2007
phpbb2 (2.0.21-6) unstable; urgency=high
* Selected patches from upstream 2.0.22 for security issues:
* CVE-2006-6421: Cross-site scripting (XSS) vulnerability in the private
message box implementation (Closes: #402140).
* CVE-2006-6841: Cross Site Request Forgery was possible with some forms.
* CVE-2006-6840: Prevent negative start parameter. Exploitability unknown,
but flagged by upstream as a security fix and a harmless change.
* CVE-2006-6839: Improve check for bad redirection targets, exploitability
unknown, but flagged by upstream as a security fix and a harmless change.
(Closes: #402140)
* Added German debconf translation by Matthias Julius (Closes: #404160).
-- Thijs Kinkhorst <thijs@debian.org> Sun, 14 Jan 2007 17:35:23 +0100
2006
phpbb2 (2.0.21-5) unstable; urgency=low
[ Jeroen van Wolffelaar ]
* Also in comments in apache.conf w.r.t. second board, put the avatar
aliasing before the generic aliasing, because otherwise it won't work.
[ Thijs Kinkhorst ]
* Do not set special permissions on gallery path, it works fine without
write- but needs read permission for avatar display (Closes: #395470).
* Add Security section to README.Debian; also add register_globals off
setting for php5 in apache.conf.
* Add 051_only_show_active_users.diff: do not show users who have registered
but didn't confirm yet / haven't been approved by the admin in the member
list or as the "newest user" (Partially addresses: #391775).
-- Thijs Kinkhorst <thijs@debian.org> Mon, 13 Nov 2006 17:28:21 +0100
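The 2.0.21-5 entry above adds a register_globals off setting for php5 to the package's apache.conf, and the 2.0.18-1 entry further down explains why that matters: with register_globals=true, request parameters become PHP variables, which is what made the XSS, SQL injection and regular-expression code execution issues reachable. The fragment below is an added illustration, not the Debian package's own apache.conf; the /phpbb2 alias and the /usr/share/phpbb2/site document root are taken from the changelog, everything else (the Directory block, the Options and AllowOverride lines) is an assumption.

```apacheconf
# Added illustration (not the phpbb2 package's apache.conf): serve the board
# from the DocumentRoot named in the 2.0.8a-1 entry and disable register_globals
# for mod_php5 in a way that .htaccess or ini_set() cannot re-enable.
Alias /phpbb2 /usr/share/phpbb2/site

# Directory (not DirectoryMatch, see the 2.0.21-2 entry) and the settings in
# it are assumptions for this example.
<Directory /usr/share/phpbb2/site>
    Options -Indexes
    AllowOverride None

    <IfModule mod_php5.c>
        # php_admin_flag is the administrator-only form: unlike php_flag it
        # cannot be overridden per directory or at runtime, so the
        # register_globals cleaning code in phpBB is no longer the only line
        # of defence.
        php_admin_flag register_globals off
    </IfModule>
</Directory>
```

After reloading Apache, a quick check from the defender's side is to view a phpinfo() page served from that directory (temporarily, then remove it) and confirm that register_globals shows Off in both the "Local Value" and "Master Value" columns; if only one is Off, the setting is being overridden somewhere else in the configuration.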
phpbb2 (2.0.21-4) unstable; urgency=medium
* Medium urgency upload for low-risk, but still, security bug.
* CVE-2006-4758: patch admin/admin_board.php for file upload vulnerability
by administrator (Closes: #388120).
* Add XS-Vcs-Svn-Url header.
-- Thijs Kinkhorst <thijs@debian.org> Sun, 1 Oct 2006 13:12:40 +0200
phpbb2 (2.0.21-3) unstable; urgency=high
* Fix postrm scripts to work when debconf is not present anymore
(Closes: #388331).
-- Thijs Kinkhorst <thijs@debian.org> Sun, 17 Sep 2006 21:49:43 +0200
phpbb2 (2.0.21-2) unstable; urgency=low
* Enable previously disabled patch for visual confirmation (captcha)
for guest posting, in an attempt to reduce spam (Closes: #372081).
* Change DirectoryMatch to Directory in Apache config (Closes: #385053).
-- Thijs Kinkhorst <thijs@debian.org> Sat, 9 Sep 2006 20:36:44 +0200
phpbb2 (2.0.21-1) unstable; urgency=low
* New upstream release (Closes: #345359, #375865).
+ Addresses obscure security bug: XSS with onmouseover, only exploitable
with Internet Explorer and Allow HTML on which is highly unrecommended by
this package. (CVE-2005-4357, Closes: #344674, #345359)
+ Addresses even more obscure security bug: admin_smilies.php smile_url
Variable XSS (CVE-2006-0437, Closes: #352635).
+ Obsoletes 027_CVE-2006-1896_admin_cmd_exec.diff.
+ Improves randomness of gen_rand_string [CVE-2006-0632].
* Add 019_disable_logintries.diff: skip this new feature since it's
incompatible with the database-layout.
* [JvW] Add to source package disabled patch to enable visual confirmation
for guest posts if visual confirmation is enabled for registration
http://www.phpbb.com/files/mods/guest_confirmation_1_0_1a.mod
* Add 101_fix_german.diff: fixes for German translation, thanks Mathias
Hasselmann (Closes: #363676).
* Add Dutch translation by myself.
* Checked for standards version 3.7.2, no changes necessary.
* Update my maintainer address.
-- Thijs Kinkhorst <thijs@debian.org> Tue, 4 Jul 2006 15:23:28 +0200
phpbb2 (2.0.18-3) unstable; urgency=high
* High urgency because of a release critical security bug.
* Fix missing sanitizing of the Font Colour 3 variable in viewtopic.php,
which allowed for PHP code execution by board admins. Found by "noch22".
(Closes: #365533, CVE-2006-1896)
* Add Russian debconf translation, thanks Yuriy Talakan' (Closes: #367155).
-- Thijs Kinkhorst <kink@squirrelmail.org> Tue, 23 May 2006 12:23:54 +0200
2005
phpbb2 (2.0.18-2) unstable; urgency=medium
* Fix compression of SQL schemas, which broke phpbb2-conf-mysql too
(Closes: #341991)
* Fix upgrade of /usr/share/doc/phpbb2/schemas from dir to symlink by removing
the dir in preinst (Closes: #342081)
* [TK] Russian translation fixes by Alexander Gerasiov (Closes: #336623).
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Mon, 5 Dec 2005 19:40:11 +0100
phpbb2 (2.0.18-1) unstable; urgency=high
* New upstream release (Closes: #336587), fixing several security issues
(Closes: #336582):
- IE-specific cookie disclosure [CVE-2005-3310] (Closes: #335662)
- Inadequate preventive register_globals=true cleaning code
[CVE-2005-3415, CVE-2005-3416, CVE-2005-3417], because of this, the
following three items were actually exploitable:
+ Various cross-site scripting issues [CVE-2005-3418]
+ SQL injection [CVE-2005-3419]
+ Remote code execution via regular expressions [CVE-2005-3420]
(these three issues are also fixed themselves)
* Swedish debconf translations by Daniel Nylander (Closes: #334195).
* Upgrade debhelper compatibility to the recommended level 5.
[phpbb2-conf-mysql]
* Move database schemas to /usr/share/phpbb2/schemas, because
phpbb2-conf-mysql depends on them being present (Closes: #339700).
* [JvW] Updated to add new table that was added in 2.0.18, hopefully it
works, but no longer going to delay this upload for testing this change
-- Thijs Kinkhorst <kink@squirrelmail.org> Tue, 29 Nov 2005 22:06:33 +0100
phpbb2 (2.0.17-1) unstable; urgency=low
* New upstream bugfix release.
- But disable admin-reauthentication feature, while we don't use db-config
yet
* Update standards-version to 3.6.2, no changes.
* Add correct debconf dependency (Closes: #332064)
* Drop security patches backported from upstream.
* Make source and binary package version numbers the same (Closes: #312113).
* Fix spelling of Sí in Spanish translation (Closes: #314773).
* Swap Alias line in README.multiboard so avatars will work.
* Add dependency alternative for php4-sybase (MS SQL, Closes: #324923).
* Fix typo in short description.
* Add dependencies for php5 (Closes: #320843).
* Vietnamese debconf translations by Clytie Siddall (Closes: #316832).
* Italian debconf translations by Luca Monducci (Closes: #325781).
* Update languages: Korean; dropped Danish, Swedish and Finnish as
upstream broke it
-- Thijs Kinkhorst <kink@squirrelmail.org> Sun, 28 Aug 2005 17:50:43 +0200
phpbb2 (2.0.13+1-7) unstable; urgency=high
* Security: Update existing bbcode xss patch to incorporate latest
XSS vulnerability [CAN-2005-2161]. (Closes: #317739)
* Add missing CVE-id to -6 changelog. (Closes: #310827)
-- Thijs Kinkhorst <kink@squirrelmail.org> Thu, 12 May 2005 21:46:15 +0200
phpbb2 (2.0.13+1-6) unstable; urgency=high
* Security: Fix cross site scripting in [url] and [img] bbcode
[CAN-2005-1193, CAN-2005-1290]. (Closes: #308282)
* Jeroen: Change dependencies to work correctly when only having
libapache-mod-php installed, while remaining to work correctly when only
having 'php4' installed (from woody, then)
-- Thijs Kinkhorst <kink@squirrelmail.org> Thu, 12 May 2005 21:46:15 +0200
phpbb2 (2.0.13+1-5) unstable; urgency=high
* Security: Fix arbitrary execution of code in local files by any
administrator in template handling
* Security: warn about allow_html being a very dangerous setting
* Fix misnamed patch for Finnish language pack, now really including it at
build time (now really fixing #296756)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Sat, 30 Apr 2005 19:10:36 +0200
phpbb2 (2.0.13+1-4) unstable; urgency=medium
* Fix wrongly applied postgres character set patch (Closes: #298580)
* Urgency medium because of the above, postgres users will get annoying
warnings every time with -3
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Fri, 15 Apr 2005 21:34:51 +0200
phpbb2 (2.0.13+1-3) unstable; urgency=low
* Welcome Thijs Kinkhorst as co-maintainer, who did most of the work for
this upload
* Add README.multiboard: documentation for setting up multiple boards on
the same host (Closes: #298918)
* Set the correct client encoding for PostgreSQL servers, so it uses the
same charset as the webserver does. Patch from Peter Palfrader.
(Closes: #298580)
* Remove empty index.htm from the schemas directory (Closes: #298768)
* Remove unnecessary index.htm from site root (Closes: #298775)
* Fix test for local MySQL server in phpbb-conf-mysql so it won't fail
with MySQL 4.1 (Closes: #301218)
* Change priority of phpbb-conf-mysql to extra
* Some small documentation fixes
* Languages update: Updated Dutch (partially obsoleting the Debian patch),
introduced Sakha
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Wed, 30 Mar 2005 02:28:29 +0200
phpbb2 (2.0.13-2) unstable; urgency=high
* [CAN-2005-0673] Fix cross-site-scripting in private message signatures
and in normal posts when users have enabled HTML despite board prohibition,
based on anonymous patch on BugTraq:
http://lists.virus.org/bugtraq-0503/msg00087.html (Closes: #298690)
* In documentation tell that the initial admin user is 'Admin', not 'admin',
as in PostgreSQL this is significant (Closes: #298512)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Sun, 13 Mar 2005 18:57:14 +0100
phpbb2 (2.0.13-1) unstable; urgency=high
* New upstream release, closing critical security hole allowing anyone to
become board admin
* Fix a bug in the default apache config listing the Alias directives in the
wrong order. Due to the symlink, on default install this was no problem.
Thanks Jari Aalto (Closes: #296465)
* Add a symlink to a new README about templates in
/usr/share/share/phpbb2/templates, to give a hint to people not otherwise
reading the documentation like they should
* Fix quoting mistake in Finnish language pack, thanks Ari Hutka
(Closes: #296756)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Wed, 02 Mar 2005 02:05:17 +0100
phpbb2 (2.0.12-1) unstable; urgency=high
* New upstream release, closing several potential security bugs
+ Disabled version checking mechanism, because it piggybacks to phpbb.com,
and makes no sense in Debian either
+ Retained display of version number
* Languages: Added Vietnamese, dropped Romanian without Diacritics
* Added suggests to a DBMS (Closes: #292496)
* Override lintian warnings that are not applicable here (Closes: #294932)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Tue, 22 Feb 2005 01:21:49 +0100
phpbb2 (2.0.11-1) unstable; urgency=low
* New upstream release (Closes: #282840)
+ Drop security fix from 2.0.10-3, is now in upstream
* Updated a number of languages from upstream
* Added Czech debconf translation, thanks Miroslav Kure! (Closes: #282994)
* Include Debian-branded logos, kindly provided by 'Wolven'
* Fix location of Esperanto images, that language pack has broken
directories upstream
* Added patch to error out descriptively if the database module to connect
is not available. Previous behaviour was to silently die and give a blank
page, confusing quite a number of users
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Wed, 09 Feb 2005 13:57:26 +0100
2004
phpbb2 (2.0.10-3) unstable; urgency=high
* Fix exploit (in the wild) with highlighting feature in viewtopic.php
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Thu, 18 Nov 2004 20:31:25 +0100
phpbb2 (2.0.10-2) unstable; urgency=high
* Fix my autodetection patch to not try to overwrite global board config
with personal config of the admin changing the global config, also fix
detection of hostname when it is run on a non-default port
* Make the postgres_basic.sql also have sane defaults just like the mysql
one
* Patch a shameful amount of spelling errors in the Dutch language pack,
thanks Paul Slootman for noticing most of them (Closes: #253900)
* Improve the README.Debian to also tell about configuring apache
* Drop the <IfModule ...> </IfModule> conditional around the default
Aliases, as it makes not much sense
* Change "it's" to "its" in phpbb2-conf-mysql package description (oops...)
(Closes: #268537)
* Package uploaded by Norbert Tretkowski <nobse@debian.org>.
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Sun, 12 Sep 2004 23:01:22 +0200
phpbb2 (2.0.10-1) unstable; urgency=high
* New upstream security release (Closes: #259298, #260015)
* Fixed debconf typo, and added Japanese debconf translation, thanks to
Hideki Yamane (Closes: #258705)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Wed, 28 Jul 2004 23:30:39 +0200
phpbb2 (2.0.8a+1-4) unstable; urgency=low
* Add the Esperanto language to phpbb2-languages (required .orig.tar.gz
rebuild)
* Copyright statement updated with the literal general copyright statement
found in the docs dir, rather than one of the statements copied from the
.php source files.
* Allow the php module for apache2 too, and have apache2 as first webserver.
* Fix typo in postinst to work for apache-* and apache2 too, and make the
symlink end on '.conf' for wildcard includes (Closes: #246229)
* Do show full Debian version, it's useful, and hiding it doesn't help you
security-wise anyway.
* Postprocess all templates and php files to remove windows newlines. Thanks
Paul Slootman for noticing (Closes: #247145)
* Added French debconf translation, thanks to Eric Madesclair
(Closes: #246809)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Mon, 14 Jun 2004 22:50:00 +0200
phpbb2 (2.0.8a-3) unstable; urgency=low
* Added /etc/phpbb2/templates, where you can put your own templates. Debian
supplied templates are linked from there. Special request from Paul
Slootman (yeah, I'm doing favours for those who sponsor me :) ).
* Move the ucf --purge of config.php to package phpbb2-conf-mysql, but the
actual removal remains in phpbb2, which is the sane behaviour
(Closes: #243170)
* It is actually mail-transport-agent, not mail-transfer-agent: Oops, fixed
* On the forum, show only the upstream version, not the full debian version,
as that might give an indication about which security fixes were applied
in the event that phpbb gets security fixes backported
* phpbb2-conf-mysql: Don't put a timestamp in the generated config.php, so
prompting on changes is only performed when there are real changes
* phpbb2-conf-mysql: makepasswd code now fully moved to postinst, one
invocation was accidentally left over to config, where it could be not
working (Closes: #244876)
* Minor README.Debian textual fixes, install UPGRADING.Debian now too
(failed previously)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Fri, 23 Apr 2004 00:07:25 +0200
phpbb2 (2.0.8a-2) unstable; urgency=low
* Fix typo in phpbb2-conf-mysql postinst, causing initial testpost to
reappear on upgrade
* Added Conflicts and Depends so to prevent having phpbb2 and
phpbb2-languages concurrently installed with different notion of the
Documentroot (Closes: #242862)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Fri, 9 Apr 2004 18:03:22 +0200
phpbb2 (2.0.8a-1) unstable; urgency=low
* New upstream (Closes: #241818)
* Changed phpbb2 DocumentRoot from /usr/share/phpbb2 to
/usr/share/phpbb2/site and updated all references. See NEWS.
* Now use po-debconf for debconf templates, patch generously provided by
Martin Quinson (thanks!), who in progress also fixed my language a bit. In
addition, both Era Eriksson and Alexander Winston provided valuable
feedback on my language in the templates, of which large parts are
implemented (Closes: #236863)
* Recommend a mail-transfer-agent now, thanks Gürkan Sengün for the catch
* Show the Debian version number, don't get version number from database
* Fix stupid xargs invocation to prevent error when not building directly
from subversion, i.e. building from Debian-source (Closes: #242139)
* Document in the example config.php the $dbhost behaviour of phpBB w.r.t.
PostgreSQL, which is a bit non-standard (Closes: #239512)
* Bumped standards-version to 3.6.1 (no changes)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Mon, 5 Apr 2004 01:43:13 +0200
phpbb2 (2.0.6d-3) unstable; urgency=high
* The ``wow, _what_ happened during my vacation?!'' release
* Fix various security issues, all backported for now:
- Fixed redirect problems (2.0.7a)
- Fixed sql injection vulnerability in search (2.0.7a)
- Fixed several vulnerabilities in admin pages (2.0.8)
- Fixed sid checking code in admin/pagestart.php (2.0.8)
- Fixed injection vulnerabilities possible with the img bbcode tag (2.0.8)
- Limited allowed images in img bbcode tag to jpg, jpeg, gif and png (2.0.8)
- Fixed sql injection vulnerability in privmsg (2.0.8a)
* Made a silly error in debian/rules causing this version to fail to build
from source (see Bug#242139)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Sun, 28 Mar 2004 21:51:11 +0200
phpbb2 (2.0.6d-2) unstable; urgency=medium
* Security ``just before leaving for a week'' release, featuring a
cross-site scripting fix from 2.0.7, plus a minor bugfix, but nothing
else (Closes: #237869)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Wed, 17 Mar 2004 22:45:10 +0100
phpbb2 (2.0.6d-1) unstable; urgency=low
* New upstream release to fix cross-site scripting issue, and a few minor
one-line other fixes
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Mon, 1 Mar 2004 22:24:24 +0100
phpbb2 (2.0.6c-1) unstable; urgency=low
* Initial Release (Closes: #168166)
-- Jeroen van Wolffelaar <jeroen@wolffelaar.nl> Tue, 10 Feb 2004 12:00:14 +0100