2010
acidbase (1.4.5-2) unstable; urgency=low
* Use frontend dbconfig-common type to clear up issues (Closes:
#569317)
* Replace README.source from dpatch to quilt
* Add new 3.0 (quilt) source directory
* Update IfModule from mod_php4.c to mod_php5.c in apache.conf
* Update package to use debhelper 7
* Convert patches from dpatch to quilt
-- Jeremy T. Bouse <jbouse@debian.org> Thu, 22 Jul 2010 20:53:06 -0400
acidbase (1.4.5-1) unstable; urgency=low
* New upstream version -
- fixes undefined method errors in php 5.3 (Closes: #577570)
- addresses XSS vulnerabilities in CVE-2009-4839 (Closes: #587819)
* updated 02_update_external_links.dpatch for new version
-- Jeremy T. Bouse <jbouse@debian.org> Sat, 03 Jul 2010 02:01:54 -0400
2009
acidbase (1.4.4-3) unstable; urgency=medium
* debian/control: Dependencies for php-mail and php-mail-mime (Closes:
#561321) - thanks to Thomas Mueller <thomas@chaschperli.ch>
-- Jeremy T. Bouse <jbouse@debian.org> Wed, 16 Dec 2009 08:53:24 -0500
acidbase (1.4.4-2) unstable; urgency=low
* debian/control: Update depends against mysql & postgresql (LP:
#223405)
* debian/control: Add Vcs-* headers
* debian/gbp.conf: Add GBP config settings
-- Jeremy T. Bouse <jbouse@debian.org> Sun, 13 Dec 2009 11:24:06 -0500
acidbase (1.4.4-1) unstable; urgency=low
* Imported Upstream version 1.4.4 (Closes: #501644, #552235)
* debian/control: Remove David Gil as maintainer (Closes: #551636)
* debian/control: Bump Standards-Version to 3.8.3 and change Maintainer/Uploaders.
* debian/rules: Change to build in binary-indep to close lintian warnings.
* debian/README.source: Added README.source to clear lintian warning.
* debian/patches/02_update_external_links.dpatch: Snort ID webdatabase changed (Closes: #542770) - thanks to Robert Sander <robert.sander@epigenomics.com>
* debian/patches/08_update_whois_servers.dpatch: Removed as no longer needed
* debian/patches/11_use_trim_to_avoid_signature_problems.dpatch: fix patch against new version
* debian/po/fi.po: Initial Finnish debconf translation (Closes: #535118) - thanks to Esko Arajärvi <edu@iki.fi>
* debian/po/ja.po: Initial Japanese debconf translation (Closes: #556612) - thanks to Hideki Yamane (Debian-JP) <henrich@debian.or.jp>
* Updated debconf translations to change Report-Msgid-Bugs-To to jbouse@debian.org
* debian/patches/12_remove_php_image_graph.dpatch: Update patch for new version
* debian/patches/CVE-2007-6156.dpatch: Removed patch accepted by upstream
-- Jeremy T. Bouse <jbouse@debian.org> Fri, 27 Nov 2009 15:26:00 -0500
2008
acidbase (1.3.9-2) unstable; urgency=low
* debian/control: Bump Standards-Version to 3.8.0 with no changes.
* debian/watch: fixed watch file (Closes: #450227)
* debian/po/sv.po: Updated Swedish debconf translation (Closes: #492192)
* debian/patches/CVE-2007-6156.dpatch: describe the patch purpose and mention the CVE id and the bug closed.
* debian/templates: Use "All" as default choice for web server, to ensure that all available versions of apache are configured.
* debian/NEWS: reformat news file due to syntax errors, following the Developers Reference, section 6.3.4.
* debian/rules: don't install snortunified license (contrib/SnortUnified/LICENSE), already listed in debian/copyright.
* debian/prerm: set -e flag to maintainer script, which ensures that the script's execution is aborted when any executed command fails.
-- David Gil <dgil@telefonica.net> Thu, 16 Oct 2008 11:03:57 +0200
2007
acidbase (1.3.9-1) unstable; urgency=medium
* New upstream release.
* Changes in source package:
+ Renamed from base to acidbase
+ Removed contrib/docs/CVS directory
* debian/patches/CVE-2007-6156.dpatch: Fixed XSS bug in index.php
Thanks to Nico Golde for his patch (CVE-2007-6156; Closes: #453838)
* debian/patches/15_update_spanish_lang.dpatch: dropped, included upstream.
* debian/patches/00list: updated.
* Initial Dutch debconf translation (Closes: #436866)
* Added Homepage control field
* Added Vcs-{Cvs,Browser} fields
-- David Gil <dgil@telefonica.net> Sun, 02 Dec 2007 16:40:23 +0100
acidbase (1.3.8-1) unstable; urgency=low
* New upstream release.
* Updated Spanish language translation:
+ debian/patches/00list: updated.
+ debian/patches/15_update_spanish_lang.dpatch: added.
* debian/copyright: don't include the fpdf license anymore since the
library has been removed from the source.
* Removed DH_COMPAT environment variable in debian/rules. Created
a debian/compat file instead.
-- David Gil <dgil@telefonica.net> Wed, 11 Jul 2007 13:49:43 +0200
acidbase (1.3.6-1) unstable; urgency=low
* New upstream release.
* Depends on 'postgresql-client' dummy package, which will always
point to the latest version. Removed dependencies on specific
postgresql-client-X.Y packages (Closes: #422019).
* Updated 12_remove_php_image_graph patch.
-- David Gil <dgil@telefonica.net> Mon, 28 May 2007 11:16:30 +0200
acidbase (1.3.5-1) unstable; urgency=low
* New upstream release.
* Merged 13_fix_postgresql.dpatch into 01_default_config.dpatch
+ debian/patches/00list: Updated
+ debian/patches/01_default_config.dpatch: Updated
+ debian/patches/13_fix_postgresql.dpatch: Removed
-- David Gil <dgil@telefonica.net> Sun, 04 Mar 2007 13:38:54 +0100
acidbase (1.2.7-4) unstable; urgency=low
* Initial debconf translations:
- Portuguese (pt), thanks Traduz ML (Closes: #409201)
- German (de), thanks Matthias Julius (Closes: #408204)
- Russian (ru), thanks Yuri Kozlov (Closes: #408142)
- Norwegian (nb), thanks Bjørn Steensru (Closes: #408999)
* Updated debconf translations:
- Czech (cs), thanks Miroslav Kure (Closes: #408629)
-- David Gil <dgil@telefonica.net> Mon, 05 Feb 2007 14:18:21 +0100
2006
acidbase (1.2.7-3) unstable; urgency=low
* Complete the list of database clients dependencies needed by
dbconfig-common.
* Removed not needed php4-gd | php5-gd dependencies since php-image-graph
was removed in the last upload.
-- David Gil <dgil@telefonica.net> Mon, 25 Dec 2006 14:25:30 +0100
acidbase (1.2.7-2) unstable; urgency=high
* Urgency high, prevents this package from being removed from sid and
fixes an RC bug.
* Remove the dependency on php-image-color (Closes: #402406)
- remove the link from base_main.php to base_graph_main.php
- do not include base_graph_form.php in base_main.php
- modify base_graph_common.php so that it does not complain so loudly when
Image/Graph is not found. Just say that the functionality is currently
not available in Debian (due to license issues, point to the Bug
report) and say that users that need it will have to install the PEAR
modules.
- document in NEWS.Debian why the graphs have been removed and when will
they be reenabled in the front page.
* Workaround for the name change in dbconfig-common, the base_conf.php
script will substitute 'pgsql' with 'postgres'. This makes it possible
to setup a PostgreSQL configuration properly. (Closes: #402868)
* Introduce a space before the Homepage
-- Javier Fernandez-Sanguino Pen~a <jfs@computer.org> Tue, 12 Dec 2006 20:16:25 +0100
acidbase (1.2.7-1) unstable; urgency=high
* New upstream release.
[ David Gil ]
* Depend on all database clients supported by the package until a better
solution is adopted. See bugs #353617,#398634 for the discussion.
Thanks to Lucas Nussbaum, Andreas Henriksson, Steinar H. Gunderson and
Sean Finney for their work on this. (Closes: #398619)
* Updated French debconf template translation (Closes: #395055).
* RC bug fixed, urgency high.
[ Javier Fernandez-Sanguino ]
* Remove extra space in debian/control before the Homepage
* Add the license and author of the new contrib modules (for using
snort unified files) included in this base release in debian/copyright
-- David Gil <dgil@telefonica.net> Sat, 25 Nov 2006 13:31:27 +0100
acidbase (1.2.6-1) unstable; urgency=low
* New upstream release.
* Acknowledge NMU, thanks to Steinar H. Gunderson (Closes: #389544).
* Updated translations:
- debian/templates: Don't mark all choices as translatable. Applied a patch from Thomas Huriaux, thanks! (Closes: #377636)
- debian/po/sv.po: Updated Swedish debconf translation. Thanks to Daniel Nylander (Closes: #375746).
- debian/po/es.po: Updated Spanish debconf translation.
- debian/po/cs.po: Updated Czech debconf translation. Thanks to Miroslav Kure (Closes: #389202). (This was applied in the last NMU but not commented in the changelog)
* debian/control: Add extra space before Homepage at package description.
-- David Gil <dgil@telefonica.net> Wed, 27 Sep 2006 12:10:29 +0200
acidbase (1.2.5-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Make config and postrm scripts check for the existence of dbconfig-common
before attempting to use it. (Closes: #388219)
-- Steinar H. Gunderson <sesse@debian.org> Tue, 26 Sep 2006 12:59:07 +0200
acidbase (1.2.5-1) unstable; urgency=high
* New upstream release, which includes the following security improvements:
+ Added XSSPrintSafe() (array safe htmlspecialchars() function) and made
filterSql() use ADOdb qmagic()
+ Filtered all unfiltered (mainly auth system stuff) $_POST and $_GET
variables using filterSql()
+ Sanitized all $_SERVER variables to be protected against XSS attacks
These improvements fix the following security bugs:
+ Cross-site scripting (XSS) vulnerability (CVE-2006-1590)
(Closes: #363548).
+ Remote File Inclusion Vulnerabilities (CVE-2006-2685)
(Closes: #370576).
* debian/patches/02_update_external_links.dpatch : updated.
* Applied part of the patch from Paul Wise <pabs3@bonedaddy.net>:
+ Remove short description from long description
+ Update copyright file with more information
* Bump Standards-Version to 3.7.2 (no policy-related changes needed).
* Fix an annoying dbconfig-common error: Add dbc_dbtypes variable in
maintainer scripts, not only in config file.
This is related to bug #372948 (dbconfig-common: can not determine the
database type).
* Remove ucf file under /etc/acidbase on package purge.
-- David Gil <dgil@telefonica.net> Mon, 12 Jun 2006 21:20:37 +0200
acidbase (1.2.4-1) unstable; urgency=high
* New upstream release, which fixes many bugs including the following security bug:
- base_maintenance.php in BASE before 1.2.4 (melissa), when running in
standalone mode, allows remote attackers to bypass authentication,
possibly by setting the standalone parameter to "yes".
This fixes CVE-2006-1505 (Closes: #361139.)
* Added patch to fix a warning replacing strings in CleanVariable:
- debian/patches/03_fix_warning_in_CleanVariable.dpatch: added.
- debian/patches/00list: updated.
* Now base_conf.php has all its strings quoted with ' instead of ":
- debian/patches/01_default_config.dpatch: updated.
- debian/patches/02_update_external_links.dpatch: updated.
[ Javier Fernandez-Sanguino ]
* Po-debconf translation updates:
- Swedish by Daniel Nylander (Closes: #348881)
- Portuguese by Miguel Figueiredo (Closes: #349597)
- French by "Steve" (Closes: #351230, #366432)
-- David Gil <dgil@telefonica.net> Mon, 03 Apr 2006 12:16:33 +0200
acidbase (1.2.2-1) unstable; urgency=low
* New upstream release:
+ Fixed issue with signature names (Closes: #352246).
+ Fixed auto-refresh ignored for stat pages.
+ Fixed Sort order issues.
+ Added Portscan Information.
* First attempt at dbconfig-common support (Closes: #350376).
* Some templates have been rewritten in order to follow the developers
reference (Closes: #344052).
* patches/04_fix_sql_injection.dpatch: dropped, included upstream.
[ Javier Fernandez-Sanguino ]
* Update Spanish po-debconf translation
-- Javier Fernandez-Sanguino Pen~a <jfs@computer.org> Sun, 5 Mar 2006 20:04:58 +0100
acidbase (1.2.1-4) unstable; urgency=low
* Use dpatch system. Split .diff.gz into the following patches:
(See patches descriptions for more details)
- 01_default_config.dpatch
- 02_update_external_links.dpatch
- 04_fix_sql_injection.dpatch
- 08_update_whois_servers.dpatch
- 11_use_trim_to_avoid_signature_problems.dpatch
* Use debhelper compat level 5 and update build-dependencies accordingly.
* Initial Czech debconf translation, thanks Miroslav Kure! (Closes: #345309)
* Fixed "Wrong $DBtype setup" bug: Use 'postgres' instead of 'postgresql' in
db_type template (Closes: #347291)
* Updated watch file.
-- David Gil <dgil@telefonica.net> Thu, 12 Jan 2006 22:33:16 +0100
2005
acidbase (1.2.1-3) unstable; urgency=low
* Fixed bug "Can't delete alerts".
Don't filter action_chk_lst and action_lst http variables
since they are arrays, not strings. (Closes: #341180)
* I missed a colon in the last changelog entry, now really Closes: #338301.
* Added debconf templates translation.
+ New Spanish po file.
* Added watch file
[ Javier Fernandez-Sanguino Pen~a ]
* Reformatted debian/README.Debian and fix names that were pointing
to ACID
-- David Gil <dgil@telefonica.net> Fri, 02 Dec 2005 00:23:51 +0100
acidbase (1.2.1-2) unstable; urgency=low
* Fixed broken searching and graph plotting (Closes #338301)
* Removed debconf dependencies, ${misc:Depends} takes charge of them.
* Always ask for webserver configuration in postinst.
-- David Gil <dgil@telefonica.net> Sat, 12 Nov 2005 16:03:02 +0100
acidbase (1.2.1-1) unstable; urgency=low
[ David Gil ]
* New upstream release.
[ Javier Fernandez-Sanguino Pen~a ]
* SECURITY FIX:
Add proper filtering in all ImportHTTP variables using either the new
functions to check for numeric/alphanumeric chars or the filterSql()
function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
but also other attack vectors not mentioned in the initial advisory
(http://www.frsirt.com/english/advisories/2005/2188)
(Closes: #336788)
* To reduce the risk of possible vulnerabilities in the code, made the
default apache.conf allow access only from localhost and document this
in the (new) README.Debian file
* Added dependency on "debconf | debconf-2.0"
* Added alternative DNS lookups at Sam Spade
* Changed default alert database in debconf prompt to 'snort_log'
-- David Gil <dgil@telefonica.net> Mon, 31 Oct 2005 15:41:55 +0100
acidbase (1.2-2) unstable; urgency=low
* SECURITY FIX:
SQL injection vulnerability (CVE-2005-3325) (Closes: #335998)
* Install Apache configuration file if it is not present.
-- David Gil <dgil@telefonica.net> Sat, 29 Oct 2005 12:19:10 +0200
acidbase (1.2-1) unstable; urgency=low
* New upstream release.
* debian/copyright: Updated FSF's address.
* debian/postinst: Fixed bashism (Used [] && [] instead of [ -a ]).
-- David Gil <dgil@telefonica.net> Mon, 17 Oct 2005 08:33:44 +0200
acidbase (1.1.4-2) unstable; urgency=low
* Add /usr/share/php to apache configuration so that the
Image_Graph libraries are included too
* Fixed FSF address
* Removed bashism from maintainer script
-- Javier Fernandez-Sanguino Pen~a <jfs@computer.org> Tue, 11 Oct 2005 23:49:58 +0200
acidbase (1.1.4-1) unstable; urgency=low
[ David Gil ]
* Initial release (Closes: #323923, #319389).
* Add an Apache configuration file to Alias /acidbase.
* Package configuration through debconf.
* Modify sources so that they use a configuration file which is installed at /etc/acidbase/base_conf.php (owned by root, group www-data and mode 0640 since it contains sensitive information)
[ Javier Fernandez-Sanguino Pen~a ]
* Applied patches included in the acidlab package that apply to this package too:
- acidlab.011.diff: Added trim() to GetSingleSignatureReference in order to avoid problems when signatures contain spaces (this happens with snortcenter)
- acidlab.008.diff: update Whois servers' IP addresses (was Debian Bug #183623)
* Fixed location of signatures for Nessus (although the previous link works) and for ICAT (it is now the NVD - National Vulnerability Database)
-- David Gil <dgil@telefonica.net> Wed, 24 Aug 2005 17:07:16 +0200