tikiwiki (1.9.7+dfsg-1ubuntu1.2) feisty-security; urgency=low

  [ Emanuele Gentili ]
  * SECURITY UPDATE: (LP: #180702)
    + CVE-2007-6526: Cross-site scripting (XSS) vulnerability in
      tiki-special_chars.php in TikiWiki before 1.9.9 allows remote
      attackers to inject arbitrary web script or HTML via the area_name
      parameter.
    + CVE-2007-6528: Directory traversal vulnerability in
      tiki-listmovies.php in TikiWiki before 1.9.9 allows remote attackers
      to read arbitrary files via a .. (dot dot) and modified filename in
      the movie parameter.
    + CVE-2007-6529: Multiple unspecified vulnerabilities in TikiWiki
      before 1.9.9 have unknown impact and attack vectors involving
      tiki-edit_css.php, tiki-g-admin_shared_source.php.
  * debian/patches/91_CVE-2007-6526_CVE-2007-6528_CVE-2007-6529.dpatch
    - Applied patch by upstream
  * References
    - CVE-2007-6526
    - CVE-2007-6528
    - CVE-2007-6529

  [ Jamie Strandboge ]
  * Use dash-compliant syntax in debian/rules

 -- Emanuele Gentili  Sun, 17 Feb 2008 18:12:35 +0100

tikiwiki (1.9.7+dfsg-1ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #163833)
    + CVE-2007-4554: Cross-site scripting (XSS) vulnerability in
      tiki-remind_password.php in Tikiwiki (aka Tiki CMS/Groupware) 1.9.7
      allows remote attackers to inject arbitrary web script or HTML via
      the username parameter. NOTE: this issue might be related to
      CVE-2006-2635.7.
    + CVE-2007-5423: Eval injection vulnerability in tiki-graph_formula.php
      in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code
      via PHP sequences in the f array parameter.
    + CVE-2007-5682: Unspecified vulnerability in tiki-graph_formula.php in
      TikiWiki before 1.9.8.2 has unknown impact and attack vectors, a
      different vulnerability than CVE-2007-5423.
  * debian/patches/90_CVE-2007-4554.dpatch:
    - Applied patch by upstream
  * debian/patches/90_CVE-2007-5423_CVE-2007-5682.dpatch:
    - Applied patch by upstream
  * References:
    CVE-2007-4554
    CVE-2007-5423
    CVE-2007-5682

 -- Stephan Hermann  Mon, 26 Nov 2007 15:34:47 +0100

tikiwiki (1.9.7+dfsg-1ubuntu1) feisty; urgency=low

  * Depends on PHP 5 packages (LP: 96361)
  * Update maintainer field in debian/control

 -- Luca Falavigna  Tue, 10 Apr 2007 23:39:00 +0200

tikiwiki (1.9.7+dfsg-1) unstable; urgency=high

  * New upstream version.
    - Fixes a script insertion vulnerability.
  * debian/control: Added X-Vcs-* fields.

 -- Marcus Better  Sat, 25 Nov 2006 23:01:06 +0100

tikiwiki (1.9.6+dfsg-1) unstable; urgency=low

  * New upstream version.
    - Fixed security issues: CVE-2006-5702, CVE-2006-5703.
  * Install README.Debian.sources, accidentally left out.

 -- Marcus Better  Wed, 8 Nov 2006 11:22:21 +0100

tikiwiki (1.9.5+dfsg1-2) unstable; urgency=high

  * lib/Galaxia/src/ProcessManager/ProcessManager.php,
    tiki-g-admin_processes.php, tiki-setup_base.php: Add type checks and
    other minor bugfixes. Note that Tikiwiki 1.9.5 was probably not
    affected by the vulnerability in the original report. (Closes: #388122)
    - Fixed security issue: CVE-2006-4734.
  * debian/config, debian/postrm: Check that scripts exist before sourcing
    them. (Closes: #388237)

 -- Marcus Better  Tue, 19 Sep 2006 13:31:06 +0200

tikiwiki (1.9.5+dfsg1-1) unstable; urgency=low

  * New upstream version.

 -- Marcus Better  Wed, 6 Sep 2006 10:47:30 +0200

tikiwiki (1.9.4+dfsg2-4) unstable; urgency=high

  * Fix another potential security issue, as per
    http://tikiwiki.org/tiki-read_article.php?articleId=136 . This is not
    exploitable in the default configuration.

 -- Marcus Better  Mon, 4 Sep 2006 10:22:00 +0200

tikiwiki (1.9.4+dfsg2-3) unstable; urgency=high

  * Fix a security issue in jhot.php, see
    http://permalink.gmane.org/gmane.comp.cms.tiki.devel/7927 . This was
    probably not exploitable on Debian with the default Apache
    configuration.

 -- Marcus Better  Sun, 3 Sep 2006 12:59:34 +0200

tikiwiki (1.9.4+dfsg2-2) unstable; urgency=high

  * Fix input validation problem. (Closes: #384796)
    - Fixed security issue: CVE-2006-4299.

 -- Marcus Better  Mon, 28 Aug 2006 08:20:56 +0200

tikiwiki (1.9.4+dfsg2-1) unstable; urgency=low

  * Put back unused code into source to minimize changes from upstream.
  * debian/README.Debian.sources: minor correction.
  * debian/control: Changed Maintainer to the Debian Tikiwiki team.

 -- Marcus Better  Fri, 14 Jul 2006 21:20:42 +0200

tikiwiki (1.9.4+dfsg1-1) unstable; urgency=low

  * Removed unused code and code with problematic license from the source.

 -- Marcus Better  Thu, 13 Jul 2006 21:18:22 +0200

tikiwiki (1.9.4-1) unstable; urgency=low

  * New upstream version.
    - Fixed security issues: CVE-2006-3048, CVE-2006-3047, CVE-2006-2635.
  * Don't install tiki-install.php in /usr/share/tikiwiki. (Closes: #371055)

 -- Marcus Better  Tue, 13 Jun 2006 23:05:50 +0200

tikiwiki (1.9.2-1) unstable; urgency=low

  * Initial upload to Debian. (Closes: #329195)

 -- Marcus Better  Tue, 20 Sep 2005 14:01:49 +0200