacks
      by uploading .html files.
    + CVE-2007-5597: The hook_comments API in Drupal 4.7.x before 4.7.8 and
      5.x before 5.3 does not pass publication status, which might allow
      attackers to bypass access restrictions and trigger e-mail with
      unpublished comments from some modules, as demonstrated by
      (1) Organic groups and (2) Subscriptions.
  * debian/patches/23_SA-2007-025-5.2.dpatch:
    - Applied fix from upstream
      (http://drupal.org/files/sa-2007-025/SA-2007-025-5.2.patch)
  * debian/patches/25_SA-2007-029-5.2.dpatch:
    - Applied fix from upstream
      (http://drupal.org/files/sa-2007-029/SA-2007-029-5.2.patch)
  * debian/patches/22_SA-2007-024-5.2.dpatch:
    - Applied fix from upstream
      (http://drupal.org/files/sa-2007-024/SA-2007-024-5.2.patch)
  * debian/patches/24_SA-2007-026-5.2.dpatch:
    - Applied fix from upstream
      (http://drupal.org/files/sa-2007-026/SA-2007-026-5.2.patch)
  * debian/patches/26_SA-2007-030-5.2.dpatch:
    - Applied fix from upstream
      (http://drupal.org/files/sa-2007-030/SA-2007-030-5.2.patch)
  * References: CVE-2007-5593 CVE-2007-5594 CVE-2007-5595 CVE-2007-5596
    CVE-2007-5597

 -- Stephan Hermann  Tue, 13 Nov 2007 10:39:28 +0100

drupal (5.1-0ubuntu2.1) feisty-security; urgency=low

  * SECURITY UPDATE: Drupal 5.1 has some security flaws, which were
    detected. Those were remote exploits, namely
    - Multiple cross site request forgeries
    - Multiple cross site scripting vulnerabilities
    + Further readings: http://drupal.org/node/162364
  * debian/patches/*
    - Added 20_SA-2007-017-5.1.dpatch, which fixes the cross site request
      forgeries
    - Added 21_SA-2007-018-5.1.dpatch, which fixes the cross site scripting
      vulnerabilities
  * References:
    + Drupal Advisories:
      - http://drupal.org/node/162360 (SA-2007-017-5.1)
      - http://drupal.org/node/162361 (SA-2007-018-5.1)
    + CVE:
      - CVE-2007-4064 (Cross Site Scripting Vulnerability)
      - CVE-2007-4063 (Cross Site Forgery)

 -- Stephan Hermann  Thu, 06 Sep 2007 17:30:34 +0200

drupal (5.1-0ubuntu2) feisty; urgency=low

  * Rename postgresql-server-8.2 to postgresql-8.2, as the former doesn't
    exist. (LP: #106540)

 -- Luke Yelavich  Sat, 14 Apr 2007 23:27:34 +1000

drupal (5.1-0ubuntu1) feisty; urgency=low

  * New upstream release.
  * debian/control:
    - Changed maintainer field, and added XSBC-Original_Maintainer field.
    - Removed all php4 dependencies.
    - Added php5-gd dependency for graphics.
    - Changed exim4 dependency to postfix.
    - Adjusted postgresql dependencies and recommends.
    - Fixed slight grammatical error in package long description.
    - Added homepage.
  * debian/drupal-5.1*: Renamed and modified for drupal 5.1.
  * debian/drupal-5.1.postinst: Add curl command-line to use drupal's
    install script to populate the database.
  * debian/rules:
    - Refined, so that version number only has to be changed once per new
      upstream release.
    - Removed copying of database files.
  * debian/patches/10_cronjob.dpatch: Modified to patch against drupal 5.1,
    and added patch description.
  * debian/etc/*: Updated for drupal 5.1.
  * debian/README.Debian: revised.
  * Set apache2 as default web server.

 -- Luke Yelavich  Mon, 12 Mar 2007 16:49:04 +1100

drupal (4.7.6-1) unstable; urgency=low

  * New upstream release
    - Fixes Arbitrary Code Execution (SA-2007-005) (Ref: CVE-TOBEASSIGNED)

 -- Luigi Gangitano  Tue, 30 Jan 2007 03:03:21 +0100

drupal (4.7.5-2) unstable; urgency=low

  [ Luigi Gangitano ]
  * debian/control
    - Bumped Standards-Version to 3.7.2 (no change needed)
    - Removed dependency on postgsql-{client,server}-8.0 which is not in the
      archive anymore
    - Removed Suggests: on ssl enabled apache
    - Removed strict dependency on apache*, added dependency on
      httpd | apache
  * debian/watch
    - Added debian watch file
  * Translations
    - Updated Dutch translations by Bart Cornelis

 -- Bart Cornelis (cobaco)  Tue, 23 Jan 2007 11:50:45 +0100

drupal (4.7.5-1) unstable; urgency=low

  * New upstream release
    - Fixes Denial of Service (DRUPAL-SA-2007-002) (Ref: CVE-2007-0124)
    - Fixes CSS Vulnerability (DRUPAL-SA-2007-001) (Ref: CVE-2007-0136)

 -- Luigi Gangitano  Sun, 7 Jan 2007 00:33:33 +0100

drupal (4.7.4-3) unstable; urgency=low

  * debian/po/fr.po
    - Updated French debconf templates translation (Thanks to Thomas
      Huriaux) (Closes: #404967)
  * debian/control
    - Add php5 dependency (Closes: #405162)

 -- Luigi Gangitano  Sun, 7 Jan 2007 00:13:36 +0100

drupal (4.7.4-2) unstable; urgency=low

  * debian/control
    - Fixed dependency on postgresql-client
    - Removed dependency on makepasswd (not needed since we use
      dbconfig.common)
    - Removed dependency on php4-cli (not needed with new cron script)
    - Promote Recommends: php4 to Depends: php4
  * debian/etc/settings.php
    - Fix warning if baseurl.php does not exist
  * debian/copyright
    - Fixed copyright information as requested by ftp-master

 -- Luigi Gangitano  Tue, 5 Dec 2006 15:37:25 +0100

drupal (4.7.4-1) unstable; urgency=low

  * Prepare package for new inclusion in Debian
    - Thanks to Karl-Heinz Nirschl for keeping this package in his
      repository and allowing me to start from his work
    - Change (binary) package name to drupal-4.7 allowing for multiple
      versions to be installed concurrently, so admins can control upgrade
      between releases
    - Add dependency on dbconfig-common and switch custom config script to
      use functions provided by dbconfig-common (Closes: #366692)
    - Removed unused templates
    - Added dependency on curl for cron script execution
    - Take over removal request (Closes: #375496)
    - Update to latest revision (Closes: #307821, #365047, #365709)

 -- Luigi Gangitano  Thu, 23 Nov 2006 21:53:19 +0100

drupal (4.7.4-0brainlog1) unstable; urgency=low

  * new upstream release because patches do not apply cleanly
  * fixes: DRUPAL-SA-2006-024, DRUPAL-SA-2006-025, DRUPAL-SA-2006-026

 -- Karl-Heinz Nirschl  Fri, 20 Oct 2006 19:26:16 +0200

drupal (4.7.2-0brainlog4) unstable; urgency=low

  * add security fix DRUPAL-SA-2006-011 XSS Vulnerability in user module
  * move scripts dir to doc

 -- Karl-Heinz Nirschl  Thu, 3 Aug 2006 19:46:57 +0200

drupal (4.7.2-0brainlog3) unstable; urgency=low

  * fix initial database generation - now checks for mysql version

 -- Karl-Heinz Nirschl  Sat, 8 Jul 2006 13:13:12 +0200

drupal (4.7.2-0brainlog2) unstable; urgency=low

  * Using a fresh tarball and no .svn files.
  * Fix x. permissions.
  * Use debian mysql maint password for mysql install

 -- Tzafrir Cohen  Fri, 7 Jul 2006 15:59:41 +0300

drupal (4.7.2-0brainlog1) unstable; urgency=low

  * new upstream release
  * add patch handling to package
    - make cron job less verbose

 -- Karl-Heinz Nirschl  Fri, 16 Jun 2006 17:13:50 +0200

drupal (4.7.1-0brainlog1) unstable; urgency=low

  * new upstream version

 -- Karl-Heinz Nirschl  Mon, 29 May 2006 14:01:48 +0200

drupal (4.6.5-0brainlog1) unstable; urgency=low

  * update to drupal 4.6.5 (new upstream)

 -- Karl-Heinz Nirschl  Mon, 29 May 2006 13:58:55 +0200

drupal (4.6.3-0brainlog1) unstable; urgency=low

  * New upstream version (Closes: #307821)
  * based on the drupal 4.5.2-4 debian package
  * remove the auto update database stuff
  * added debconf entry for the base_url

 -- Karl-Heinz Nirschl  Thu, 29 Sep 2005 19:10:17 +0200

drupal (4.5.2-4) unstable; urgency=low

  * [Miguel Figueiredo] Added Portuguese translation (Closes: #301394)
  * [Valentina Commissari] Added Italian translation (Closes: #301946)
  * [Gleydson Mazioli da Silva] Updated Brazilian Portuguese translation.
  * Fixed typo in package description (Closes: #306997)

 -- Hilko Bengen  Thu, 19 May 2005 21:23:27 +0200

drupal (4.5.2-3) unstable; urgency=high

  * Fixes "Bypass access via comments" problem mentioned in
    http://drupal.org/node/19009. Patch from Gerhard Killesreiter, thanks.
    I consider this a critical bug, hence urgency=high.
  * [Sergio Talens-Oliag] Updated Spanish and Catalan Debconf translations
    and converted them to UTF-8.

 -- Hilko Bengen  Tue, 22 Mar 2005 11:14:36 +0100

drupal (4.5.2-2) unstable; urgency=low

  * Changed includes/bootstrap.inc: conf.php (or $site.php) is loaded from
    /etc/drupal directly, without the need for any link.
  * Removed indentations from sed script which is used to edit the
    configuration file.
  * Rolled back session.inc to version found in 4.5.1; fixes bug documented
    in http://drupal.org/node/15666
  * Added documentation about manual update procedure in README.Debian and
    Debconf templates (Closes: #293804)
  * Added documentation about adding modules and themes that are not part
    of the package.
  * NEWS.Debian mentions where to get Marvin and UnConeD themes that used
    to be part of the Drupal distribution.

 -- Hilko Bengen  Tue, 15 Mar 2005 15:16:26 +0100

drupal (4.5.2-1) unstable; urgency=low

  * New upstream version (Closes: #290745; That was fast, wasn't it?)
  * Updates Japanese Debconf template, thanks to Hideki Yamane
    (Closes: #290439)
  * The config file /etc/drupal/conf.php is only generated if it hasn't
    existed. It is no longer edited.

 -- Hilko Bengen  Sun, 16 Jan 2005 14:49:50 +0100

drupal (4.5.1-2) unstable; urgency=low

  * /etc/drupal/conf.php is no longer a conffile (Closes: #289624)
  * Should install with mysql-client-4.1 now (Closes: #285733)

 -- Hilko Bengen  Wed, 12 Jan 2005 02:16:28 +0100

drupal (4.5.1-1) unstable; urgency=low

  * New upstream version (Closes: #277547, #289216, #278345)
  * Marvin and UnConeD have been split off into separate packages, as they
    are not officially supported by upstream any longer.
  * Added Japanese Debconf template (Closes: #288040)

 -- Hilko Bengen  Sun, 9 Jan 2005 04:21:03 +0100

drupal (4.4.2-2) unstable; urgency=low

  * Bump version dependency to 0.0.37 where better support for PostgreSQL
    is included (Closes: 263730)
  * Another patch to node.module for DB-independence (Closes: 258015)

 -- Hilko Bengen  Wed, 18 Aug 2004 00:39:58 +0200

drupal (4.4.2-1) unstable; urgency=low

  * New upstream bugfix release
    - PostgreSQL support fixed in node.module (Closes: #258015, #258016)
  * Fixed sed statement in postinst so it will work with woody's sed.
    (Closes: #257529)
  * Depends: sharutils (Closes: #258156)
  * Cron script checks whether /usr/share/drupal/scripts/cron.sh exists
    and is executable (Closes: #251853)

 -- Hilko Bengen  Tue, 20 Jul 2004 00:03:06 +0200

drupal (4.4.1-3) unstable; urgency=low

  * Included Marvin and Unconed themes from contrib (Closes: #255039)

 -- Hilko Bengen  Mon, 28 Jun 2004 14:34:40 +0200

drupal (4.4.1-2) unstable; urgency=high

  * Applied admin_node.patch from against the "Invalid argument supplied
    for foreach() in /usr/share/drupal/modules/node.module" error
    (Closes: #242992)
  * Fixed removal of links in webserver directories
  * Shut up cron.sh (Closes: #251853)
  * Install misc/ directory (images and css) (Closes: #253550)
  * Fixed PostgreSQL removal, added some docs (Closes: #253282)

 -- Hilko Bengen  Thu, 10 Jun 2004 16:06:47 +0200

drupal (4.4.1-1) unstable; urgency=low

  * New upstream version (Closes: #246307)
  * Added to cron.d (Closes: #242199)
  * Create language in database/database.pgsql (Closes: #242572)
  * Fixed dependencies (Closes: #242622):
    - Depends on php4-cgi (since it's used by maintainer scripts)
    - Recommends: php4 | libapache2-mod-php4 (After all, one _can_ run
      Drupal with a PHP-CGI setup)
  * Fixed generation of links in webserver directories (Closes: #249488)
  * Out-of-the-box support for multiple sites (Closes: #246009)
  * Put themes directory under /usr/share/drupal. Themes are no longer
    handled as conffiles.
  * Fixed path to database.mysql in README.Debian (Closes: #246414)

 -- Hilko Bengen  Tue, 25 May 2004 10:12:34 +0200

drupal (4.3.2-3) unstable; urgency=low

  * Rewrote README.Debian, copying substantial parts from the INSTALL file
    (Closes: #240505)
  * Re-added a (commented-out) directive for restricting access to
    admin.php to htaccess file

 -- Hilko Bengen  Sun, 28 Mar 2004 17:38:11 +0200

drupal (4.3.2-2) unstable; urgency=low

  * [Bart Cornelis] Added Dutch debconf translation (Closes: #232230)
  * [Sergio Talens-Oliag] Added Spanish and Catalan debconf translations
    (Closes: #235018)
  * [Gleydson Mazioli da Silva] Added Brazilian Portuguese debconf
    translation (Closes: #185829)
  * [Christian Perrier] Added French debconf translation (Closes: #200722)
  * Added German debconf translation

 -- Hilko Bengen  Tue, 16 Mar 2004 00:43:55 +0100

drupal (4.3.2-1) unstable; urgency=low

  * New maintainer (Closes: #227771)
  * New upstream release (Closes: #204241, #220066)
    - Test shows that kuro5hin RSS feed can be imported just fine
      (Closes: #184252)
    - The encoding bug in ping.module appears to have been fixed
      (Closes: #215643)
  * Revamped installation and automatic upgrade procedure
    - Update sets password in config.php _and_ database (Closes: #193545)
    - It's possible to install the package without performing any database
      setup at all (Closes: #201202)
  * Fixed /etc/drupal/apache.conf (Closes: #219143)
  * Basic PostgreSQL support -- user and database are created
    (Closes: #186563)
  * Should work with apache2 (Closes: #235912)

 -- Hilko Bengen  Thu, 11 Mar 2004 17:30:11 +0100

drupal (4.1.0-10) unstable; urgency=low

  * Maintainer field set to QA Group
  * New Brazilian Portuguese debconf template translation, provided by
    Andre Luis Lopes. Closes: #228109

 -- Emanuele Rocca  Sun, 1 Feb 2004 20:35:04 +0100

drupal (4.1.0-9.1) unstable; urgency=low

  * NMU
  * French debconf templates translation. Closes: #200722
  * Correction to english templates for (I guess) better english and
    formulations. Closes: #186566
  * Brazilian portuguese debconf templates translation. Closes: #185829

 -- Christian Perrier  Tue, 16 Sep 2003 08:55:38 +0200

drupal (4.1.0-9) unstable; urgency=low

  * Two corrections in postinst to allow manually setting up the DB on
    upgrade.

 -- Hugo Espuny  Wed, 19 Mar 2003 22:02:50 +0100

drupal (4.1.0-8) unstable; urgency=low

  * Added patch from drupal.org (Closes: #185217)
  * Minor typo on apache.conf
  * Now htaccess is set up dynamically.
  * Example of restricted admin.php is now at htaccess
  * Debconf now does not repeat questions after preconfiguring.

 -- Hugo Espuny  Wed, 19 Mar 2003 20:09:45 +0100

drupal (4.1.0-7) unstable; urgency=high

  * Added securing point to README.Debian
  * Alias directive on /etc/drupal/apache.conf now is changed dynamically
    according with debconf question.

 -- Hugo Espuny  Fri, 14 Mar 2003 20:33:29 +0100

drupal (4.1.0-6) unstable; urgency=high

  * Corrected postrm problem when downgrading to certain versions.

 -- Hugo Espuny  Fri, 14 Mar 2003 19:38:15 +0100

drupal (4.1.0-5) unstable; urgency=low

  * Corrected mv themes order in rules file.

 -- Hugo Espuny  Fri, 14 Mar 2003 19:22:12 +0100

drupal (4.1.0-4) unstable; urgency=low

  * Corrected themes moving engine. (Closes: #184752)
  * Themes are now configfiles (since 4.1.0-2). I forgot to say...

 -- Hugo Espuny  Fri, 14 Mar 2003 17:30:45 +0100

drupal (4.1.0-3) unstable; urgency=low

  * Updated to policy version 3.5.9

 -- Hugo Espuny  Fri, 14 Mar 2003 00:28:18 +0100

drupal (4.1.0-2) unstable; urgency=low

  * Corrected directive "AllowOverride None" to "AllowOverride All" in
    /etc/drupal/apache.conf. (Closes: #184183)
  * Corrected directive to in /etc/drupal/apache.conf.
  * Corrected cron file, postinst and templates. Now debconf asks for the
    whole URL, not only TCP port. (Closes: #184182) (Closes: #184182)
    Thanks to John Goerzen for pointing those out to me.
  * News feed now works properly. (Closes: #184252) (Closes: #184253)

 -- Hugo Espuny  Wed, 12 Mar 2003 18:25:35 +0100

drupal (4.1.0-1) unstable; urgency=high

  * New upstream version (Closes: #178506) (Closes: #173107)
  * Moved to use po-debconf.
  * Fixed README.Debian (Closes: #173103) (Closes: #184111)

 -- Hugo Espuny  Fri, 7 Mar 2003 21:09:02 +0100

drupal (4.0-4) unstable; urgency=low

  * Corrected a bug on cron.d file.

 -- Hugo Espuny  Wed, 11 Dec 2002 22:39:16 +0100

drupal (4.0-3) unstable; urgency=low

  * Corrected /etc/cron.d/drupal (thanx to Paul van Tilburg).
    (Closes: #172153)
  * Corrected link in README.Debian. (Closes: #169949)
  * Changed priority to extra.
  * postrm now executes an abort install properly.
  * Updated policy standards to 3.5.8

 -- Hugo Espuny  Tue, 10 Dec 2002 00:38:36 +0100

drupal (4.0-2) unstable; urgency=low

  * Minor typo correction in templates file.
  * Minor bug correction about webserver port in postinst.
  * Added versioned dependency on wget to support HTTPS
  * Moved update.php to /usr/share/doc/drupal/upgrades

 -- Hugo Espuny  Wed, 30 Oct 2002 16:54:06 +0100

drupal (4.0-1) unstable; urgency=low

  * New debian package. (Closes: #164676)
  * Code taken from phpnuke package.

 -- Hugo Espuny  Tue, 29 Oct 2002 21:21:26 +0100