2009
typo3-src (4.2.5-1+lenny2) stable-security; urgency=high
* Added patches (backported from 4.2.10) to fix the security issues
from "TYPO3 Security Bulletin TYPO3-SA-2009-016: Multiple
vulnerabilities in TYPO3 Core" with the following CVEs assigned:
CVE-2009-3628 TYPO3 Information disclosure
CVE-2009-3629 TYPO3 Cross-site scripting
CVE-2009-3630 TYPO3 Frame hijacking
CVE-2009-3631 TYPO3 Remote shell command execution
CVE-2009-3632 TYPO3 SQL injection
CVE-2009-3633 TYPO3 API function t3lib_div::quoteJSvalue XSS
CVE-2009-3634 TYPO3 Frontend Login Box (felogin) XSS
CVE-2009-3635 TYPO3 Insecure Authentication and Session Handling
CVE-2009-3636 TYPO3 Install Tool XSS
(Closes: 552020).
-- Christian Welzel <gawain@camlann.de> Thu, 22 Oct 2009 22:00:00 +0100
typo3-src (4.2.5-1+lenny1) testing-security; urgency=high
* Added patches (backported from 4.2.6) to fix a critical information
disclosure vulnerability in TYPO3 core and a XSS issue in TYPO3
backend module (Closes: 514713).
-- Christian Welzel <gawain@camlann.de> Mon, 10 Feb 2009 15:00:00 +0100
typo3-src (4.2.5-1) unstable; urgency=medium
* New upstream release.
- fixes a serious bug in session handling with not logged in FE-Users.
-- Christian Welzel <gawain@camlann.de> Mon, 26 Jan 2009 20:00:00 +0100
typo3-src (4.2.4-1) unstable; urgency=high
* New upstream release.
- fixes TYPO3 Security Bulletin TYPO3-SA-2009-001: Multiple vulnerabilities
in TYPO3 Core (Closes: 512608)
* Updated package description.
* Updated copyright file to list the license of two icons.
-- Christian Welzel <gawain@camlann.de> Thu, 22 Jan 2009 12:00:00 +0100
2008
typo3-src (4.2.3-1) unstable; urgency=high
* New upstream release.
- fixes XSS vulnerability in Typo3 backendmodul "fileadmin" (Closes: 505324)
- fixes XSS vulnerability in Typo3 sysext "felogin" (Closes: 505325)
- fixes the passwords are not changeable bug in the backend (Closes: 505326)
* added dependency on libjs-scriptaculous
-- Christian Welzel <gawain@camlann.de> Tue, 11 Nov 2008 20:00:00 +0100
typo3-src (4.2.2-1) unstable; urgency=low
* New upstream release.
-- Christian Welzel <gawain@camlann.de> Wed, 25 Jun 2008 20:00:00 +0100
typo3-src (4.2.1-3) unstable; urgency=low
* Fixed versioned dependency on libjs-prototype
-- Christian Welzel <gawain@camlann.de> Wed, 25 Jun 2008 20:00:00 +0100
typo3-src (4.2.1-2) unstable; urgency=low
* Moved libjs-prototype from Recommends-field do Depends-field.
-- Christian Welzel <gawain@camlann.de> Sun, 22 Jun 2008 11:00:00 +0100
typo3-src (4.2.1-1) unstable; urgency=low
* New upstream release.
- Support for php4 has been dropped.
* cleaned typo3.README.Debian and typo3-src-4.2.README.Debian
* some fixes to debian/rules
* Depend on libjs-prototype for prototype.js (Closes: 475282)
* Raised stardards version to 3.8.0
-- Christian Welzel <gawain@camlann.de> Fri, 20 Jun 2008 22:00:00 +0100
typo3-src (4.1.7-1) unstable; urgency=high
[ Christian Welzel ]
* New upstream release
- fixes TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core
(Closes: #485814)
[ Holger Levsen ]
* Change recommends from gs to ghostscript.
* Remove obsolete overrides for linda, which is obsolete itself.
* Fix spelling error in description.
-- Christian Welzel <gawain@camlann.de> Wed, 11 Jun 2008 15:00:00 +0100
typo3-src (4.1.6-1) unstable; urgency=low
* New upstream release. * Dependency changed from ttf-bitstream-vera to ttf-dejavu (Closes: 461294)
-- Christian Welzel <gawain@camlann.de> Sun, 09 Mar 2008 10:00:00 +0100
2007
typo3-src (4.1.5-1) unstable; urgency=medium
* New upstream release (Closes: 454265).
-- Christian Welzel <gawain@camlann.de> Fri, 14 Dec 2007 20:00:00 +0100
typo3-src (4.1.4-1) unstable; urgency=low
* New upstream release.
- Fixes a low-severity SQL injection in the modfunc2 of indexed_search
* t3lib/fonts/readme.txt is now patched by dpatch.
* nimbus.sfd.gz added to debian diff (perl encoded).
* copying of linda overides slightly changed.
* added watch file.
* unreleased.
-- Christian Welzel <gawain@camlann.de> Thu, 13 Dec 2007 21:00:00 +0100
typo3-src (4.1.2+debian-1) unstable; urgency=low
* New upstream release.
- Several improvements to avoid security issues by 3rd party extensions.
* Added linda overrides.
* Fixed some whitespaces in t3lib/fonts/readme.txt.
-- Christian Welzel <gawain@camlann.de> Wed, 18 Jul 2007 14:00:00 +0100
typo3-src (4.1.1+debian-1) unstable; urgency=low
* New upstream release.
- Fixes problem with rtehtmlarea and Mozilla Firefox 2.0.0.3
-- Christian Welzel <gawain@camlann.de> Wed, 04 Apr 2007 14:00:00 +0100
typo3-src (4.1.0+debian-1) unstable; urgency=low
* New upstream release.
-- Christian Welzel <gawain@camlann.de> Tue, 20 Mar 2007 09:00:00 +0100
typo3-src (4.0.5+debian-1) unstable; urgency=low
* New upstream release.
- Fixes "TYPO3 Security Bulletin TYPO3-20070221-1: Email header injection"
* Removed t3lib_div-PHP52.dpatch (now integrated by upstream)
* Fixed typo and added note to typo3.README.Debian (Closes: 405577)
-- Christian Welzel <gawain@camlann.de> Thu, 22 Feb 2007 21:00:00 +0100
2006
typo3-src (4.0.4+debian-2) unstable; urgency=low
* Added t3lib_div-PHP52.dpatch to fix crash of PHP 5.2.0
-- Christian Welzel <gawain@camlann.de> Fri, 22 Dec 2006 12:00:00 +0100
typo3-src (4.0.4+debian-1) unstable; urgency=high
* New upstream release.
- Fixed security problem in rtehtmlarea extension. (Closes: 403906)
-- Christian Welzel <gawain@camlann.de> Sat, 20 Dec 2006 23:35:41 +0100
typo3-src (4.0.3+debian-1) unstable; urgency=low
* New upstream release.
* added some comments on memory usage and further help to README.Debian.
(Closes: 403114)
* Changed ownership of /usr/share/typo3/typo3_src-4.0 to root:www-data.
* Dropped depend on imagemagick. Use graphicsmagick (better results).
-- Christian Welzel <gawain@camlann.de> Sat, 16 Dec 2006 23:05:41 +0100
typo3-src (4.0.2+debian-1) unstable; urgency=low
* Depend on ttf-bitstream-vera for vera.ttf (Closes: 374141)
* Repackaged source.tgz to include source and license of nimbus.ttf.
(Closes: 374137)
* Removed the creation of "latest"-link; typo3-dummy has hardcoded sourcedir.
-- Christian Welzel <gawain@camlann.de> Mon, 24 Nov 2006 12:37:00 +0200
typo3-src (4.0.2-3) unstable; urgency=low
* Do not depend on gs. This violate the policy. Recommend it.
* Removed suggestion of typo3-site-installer.
* Changed recommendation of mysql-server-4.1 to mysql-server.
* Changed recommendation of graphicsmagick-im-compat | imagemagick to
graphicsmagick | graphicsmagick-imagemagick-compat | imagemagick
-- Christian Welzel <gawain@camlann.de> Mon, 23 Nov 2006 19:37:00 +0200
typo3-src (4.0.2-2) unstable; urgency=low
* Do not depend on php-mysql. Recommendation is enough. * moved phpX-cgi to Depends as another alternative (Typo3 and PHP in fcgid) * added phpX-xcache to Recommends
-- Christian Welzel <gawain@camlann.de> Mon, 21 Oct 2006 19:37:00 +0200
typo3-src (4.0.2-1) unstable; urgency=low
* New maintainer (Closes: #388766). * New upstream release (Closes: #341709): - fixed by upstream: Remote command execution, arbitrary file viewing [CVE-2006-0327] (Closes: #364351). - fixed by upstream: Mail forms can be used to send spam (Closes: #364350). * removed recommendation of eaccelerator (Closes: #377821). * removed dep on non existing ooo_extract (Closes: #310776). * added alternative dep on php-cgi (Closes: #311277). * added alternative dep on php5 (Closes: #366533).
-- Christian Welzel <gawain@camlann.de> Mon, 18 Sep 2006 12:37:00 +0200
2005
typo3-src (3.7.0-8) unstable; urgency=low
* debian/control: depend on MySQL > 4.0.18 to allow the usage of the
versioning extension
-- Christian Leutloff <leutloff@debian.org> Wed, 11 May 2005 18:07:56 +0200
typo3-src (3.7.0-7) unstable; urgency=low
* debian/typo3.README.Debian: started new section with common pitfalls
-- Christian Leutloff <leutloff@debian.org> Mon, 9 May 2005 09:56:37 +0200
typo3-src (3.7.0-7) unstable; urgency=low
* debian/control: modified dependencies according to Michael Stucki
* debian/typo3.README.Debian: mention packages source for eaccelerator
and graphicsmagick
-- Christian Leutloff <leutloff@debian.org> Fri, 6 May 2005 14:57:06 +0200
typo3-src (3.7.0-6) unstable; urgency=low
* debian/typo3-src-3.7.prerm: can not remove the symlink maintained by this
package
* debian/typo3-src-3.7.postinst: reworked
* debian/typo3-src-3.7.README.Debian: updated to version 3.7
-- Christian Leutloff <leutloff@debian.org> Wed, 4 May 2005 21:48:04 +0200
typo3-src (3.7.0-5) unstable; urgency=low
* debian/control: added dependency to libapache2-mod-php4 | libapache-mod-php4
(thanks to Thomas Barth)
* typo3.README.Debian: clarified some points
-- Christian Leutloff <leutloff@debian.org> Wed, 4 May 2005 16:25:52 +0200
typo3-src (3.7.0-4) unstable; urgency=low
* control: added depned on postfix as an alternative to exim
* added TODO file
* typo3.README.Debian: concentrated now all the TYPO3 specific remarks
in this single file and added references in the READMEs of the other
packages
* renamed packages from typo3-db-dummy to typo3-dummy
-- Christian Leutloff <leutloff@debian.org> Wed, 4 May 2005 07:45:12 +0200
typo3-src (3.7.0-3) unstable; urgency=low
* typo3.README.Debian: more improvements through doing a step by step validation
-- Christian Leutloff <leutloff@debian.org> Fri, 22 Apr 2005 18:40:27 +0200
typo3-src (3.7.0-2) unstable; urgency=low
* polish package documention in typo3
-- Christian Leutloff <leutloff@debian.org> Mon, 11 Apr 2005 19:18:00 +0200
2004
typo3-src (3.7.0-1) unstable; urgency=low
* un-do package split because the way choosen was to simple
-- Christian Leutloff <leutloff@debian.org> Tue, 23 Nov 2004 21:13:46 +0100
typo3-src (3.7.0-0.2) experimental; urgency=low
* Add dependency on libgd2-xpm (>= 2.0.28-2), as mentioned by
renedustmann@maxx2.de in news:typo3.install.debian on 13.08.2004 to be
a working combination.
* add provides typo3-frontend/typo3-backend
-- Christian Leutloff <leutloff@debian.org> Thu, 4 Nov 2004 10:51:32 +0100
typo3-src (3.7.0-0.1) experimental; urgency=low
* NMU, working towards inclusion into the Debian main archive
* update to new upstream version
* updated to Standards 3.6.1
* packaging reworked: split package in frontend and backend to allow
installation of frontend only servers (as mentioned in the Typo3-Book)
* packaging reworked: Undoing the "Move everything from /usr/share/typo3
to /var/lib/typo3 This solves all problems we had with
symlinks. However, I think it is not really FHS-conform, so I'm still
not happy with that." from 3.5.0-3 to be FHS and Debian conform.
* manage "lastest" symlink in postinst and prerm
* change package priority from extra to optional
-- Christian Leutloff <leutloff@debian.org> Wed, 3 Nov 2004 19:43:08 +0100
2003
typo3-src (3.5.0-7) experimental; urgency=low
* typo3-site-installer: complete rewrite * typo3-site-installer: added 2 more options (-a, -g) * the source of TYPO3 now belongs to root.root (was root.www-data) * example localconf.php: now using the im_noFramePrepended option * typo3-site-installer: manpage update * typo3-base now depends on apache or httpd (provided by apache-ssl, etc.)
-- Michael Stucki <mundaun@gmx.ch> Mon, 20 Oct 2003 23:00:24 +0200
typo3-src (3.5.0-6) experimental; urgency=low
* removed dependency for apache and php4 in typo3-base * typo3-site-installer: one more bugfix in sed command
-- Michael Stucki <mundaun@gmx.ch> Tue, 16 Sep 2003 01:07:37 +0200
typo3-src (3.5.0-5) experimental; urgency=low
* typo3-site-installer: Added README.Debian / removed obsolete documentation * Added a manpage for typo3-site-installer (thanks to Edelhard Becker) * typo3-site-installer.sh was renamed to typo3-site-installer * typo3-site-installer: accepts abolute paths now * typo3-site-installer: compatibility bugfix in sed command
-- Michael Stucki <mundaun@gmx.ch> Mon, 16 Jun 2003 18:11:53 +0100
typo3-src (3.5.0-4) experimental; urgency=low
* Fixes in typo3-base preinst script * typo3-site-installer does no more need to download a dummysite archive
-- Michael Stucki <mundaun@gmx.ch> Thu, 5 Jun 2003 17:42:08 +0100
typo3-src (3.5.0-3) experimental; urgency=low
* Added a localconf.php example
* Added a new package "typo3-site-installer" that contains a little install
helper
* Added a new package "typo3-env" which depends on all needed components.
"typo3-base" only recommends them, since you could still run your server
without them. However it's easier to to an 'apt-get install typo3-env'
since apt wouldn't worry about the recommendations else.
* Fix wrong PHP short tags: '<?' => '<?php'
* Fix permissions so that Lintian doesn't complain anymore
Files and directories are now writable for Apache by changing the owner of
them to www-data
* Move everything from /usr/share/typo3 to /var/lib/typo3
This solves all problems we had with symlinks. However, I think it is not
really FHS-conform, so I'm still not happy with that.
* control file: Turn all Suggests into Recommends
* Site is now based on typo3_src from http://typo3.sunsite.dk/unix-archives/
* php4-gd can no more be used (use php4-gd2 instead)
* wget and zip are no longer required
* README.Debian was updated
* Documentation has been updated / optimized
* Code cleanup / optimisations contributed by Edelhard Becker (thank you!)
-- Michael Stucki <mundaun@gmx.ch> Thu, 5 Jun 2003 02:07:28 +0100
typo3-src (3.5.0-2) experimental; urgency=low
* Change ownership of /var/lib/typo3 to www-data (webserver could not write
global extensions before)
* Fix problem with some missing files by adding symlinks in
/var/lib/typo3/<version> (this is only a workaround, I am not happy with
this solution...)
-- Michael Stucki <mundaun@gmx.ch> Wed, 26 Mar 2003 15:40:44 +0100
typo3-src (3.5.0-1) experimental; urgency=low
* New upstream release
* Move /var/cache/typo3 to /var/lib/typo3 (this was wrong, since extensions
are not really cache files...)
-- Michael Stucki <mundaun@gmx.ch> Sat, 22 Feb 2003 17:16:24 +0100
typo3-src (3.5b5-5) experimental; urgency=low
* Alter contents of debian/executables * Update TODO notes * Move typo3/ext to /var/cache/typo3/<version>/ext (keep read-only for now) * t3lib/config_default.php: Change 'TTFdpi' from 72 to 96
-- Michael Stucki <mundaun@gmx.ch> Tue, 11 Feb 2003 13:39:04 +0100
typo3-src (3.5b5-4) experimental; urgency=low
* Update TODO notes * Move typo3/temp to /var/cache/typo3/<version>/temp * Do some code cleanup in debian/rules
-- Michael Stucki <mundaun@gmx.ch> Thu, 6 Feb 2003 19:57:37 +0100
typo3-src (3.5b5-3) experimental; urgency=low
* Fix some dependencies
-- Michael Stucki <mundaun@gmx.ch> Thu, 6 Feb 2003 05:39:51 +0100
typo3-src (3.5b5-2) experimental; urgency=low
* Add a note in README.Debian about how to use this package at all
* Fix Lintian complains: Small changes in copyright file
* Add recommendation for php4-cgi (used by some direct_mail scripts)
* Fix Lintian complains: Change ownership of /typo3/temp from root to
www-data; remove write permission for group
* Fix permissions for executable scripts
* Add symlink that points to latest source installation
-- Michael Stucki <mundaun@gmx.ch> Sat, 1 Feb 2003 05:14:52 +0100
typo3-src (3.5b5-1) experimental; urgency=low
* Initial Release.
-- Michael Stucki <mundaun@gmx.ch> Fri, 31 Jan 2003 12:31:54 +0100