Change logs for mahara source package in Sid

  • mahara (1.5.1-3.1) unstable; urgency=high
    
    
      * Non-maintainer upload.
      * SECURITY UPDATE: Fix a cross-site scripting (XSS) vulnerability
        which allowed remote attackers to inject arbitrary web script or
        HTML via the query parameter.
        - debian/patches/CVE-2012-2253.patch
        - Closes: #695789
    
     -- Luca Falavigna <email address hidden>  Sun, 23 Dec 2012 14:53:41 +0100
  • mahara (1.5.1-3) unstable; urgency=high
    
    
      * SECURITY UPDATE: Disable XML entity parsing to prevent XEE
        - debian/patches/CVE-2012-2239.patch: upstream patch
    
      * SECURITY UPDATE: Multiple cross-site scripting vulnerabilities
        - Content passed to the error message was not escaped
        - Escape pieform errors displayed to users
        - debian/patches/CVE-2012-2243-0001.patch: upstream patch
        - XHTML files prone to embedded javascript
        - Prevent uploaded xhtml files from displaying verbatim
        - debian/patches/CVE-2012-2243-0002.patch: upstream patch
    
      * SECURITY UPDATE: Arbitrary file execution via clam path
        - Remove executable bit from existing uploaded files
        - debian/patches/CVE-2012-2244-0001.patch: upstream patch
        - Ensure future files will not be executable
        - debian/patches/CVE-2012-2244-0002.patch: upstream patch
        - Remove direct path option from web configuration
        - debian/patches/CVE-2012-2244-0003.patch: upstream patch
    
      * SECURITY UPDATE: Prevent click-jacking attacks
        - Add an HTTP header of X-Frame-Options to every page
        - debian/patches/CVE-2012-2246.patch: upstream patch
    
      * SECURITY UPDATE: Prevent SVG images being displayed
        - SVG images displayed inline
        - Adds SVG files to the list of files to not display by default
        - debian/patches/CVE-2012-2247.patch: upstream patch
    
     -- Melissa Draper <email address hidden>  Tue, 12 Nov 2012 04:08:09 +0000
  • mahara (1.5.1-2.1) unstable; urgency=low
    
    
      * Non-maintainer upload
      * debian/mahara.preinst: Remove previous symlink that is replaced by a
        directory (closes: #690124)
    
     -- David Prévot <email address hidden>  Sat, 27 Oct 2012 22:10:31 -0400
  • mahara (1.5.1-2) unstable; urgency=high
    
    
      * SECURITY UPDATE: Fix multiple cross-site scripting vulnerabilities
        - Sanitize json-encode login form when injected by js
        - Sanitize links in links and resources menu
        - Sanitize file description for blog image editor
        - Add escaping to user_display_name by adding to dwoo template
        - debian/patches/CVE-2012-2237-0001.patch: upstream patch
        - debian/patches/CVE-2012-2237-0002.patch: upstream patch
        - debian/patches/CVE-2012-2237-0003.patch: upstream patch
        - debian/patches/CVE-2012-2237-0004.patch: upstream patch
    
     -- Melissa Draper <email address hidden>  Mon, 16 Jul 2012 09:37:07 +0000
  • mahara (1.5.1-1) unstable; urgency=low
    
    
      [ Melissa Draper ]
      * New major upstream release
        - Improved password storage
        - Database triggers
        - php minimum version now 5.3
    
      * Drop dependency on Dwoo and use bundled version instead
      * Update versioned dependencies on Postgres and MySQL
      * Add libjs-jquery dependency
      * Bump Standards-Version up to 3.9.3
      * Bump debhelper compatibility to 9
    
      [ Francois Marier ]
      * Fix watch file
      * Update homepage URL in debian/control 
      * Update Alioth URLs
    
     -- Melissa Draper <email address hidden>  Thu, 31 May 2012 12:03:15 +1200
  • mahara (1.4.2-1) unstable; urgency=high
    
    
      * New upstream release
      * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
        - Default configuration changed to prevent impersonation
    
     -- Melissa Draper <email address hidden>  Wed, 14 Mar 2012 01:53:32 +0000
  • mahara (1.4.1-1) unstable; urgency=low
    
    
      * New upstream release
        - CVE-2011-2771
        - CVE-2011-2772
        - CVE-2011-2773
        - CVE-2011-2774
    
     -- Francois Marier <email address hidden>  Fri, 04 Nov 2011 12:16:06 +1300
  • mahara (1.4.0-1) unstable; urgency=low
    
    
      * New major upstream release
        - upstream .htaccess file has been removed
      * Add missing (empty) build targets in debian/rules (lintian warning)
    
     -- Francois Marier <email address hidden>  Wed, 22 Jun 2011 14:58:47 +1200
  • mahara (1.3.6-1) unstable; urgency=high
    
    
      * New upstream release (major security fixes):
        - CVE-2011-1402
        - CVE-2011-1403
        - CVE-2011-1404
        - CVE-2011-1405
        - CVE-2011-1406
      * Fix versioned dependency of mahara-apache2
      * Drop mysql-server-5.0 recommendation
      * Bump Standards-Version up to 3.9.2
    
     -- Francois Marier <email address hidden>  Tue, 10 May 2011 13:55:55 +1200
  • mahara (1.3.5-1) unstable; urgency=low
    
    
      * Major new upstream release
        - compatibility with HTML Purifier 4.3.0
      * Remove unused Mochikit lintian override
      * Update path of flowplayer in debian/rules
      * Fix more broken permissions in debian/rules
      * Add dependency on ttf-bitstream-vera and remove Mahara's bundled copy
      * Sync Uploaders field with Launchpad Team
    
     -- Francois Marier <email address hidden>  Mon, 11 Apr 2011 15:52:10 +1200
  • mahara (1.2.7-1) unstable; urgency=high
    
    
      * New upstream security release:
        - CVE-2011-0439 (XSS in select boxes)
        - CVE-2011-0440 (CSRF when deleting blogs)
      * Add Italian debconf translation (closes: #606378)
      * Add Danish debconf translation (closes: #597766)
      * Bump debhelper compatibility to 8
    
     -- Francois Marier <email address hidden>  Fri, 25 Mar 2011 16:08:31 +1300
  • mahara (1.2.6-2) unstable; urgency=medium
    
    
      * Move flowplayer.audio to the contrib package as well
      * Add an allow rule in apache.conf for flowplayer.audio
    
     -- Francois Marier <email address hidden>  Mon, 06 Sep 2010 20:59:44 +1200
  • mahara (1.2.5-2) unstable; urgency=low
    
    
      * Remove postgresql8.3 from recommends, add postgresql8.4
      * Add mysql-server-5.1 to recommends
    
     -- Francois Marier <email address hidden>  Tue, 06 Jul 2010 17:35:06 +1200
  • mahara (1.2.5-1) unstable; urgency=high
    
    
      * New upstream release
        - multiple cross-site scripting vulnerabilities (CVE-2010-1667)
        - multiple cross-site request forgery vulnerabilities (CVE-2010-1668)
        - sql injection (CVE-2010-1669)
        - unsafe auth plugins configuration options (CVE-2010-1670)
    
      * Use system's version of HTML purifier (CVE-2010-2479)
      * Add missing symlink to PEAR's File module to fix csv parsing
    
      * Remove reference to the common BSD license in debian/copyright
      * Bump Standards-Version to 3.9.0
    
     -- Francois Marier <email address hidden>  Mon, 05 Jul 2010 15:45:27 +1200
  • mahara (1.2.4-1) unstable; urgency=high
    
    
      * New upstream release
        - fix for SQL injection (CVE-2010-0400)
    
     -- Francois Marier <email address hidden>  Tue, 06 Apr 2010 21:07:03 +1200
  • mahara (1.2.3-1) unstable; urgency=low
    
    
      * New upstream release
      * Fix error in postrm script for when /usr/share/mahara/theme/ doesn't exist
    
      * Bump Standards-Version to 3.8.4
      * Switch team maintenance email address to a Launchpad mailing list
    
     -- Francois Marier <email address hidden>  Mon, 08 Feb 2010 11:58:22 +1300
  • mahara (1.2.0-2) unstable; urgency=low
    
    
      * Fix postrm script so that Mahara can be uninstalled
    
     -- Francois Marier <email address hidden>  Fri, 27 Nov 2009 22:09:03 +1300
  • mahara (1.1.7-1) unstable; urgency=high
    
    
      * New upstream release
        - Privilege escalation fix (CVE-2009-3298)
        - XSS fix (CVE-2009-3299)
    
      * Bump Standards-Version up to 3.8.3
      * Switch packaging license to refer to GPL-3
      * debian/mahara.config: Move -e to a separate line to silence lintian
    
     -- Francois Marier <email address hidden>  Fri, 30 Oct 2009 13:46:40 +1300
  • mahara (1.1.6-1) unstable; urgency=low
    
    
      * New Upstream Version
      * README.Debian: must specify the character set when creating a database
        in the default install of MySQL on Debian
    
     -- Francois Marier <email address hidden>  Thu, 06 Aug 2009 22:22:01 +1200
  • mahara (1.1.5-1) unstable; urgency=high
    
    
      * New Upstream Version
        - fixes multiple XSS vulnerabilities
        - fix for an information disclosure bug
      * Bump Standards-Version to 3.8.2
    
     -- Francois Marier <email address hidden>  Mon, 22 Jun 2009 15:17:25 +1200
  • mahara (1.1.3-1) unstable; urgency=high
    
    
      * New Upstream Version
        - fixes XSS issues in user profile field and text boxes in user views
          (CVE-2009-0664)
        - fixes remote code execution in the bundled copy of html2text
          (CVE-2008-5619, closes: #524778)
      * Bump Standards-Version to 3.8.1 (no changes)
      * Remove execute bit on a bunch of Javascript files (lintian warning)
    
     -- Francois Marier <email address hidden>  Wed, 22 Apr 2009 17:06:36 +1200
  • mahara (1.1.2-1) unstable; urgency=high
    
    
      * New Upstream Version
        - fixes multiple XSS vulnerabilities (CVE-2009-0660)
    
     -- Francois Marier <email address hidden>  Tue, 10 Mar 2009 19:44:14 +1300
  • mahara (1.1.1-1) unstable; urgency=medium
    
    
      * New Upstream Version
        - fixes broken upgrades on MySQL
    
     -- Francois Marier <email address hidden>  Mon, 02 Mar 2009 12:08:42 +1300
  • mahara (1.1.0-1) unstable; urgency=low
    
    
      * New Upstream Version
      * Add dependency on php5-curl (instead of being only recommended)
      * Mention the 3rd install step (logging in as admin) in README.Debian
    
     -- Francois Marier <email address hidden>  Thu, 26 Feb 2009 12:57:40 +1300
  • mahara (1.0.9-2) unstable; urgency=low
    
    
      * debian/mahara.postrm: delete the snoopy symlink
      * debian/mahara.postinst: create a lib/smarty/libs symlink when necessary
        (for example on Ubuntu)
    
     -- Francois Marier <email address hidden>  Mon, 09 Feb 2009 17:55:38 +1300
  • mahara (1.0.9-1) unstable; urgency=high
    
    
      * New Upstream Version
        - fixes XSS vulnerability in forum posts
      * debian/copyright: add the word "copyright" to fix a lintian notice
    
     -- Francois Marier <email address hidden>  Tue, 03 Feb 2009 18:26:32 +1300
  • mahara (1.0.6-1) unstable; urgency=low
    
    
      * New upstream version
    
     -- Francois Marier <email address hidden>  Sun, 09 Nov 2008 23:45:15 +1300
  • mahara (1.0.5-2) unstable; urgency=high
    
    
      * Depend on libphp-snoopy instead of using the embedded copy shipped
        with Mahara (CVE-2008-4796, closes: #504170)
      * Backport upstream's patch (41189c30d198153dc66dc867e160dab948929458)
        to phpmailer (CVE-2007-3125, closes: #504253)
      * Add lintian overrides for the customised embedded libraries
    
     -- Francois Marier <email address hidden>  Mon, 03 Nov 2008 19:16:44 +1300
  • mahara (1.0.5-1) unstable; urgency=low
    
    
      * New Upstream Version
      * Fix comments in maintainer scripts (closes: #491924)
      * Add lintian override for embedded copies of mochikit
      * Bump debhelper compatibility to 7 to use dh_lintian
    
     -- Francois Marier <email address hidden>  Mon, 29 Sep 2008 13:00:12 +1300