Change log for smarty3 package in Debian

1 to 34 of 34 results
Published in sid-release
smarty3 (3.1.48-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2023-28447: Fix cross-site scripting vulnerability in JavaScript
      escaping.
  * debian/control:
    + Bump Standards-Version: to 4.6.2. No changes needed.
  * debian/copyright:
    + Update copyright attributions.

 -- Mike Gabriel <email address hidden>  Thu, 15 Jun 2023 16:10:44 +0200
Published in bookworm-release
Superseded in sid-release
smarty3 (3.1.47-2) unstable; urgency=medium

  * debian/control:
    + Bump versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-5~).
  * debian/rules:
    + Re-enable configfile/template parser/lexer generation. (Closes: #1022737).

 -- Mike Gabriel <email address hidden>  Tue, 25 Oct 2022 07:42:53 +0200
Published in buster-release
smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload.
  * Fix the following CVE:
    - CVE-2021-21408: template authors could run restricted static php methods
    - CVE-2021-29454: template authors could run arbitrary PHP code by crafting
                      a malicious math string
    - CVE-2022-29221: template authors could inject php code by choosing a
                      malicious {block} name or {include} file name
    - CVE-2021-26119: Sandbox Escape because $smarty.template_object can be
                      accessed in sandbox mode
    - CVE-2021-26120: code injection via an unexpected function name

 -- Markus Koschany <email address hidden>  Sun, 29 May 2022 13:13:32 +0200
Published in bullseye-release
smarty3 (3.1.39-2+deb11u1) bullseye-security; urgency=high

  * Non-maintainer upload.
  * Fix the following CVE:
    - CVE-2021-21408: template authors could run restricted static php methods
    - CVE-2021-29454: template authors could run arbitrary PHP code by crafting
                      a malicious math string
    - CVE-2022-29221: template authors could inject php code by choosing a
                      malicious {block} name or {include} file name

 -- Markus Koschany <email address hidden>  Sat, 28 May 2022 23:55:24 +0200
Superseded in sid-release
smarty3 (3.1.45-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2021-21408: Prevent template authors from running restricted static
      php methods. (see smarty4 bug #1010375).
    - CVE-2021-29454: Prevent template authors from running arbitrary PHP code
      by crafting a malicious math string. (see smarty4 bug #1010375, as well).
    - CVE-2022-29221: Prevent template authors from injecting PHP code by
      choosing malicious filenames. (Closes: #1011758).
  * debian/watch:
    + Only watch 3.x versions of Smarty.
  * debian/control:
    + Bump Standards-Version: to 4.6.1. No changes needed.
  * debian/copyright:
    + Update copyright attributions.

 -- Mike Gabriel <email address hidden>  Mon, 30 May 2022 08:24:30 +0200
Superseded in sid-release
smarty3 (3.1.39-2) unstable; urgency=medium

  * debian/watch:
    + Fix Github watch URL.

 -- Mike Gabriel <email address hidden>  Thu, 29 Apr 2021 14:40:03 +0200


Superseded in bullseye-release
Superseded in sid-release
smarty3 (3.1.39-1) unstable; urgency=medium

  * New upstream release.
  * debian/copyright:
    + Update copyright attributions.

 -- Mike Gabriel <email address hidden>  Tue, 23 Feb 2021 11:41:59 +0100


Superseded in sid-release
smarty3 (3.1.38-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    + Drop 0001_bring-lexer-source-functionally-up-to-date.patch. Applied
      upstream.

 -- Mike Gabriel <email address hidden>  Mon, 18 Jan 2021 17:20:40 +0100


Superseded in sid-release
smarty3 (3.1.36-2) unstable; urgency=medium

  * debian/control:
    + Update versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-3~).
  * debian/patches:
    + Add 0001_bring-lexer-source-functionally-up-to-date.patch. Bring
      lexer source functionally up-to-date with (manually edited) compiled
      version. (Closes: #977604).
  * debian/watch:
    + Switch to format version 4.

 -- Mike Gabriel <email address hidden>  Fri, 18 Dec 2020 14:53:44 +0000


Superseded in sid-release
smarty3 (3.1.36-1) unstable; urgency=medium

  * New upstream release.
  * debian/rules:
    + Stop creating Git snapshots, use upstream orig tarballs (generated from
      Github tags) instead.
    + Upstream changelog has been renamed to CHANGELOG.md.
  * debian/copyright:
    + Update copyright attributions.
    + Drop global Comment: field. No tarball repacking anymore.
  * debian/control:
    + Bump Standards-Version: to 4.5.1. No changes needed.
    + Bump DH compat level to version 13.
  * debian/upstream/metadata:
    + Add file. Comply with DEP-12.

 -- Mike Gabriel <email address hidden>  Mon, 07 Dec 2020 09:33:25 +0100
Superseded in sid-release
smarty3 (3.1.34+20190228.1.c9f0de05+selfpack1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control:
    + Bump Standards-Version: to 4.4.1. No changes needed.
    + Add Rules-Requires-Root: field and set it to "no".
  * debian/{control,compat}:
    + Switch to debhelper-compat notation. Bump DH compat level to version 12.

 -- Mike Gabriel <email address hidden>  Mon, 18 Nov 2019 10:49:54 +0100
Superseded in buster-release
Superseded in sid-release
smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2018-16831: Don't bypass trusted directories with "../". (Closes:
      #908698).
  * debian/control:
    + Bump Standards-Version: to 4.2.1. No changes needed.

 -- Mike Gabriel <email address hidden>  Mon, 17 Sep 2018 13:04:18 +0200
Published in jessie-release
smarty3 (3.1.21-1+deb8u2) jessie-security; urgency=medium

  * debian/patches:
    + Fix object name in 0001_CVE-2017-1000480.patch. Thanks to Côme Chilliet
      from the FusionDirectory team for spotting this.

 -- Mike Gabriel <email address hidden>  Tue, 30 Jan 2018 17:40:58 +0100
Superseded in buster-release
Superseded in sid-release
smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium

  * New upstream release.
  * debian/*: White-space clean-up at EOL.
  * debian/patches:
    + Drop 0001_CVE-2017-1000480.patch. Applied upstream.
  * debian/rules:
    + Avoid using dpkg-parsechangelog.
  * debian/copyright:
    + Update copyright attributions.
    + Use secure URI to obtain copyright references.
    + Add global Comment: field. Explain about brokenness of upstream tarballs.
  * debian/control:
    + Update Vcs-*: fields. Packaging Git has been migrated to
      salsa.debian.org.
    + Bump Standards-Version: to 4.1.4. No changes needed.
  * debian/{control,compat}:
    + Bump DH version level to 11.

 -- Mike Gabriel <email address hidden>  Sun, 27 May 2018 23:21:33 +0200
Published in stretch-release
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1) stretch-security; urgency=medium

  * debian/patches:
    + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes:
      #886460).

 -- Mike Gabriel <email address hidden>  Sun, 14 Jan 2018 13:16:25 +0100
Superseded in buster-release
Superseded in sid-release
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium

  * debian/patches:
    + Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes:
      #886460).

 -- Mike Gabriel <email address hidden>  Sun, 14 Jan 2018 11:13:16 +0100
Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium

  * Re-upload to Debian unstable to enforce package rebuild (as we don't
    have binNMUs for arch:all packages).

  * debian/control:
    + Update versioned B-D on smarty-lexer (>=  3.1.30+dfsg1-1.1~).
      This is to assure correct lexer/parser generation which was broken by
      smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further
      reference.

 -- Mike Gabriel <email address hidden>  Tue, 21 Mar 2017 10:13:01 +0100
Superseded in stretch-release
Superseded in sid-release
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-1) unstable; urgency=medium

  * New upstream release.
  * debian/rules:
    + Self-pack orig tarball from Git commit, due to broken upstream
      tarball generation on Github. For details see:
      https://github.com/smarty-php/smarty/issues/325
  * debian/copyright:
    + Update copyright attributions.

 -- Mike Gabriel <email address hidden>  Tue, 24 Jan 2017 21:17:51 +0100
Superseded in stretch-release
Superseded in sid-release
smarty3 (3.1.30-1) unstable; urgency=medium

  * Upload to unstable.
  * Update versioned B-D:
    + smarty-lexer (>= 3.1.30+dfsg1-1~).

 -- Mike Gabriel <email address hidden>  Fri, 25 Nov 2016 19:52:30 +0100


Deleted in experimental-release (Reason: None provided.)
smarty3 (3.1.30-1~exp1) experimental; urgency=medium

  * New upstream release. Upload to experimental for testing with
    GOsa, FusionDirectory and other web portals that depend on Smarty3.
  * debian/copyright:
    + Update copyright attributions.

 -- Mike Gabriel <email address hidden>  Thu, 20 Oct 2016 14:00:22 +0200
Superseded in stretch-release
Superseded in sid-release
smarty3 (3.1.29-2) unstable; urgency=medium

  * Re-upload unchanged to unstable.

 -- Mike Gabriel <email address hidden>  Fri, 07 Oct 2016 14:03:44 +0200


Deleted in experimental-release (Reason: None provided.)
smarty3 (3.1.29-1) experimental; urgency=medium

  * New upstream release. (Closes: #825250).
  * debian/smarty3-lexer:
    + Remove shipped-with .plex and .y files for template and configfile
      parser/lexer. This version uses smarty-lexer src:package at build
      time instead.
  * debian/control:
    + Add B-D pkg-php-tools (for dh_phpcomposer)
    + Versioned B-D: debhelper (>= 9).
    + Use encrypted URLs for Vcs-*: field.
    + Bump Standards: to 3.9.8. No changes needed.
  * debian/{control,rules}:
    + Create internal lexer and parser PHP code at package build time (using
      B-D smarty-lexer). (Closes: #765730). This also solves issues in Debian
      package smarty3 3.1.21-1 caused by lexer/parser PHP files using the old
      trigger_error class API of Smarty.class.php. (Closes: #799282).
  * debian/smarty3.{install,docs}:
    + Use debhelper for installing bin:package files.
  * debian/compat:
    + Bump to DH version level 9.
  * debian/watch:
    + Upstream location has changed, now on Github.
  * debian/rules:
    + Use pure debhelper, with phpcomposer.
    + Make package build idempotent.
  * debian/copyright:
    + Update copyright attributions.

 -- Mike Gabriel <email address hidden>  Mon, 30 May 2016 14:03:16 +0200
Superseded in stretch-release
Superseded in sid-release
smarty3 (3.1.21-1.1) unstable; urgency=medium

  * Non-maintainer upload in coordination with the maintainer.
  * Update depends and README.Debian for the php 7.0 transition. Thanks to
    Wolfgang Schweer for the patch! (Closes: #821660)

 -- Holger Levsen <email address hidden>  Mon, 23 May 2016 11:32:02 +0200
Superseded in stretch-release
Superseded in jessie-release
Superseded in sid-release
smarty3 (3.1.21-1) unstable; urgency=medium


  * New upstream release. (Closes: #765920).
  * debian/smarty3-lexer:
    + Add 4 files from smarty3 SVN that are used to generate some PHP
      files in the upstream tarball. See README.lexer for details.
      (Closes: #636148).
  * debian/copyright:
    + Add copyright information for debian/smarty3-lexer/*.
    + Fix upstream license (LGPL-3 -> LGPL-3+) after reading the upstream-
      shipped COPYING.lib file more thoroughly.
    + Relicense debian/* under same license as upstream sources (LGPL-3+).
  * debian/control:
    + Bump Standards: to 3.9.6. No changes needed.

 -- Mike Gabriel <email address hidden>  Sun, 19 Oct 2014 23:45:18 +0200


Superseded in jessie-release
Superseded in sid-release
smarty3 (3.1.19-1) unstable; urgency=medium


  * New upstream release.
    + Obtain upstream sources as zip files from upstream. Stop checking out
      SVN tags. This change drops three embedded PHP libraries and files with
      problematic PHP licenses. (Closes: #752614).
  * debian/control:
    + Alioth-canonicalize Vcs-Git field.
    + Bump Standards: to 3.9.5. No changes needed.
  * lintian:
    + Drop unused override: embedded-php-library.

 -- Mike Gabriel <email address hidden>  Mon, 04 Aug 2014 21:32:20 +0200


Superseded in jessie-release
Superseded in sid-release
smarty3 (3.1.13-1) unstable; urgency=low


  * New upstream release.
  * /debian/control:
    + Use my DD address in Maintainer: field.
    + Bump Standards: to 3.9.4. No changes needed.
  * /debian/patches:
    + Drop patch: 001_escape-smarty-exception-messages.patch, included in new
      upstream release.

 -- Mike Gabriel <email address hidden>  Mon, 06 May 2013 10:19:14 +0200


Superseded in jessie-release
Published in wheezy-release
Superseded in sid-release
smarty3 (3.1.10-2) unstable; urgency=low


  * Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch.
    Closes: #688153.

 -- Mike Gabriel <email address hidden>  Sat, 22 Sep 2012 21:32:58 +0200


Superseded in wheezy-release
Superseded in sid-release
smarty3 (3.1.10-1) unstable; urgency=low


  * New upstream release. Closes: #678095.

 -- Mike Gabriel <email address hidden>  Tue, 19 Jun 2012 16:41:06 +0200


Superseded in wheezy-release
Superseded in sid-release
smarty3 (3.1.8-2) unstable; urgency=low


  * Package smarty3 provides smarty (closes: #657536).
  * Make /debian/copyright machine parsable, explicitly names files that
    have dissenting licenses, license /debian folder under GPLv2+.

 -- Mike Gabriel <email address hidden>  Thu, 17 May 2012 00:32:29 +0200
Deleted in experimental-release (Reason: None provided.)
smarty3 (3.1.8-1) experimental; urgency=low


  * New upstream release (rev. 4611).
  * New package maintainer (closes: #668200).
  * Add watch file (closes: #657385).
  * Add Vcs-* lines to control file.
  * Add README.source that explains how we obtain code from
    upstream SVN. Make sure all upstream source files are
    shipped with the Debian source package (closes: #636148).

 -- Mike Gabriel <email address hidden>  Thu, 10 May 2012 10:44:55 +0200
Superseded in experimental-release
smarty3 (3.1.0-1) experimental; urgency=low


  * New upstream release (rev. 4284)
  * Used the code source from subversion (Closes: #636148)
  * debian/copyright:
    + added LexerGenerator copyright
    + added ParserGenerator copyright
  * Fixed security holes:
    + multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053, 
      CVE-2010-4722, CVE-2010-4724, CVE-2010-4726)
    + not consider the umask value when setting the permissions of files
      (CVE-2009-5054)
    + not prevent access to the dynamic and private object members of an 
      assigned object (CVE-2010-4723)
    + not properly handle an on value of the asp_tags option in the php.ini file
      (CVE-2010-4725)
    + not properly handle the <?php and ?> tags (CVE-2010-4727)

 -- Thierry Randrianiriana <email address hidden>  Sat, 17 Sep 2011 21:22:11 +0300
Superseded in wheezy-release
Superseded in sid-release
smarty3 (3.0.8-1) unstable; urgency=low

  * New upstream release (Closes: #631619)
  * Bumped Standards-Version to 3.9.2
  * Updated licence to LGPL-3

 -- Thierry Randrianiriana <email address hidden>  Wed, 20 Jul 2011 11:29:24 +0300
Superseded in wheezy-release
Superseded in sid-release
smarty3 (3.0~rc1-2) unstable; urgency=low


  * Bumped Standards-Version to 3.9.1
  * Removed debian/watch

 -- Thierry Randrianiriana <email address hidden>  Tue, 21 Sep 2010 14:45:44 +0300
Published in squeeze-release
Superseded in sid-release
smarty3 (3.0~rc1-1) unstable; urgency=low


  * Initial release (Closes: #580754)

 -- Thierry Randrianiriana <email address hidden>  Sat, 08 May 2010 14:36:04 +0300