acidbase (1.2.7-4) unstable; urgency=low
* Initial debconf translations:
- Portuguese (pt), thanks Traduz ML (Closes: #409201)
- German (de), thanks Matthias Julius (Closes: #408204)
- Russian (ru), thanks Yuri Kozlov (Closes: #408142)
- Norwegian (nb), thanks Bjørn Steensrud (Closes: #408999)
* Updated debconf translations:
- Czech (cs), thanks Miroslav Kure (Closes: #408629)
-- David Gil <dgil@telefonica.net> Mon, 05 Feb 2007 14:18:21 +0100
acidbase (1.2.7-3) unstable; urgency=low
* Complete the list of database client dependencies needed by
dbconfig-common.
* Removed the unneeded php4-gd | php5-gd dependencies since php-image-graph
was removed in the last upload.
-- David Gil <dgil@telefonica.net> Mon, 25 Dec 2006 14:25:30 +0100
acidbase (1.2.7-2) unstable; urgency=high
* Urgency high, prevents this package from being removed from sid and
fixes an RC bug.
* Remove the dependency on php-image-color (Closes: #402406)
- remove the link from base_main.php to base_graph_main.php
- do not include base_graph_form.php in base_main.php
- modify base_graph_common.php so that it does not complain so loudly when
Image/Graph is not found. Just say that the functionality is currently
not available in Debian (due to license issues, point to the Bug
report) and say that users that need it will have to install the PEAR
modules.
- document in NEWS.Debian why the graphs have been removed and when they
will be re-enabled in the front page.
* Workaround for the name change in dbconfig-common, the base_conf.php
script will substitute 'pgsql' with 'postgres'. This makes it possible
to setup a PostgreSQL configuration properly. (Closes: #402868)
* Introduce a space before the Homepage
-- Javier Fernandez-Sanguino Peña <jfs@computer.org> Tue, 12 Dec 2006 20:16:25 +0100
acidbase (1.2.7-1) unstable; urgency=high
* New upstream release.
[ David Gil ]
* Depend on all database clients supported by the package until a better
solution is adopted. See bugs #353617, #398634 for the discussion.
Thanks to Lucas Nussbaum, Andreas Henriksson, Steinar H. Gunderson and
Sean Finney for their work on this. (Closes: #398619)
* Updated French debconf template translation (Closes: #395055).
* RC bug fixed, urgency high.
[ Javier Fernandez-Sanguino ]
* Remove extra space in debian/control before the Homepage
* Add the license and author of the new contrib modules (for using
snort unified files) included in this base release in debian/copyright
-- David Gil <dgil@telefonica.net> Sat, 25 Nov 2006 13:31:27 +0100
acidbase (1.2.6-1) unstable; urgency=low
* New upstream release.
* Acknowledge NMU, thanks to Steinar H. Gunderson (Closes: #389544).
* Updated translations:
- debian/templates: Don't mark all choices as translatable. Applied a patch
from Thomas Huriaux, thanks! (Closes: #377636)
- debian/po/sv.po: Updated Swedish debconf translation. Thanks to Daniel
Nylander (Closes: #375746).
- debian/po/es.po: Updated Spanish debconf translation.
- debian/po/cs.po: Updated Czech debconf translation. Thanks to Miroslav Kure
(Closes: #389202). (This was applied in the last NMU but not commented in
the changelog)
* debian/control: Add extra space before Homepage at package description.
-- David Gil <dgil@telefonica.net> Wed, 27 Sep 2006 12:10:29 +0200
acidbase (1.2.5-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Make config and postrm scripts check for the existence of dbconfig-common
before attempting to use it. (Closes: #388219)
-- Steinar H. Gunderson <sesse@debian.org> Tue, 26 Sep 2006 12:59:07 +0200
acidbase (1.2.5-1) unstable; urgency=high
* New upstream release, which includes the following security improvements:
+ Added XSSPrintSafe() (array-safe htmlspecialchars() function) and made
filterSql() use ADOdb qmagic()
+ Filtered all unfiltered (mainly auth system stuff) $_POST and $_GET
variables using filterSql()
+ Sanitized all $_SERVER variables to be protected against XSS attacks
These improvements fix the following security bugs:
+ Cross-site scripting (XSS) vulnerability (CVE-2006-1590)
(Closes: #363548).
+ Remote File Inclusion Vulnerabilities (CVE-2006-2685)
(Closes: #370576).
* debian/patches/02_update_external_links.dpatch : updated.
* Applied part of the patch from Paul Wise <pabs3@bonedaddy.net>:
+ Remove short description from long description
+ Update copyright file with more information
* Bump Standards-Version to 3.7.2 (no policy-related changes needed).
* Fix an annoying dbconfig-common error: Add dbc_dbtypes variable in
maintainer scripts, not only in config file.
This is related to bug #372948 (dbconfig-common: can not determine the
database type).
* Remove ucf file under /etc/acidbase on package purge.
-- David Gil <dgil@telefonica.net> Mon, 12 Jun 2006 21:20:37 +0200
acidbase (1.2.4-1) unstable; urgency=high
* New upstream release, which fixes many bugs including the following security bug:
- base_maintenance.php in BASE before 1.2.4 (melissa), when running in
standalone mode, allows remote attackers to bypass authentication,
possibly by setting the standalone parameter to "yes".
This fixes CVE-2006-1505 (Closes: #361139).
* Added patch to fix a warning replacing strings in CleanVariable:
- debian/patches/03_fix_warning_in_CleanVariable.dpatch: added.
- debian/patches/00list: updated.
* Now base_conf.php has all its strings quoted with ' instead of ":
- debian/patches/01_default_config.dpatch: updated.
- debian/patches/02_update_external_links.dpatch: updated.
[ Javier Fernandez-Sanguino ]
* Po-debconf translation updates:
- Swedish by Daniel Nylander (Closes: #348881)
- Portuguese by Miguel Figueiredo (Closes: #349597)
- French by "Steve" (Closes: #351230, #366432)
-- David Gil <dgil@telefonica.net> Mon, 03 Apr 2006 12:16:33 +0200
acidbase (1.2.2-1) unstable; urgency=low
* New upstream release:
+ Fixed issue with signature names (Closes: #352246).
+ Fixed auto-refresh ignored for stat pages.
+ Fixed Sort order issues.
+ Added Portscan Information.
* First attempt at dbconfig-common support (Closes: #350376).
* Some templates have been rewritten in order to follow the developers
reference (Closes: #344052).
* patches/04_fix_sql_injection.dpatch: dropped, included upstream.
[ Javier Fernandez-Sanguino ]
* Update Spanish po-debconf translation
-- Javier Fernandez-Sanguino Peña <jfs@computer.org> Sun, 5 Mar 2006 20:04:58 +0100
acidbase (1.2.1-4) unstable; urgency=low
* Use dpatch system. Split .diff.gz into the following patches:
(See patches descriptions for more details)
- 01_default_config.dpatch
- 02_update_external_links.dpatch
- 04_fix_sql_injection.dpatch
- 08_update_whois_servers.dpatch
- 11_use_trim_to_avoid_signature_problems.dpatch
* Use debhelper compat level 5 and update build-dependencies accordingly.
* Initial Czech debconf translation, thanks Miroslav Kure! (Closes: #345309)
* Fixed "Wrong $DBtype setup" bug: Use 'postgres' instead of 'postgresql' in
db_type template (Closes: #347291)
* Updated watch file.
-- David Gil <dgil@telefonica.net> Thu, 12 Jan 2006 22:33:16 +0100
acidbase (1.2.1-3) unstable; urgency=low
* Fixed bug "Can't delete alerts".
Don't filter action_chk_lst and action_lst http variables
since they are arrays, not strings. (Closes: #341180)
* I missed a colon in the last changelog entry, now really Closes: #338301.
* Added debconf templates translation.
+ New Spanish po file.
* Added watch file
[ Javier Fernandez-Sanguino Peña ]
* Reformatted debian/README.Debian and fixed names that were pointing
to ACID
-- David Gil <dgil@telefonica.net> Fri, 02 Dec 2005 00:23:51 +0100
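The two filtering points recorded above, the array-safe htmlspecialchars() wrapper (XSSPrintSafe(), 1.2.5-1 entry) and the checkbox lists such as action_chk_lst that must not be passed to a string filter (1.2.1-3 entry), as an added illustration that is not BASE's own code; the function name and the sample form data are constructed for this example.

```php
<?php
// Added example, not from the BASE sources: an HTML escaper that walks
// arrays so request values can be escaped whether they arrive as a scalar
// or as a list (e.g. action_chk_lst[] checkboxes). Passing an array
// straight to htmlspecialchars() fails, which is the class of problem
// the array-safe wrapper in the changelog addresses.
function xss_print_safe($value)
{
    if (is_array($value)) {
        // Escape element by element, preserving keys.
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = xss_print_safe($v);
        }
        return $out;
    }
    // ENT_QUOTES escapes both ' and " so the value is also safe inside
    // HTML attribute values, not just in element text.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample resembling what a BASE form could submit.
$sample = array(
    'sig_name'       => 'WEB-MISC <script>alert(1)</script>',
    'action_chk_lst' => array('1', "O'Reilly", '<b>3</b>'),
);
$safe = xss_print_safe($sample);

echo $safe['sig_name'], "\n";
foreach ($safe['action_chk_lst'] as $i => $v) {
    echo "action_chk_lst[$i] = $v\n";
}
```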
acidbase (1.2.1-2) unstable; urgency=low
* Fixed broken searching and graph plotting (Closes #338301)
* Removed debconf dependencies, ${misc:Depends} takes charge of them.
* Always ask for webserver configuration in postinst.
-- David Gil <dgil@telefonica.net> Sat, 12 Nov 2005 16:03:02 +0100
acidbase (1.2.1-1) unstable; urgency=low
[ David Gil ]
* New upstream release.
[ Javier Fernandez-Sanguino Peña ]
* SECURITY FIX:
Add proper filtering in all ImportHTTP variables using either the new
functions to check for numeric/alphanumeric chars or the filterSql()
function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
but also other attack vectors not mentioned in the initial advisory
(http://www.frsirt.com/english/advisories/2005/2188)
(Closes: #336788)
* To reduce the risk of possible vulnerabilities in the code, made the
default apache.conf allow access only from localhost and document this
in the (new) README.Debian file
* Added dependency on "debconf | debconf-2.0"
* Added alternative DNS lookups at Sam Spade
* Changed default alert database in debconf prompt to 'snort_log'
-- David Gil <dgil@telefonica.net> Mon, 31 Oct 2005 15:41:55 +0100
acidbase (1.2-2) unstable; urgency=low
* SECURITY FIX:
SQL injection vulnerability (CVE-2005-3325) (Closes: #335998)
* Install Apache configuration file if it is not present.
-- David Gil <dgil@telefonica.net> Sat, 29 Oct 2005 12:19:10 +0200
acidbase (1.2-1) unstable; urgency=low
* New upstream release.
* debian/copyright: Updated FSF's address.
* debian/postinst: Fixed bashism (Used [] && [] instead of [ -a ]).
-- David Gil <dgil@telefonica.net> Mon, 17 Oct 2005 08:33:44 +0200
acidbase (1.1.4-2) unstable; urgency=low
* Add /usr/share/php to apache configuration so that the
Image_Graph libraries are included too
* Fixed FSF address
* Removed bashism from maintainer script
-- Javier Fernandez-Sanguino Peña <jfs@computer.org> Tue, 11 Oct 2005 23:49:58 +0200
acidbase (1.1.4-1) unstable; urgency=low
[ David Gil ]
* Initial release (Closes: #323923, #319389).
* Add an Apache configuration file to Alias /acidbase.
* Package configuration through debconf.
* Modify sources so that they use a configuration file which is installed at
/etc/acidbase/base_conf.php (owned by root, group www-data and mode 0640
since it contains sensitive information)
[ Javier Fernandez-Sanguino Peña ]
* Applied patches included in the acidlab package that apply to this package
too:
- acidlab.011.diff: Added trim() to GetSingleSignatureReference in order to
avoid problems when signatures contain spaces (this happens with snortcenter)
- acidlab.008.diff: update Whois servers' IP addresses (was Debian Bug #183623)
* Fixed location of signatures for Nessus (although the previous link works)
and for ICAT (it is now the NVD - National Vulnerability Database)
-- David Gil <dgil@telefonica.net> Wed, 24 Aug 2005 17:07:16 +0200