Change log for spip package in Debian

1 → 75 of 148 results
Published in experimental-release
spip (4.3.0~alpha.2+dfsg-1) experimental; urgency=medium

  [ Cerdic ]
  * feat: an `attribut_url()` function to format a URL that is to be
    used in an HTML attribute
  * fix: use the attribut_url() function to insert a URL into an
    HTML link

  [ Matthieu Marcillaud ]
  * build: bump security screen to version 1.16.0
  * build: version 4.3.0-alpha2

  [ RastaPopoulos ]
  * fix: override the `propre()` function so that it can be applied without
    error in templates

 -- David Prévot <email address hidden>  Fri, 31 May 2024 08:08:12 +0200
Published in sid-release
spip (4.2.13+dfsg-1) unstable; urgency=medium

  [ Cerdic ]
  * fix: avoid a preg on long strings if not necessary (perf issue)
  * feat: an `attribut_url()` function to format a URL that is to be
    used in an HTML attribute
  * fix: use the attribut_url() function to insert a URL into an
    HTML link

  [ Matthieu Marcillaud ]
  * build: bump security screen to version 1.16.0
  * build: version 4.2.13

  [ b_b ]
  * fix: restore the ability to hide certain fields of the editer_article &
    editer_rubrique forms from the `formulaire_charger` pipeline

  [ David Prévot ]
  * Track version 4.2 for now

 -- David Prévot <email address hidden>  Fri, 31 May 2024 07:45:50 +0200

Superseded in experimental-release
spip (4.3.0~alpha+dfsg-1) experimental; urgency=medium

  * Upload alpha to experimental

  [ Matthieu Marcillaud ]
  * build: version 4.3.0-alpha

  [ David Prévot ]
  * Update copyright

 -- David Prévot <email address hidden>  Thu, 09 May 2024 19:20:58 +0200
Superseded in sid-release
spip (4.2.12+dfsg-1) unstable; urgency=medium

  [ jluc ]
  * fix: In `email_valide`, avoid a regexp if there is nothing to test

  [ Matthieu Marcillaud ]
  * build: version 4.2.12

  [ Cerdic ]
  * fix: do not interrupt the authorization computation chain when
    autoriser() is called with an id_auteur=0 or a nonexistent one
  * fix: do not trigger a fatal error when trying to secure an action
    that was called without arg or hash

  [ nicod_ ]
  * fix: A single, more reliable query to test email uniqueness
  * fix: Put #debug-nav on top of #spip-debug

  [ JamesRezo ]
  * feat: deprecation of formulaire_recherche()

  [ b_b ]
  * fix: avoid overflow of the explanation content in the private area
    forms
  * fix: when generating a new password for an author, do not send an
    email if SPIP could not change it
  * fix: remove the DOCTYPE and comments from SVGs in the `balise_svg`
    filter

  [ touti ]
  * fix: prevent identifiers from ending up on two lines

 -- David Prévot <email address hidden>  Wed, 08 May 2024 09:33:54 +0200

Superseded in sid-release
spip (4.2.11+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Version SPIP 4.2.11

  [ JamesRezo ]
  * feat: maximum PHP version 8.3

  [ David Prévot ]
  * debian/rules: Fix get-orig-source
  * debian/control: Update Standards-Version to 4.7.0

 -- David Prévot <email address hidden>  Wed, 10 Apr 2024 08:00:15 +0200

Superseded in sid-release
spip (4.2.10+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * fix: Minipres display with unexpected content
    (PHP warnings, for example)
  * build: Version SPIP 4.2.10

  [ jluc ]
  * fix: Do not send email reminders for registration validation
    to authors without an email address

  [ Cerdic ]
  * fix: Avoid a memory leak in `generer_objet_info()`.

  [ nicod ]
  * fix: do not shrink icon width in horizontal mode

  [ David Prévot ]
  * Adapt get-orig-source to Gitlab hosting
  * Force system dependencies loading

 -- David Prévot <email address hidden>  Sat, 09 Mar 2024 16:39:54 +0100
Superseded in sid-release
spip (4.2.9+dfsg-2) unstable; urgency=medium

  * Upload compatible version with PHP 8.2 to unstable
  * Relax versioned dependency

 -- David Prévot <email address hidden>  Mon, 04 Mar 2024 22:21:40 +0100

Deleted in experimental-release (Reason: None provided.)
spip (4.2.9+dfsg-1) experimental; urgency=medium

  [ JLuc ]
  * fix: `identifiant_slug()` may have an empty separator
  * fix: always log a template error

  [ Matthieu Marcillaud ]
  * fix: Avoid a fatal SQL error when optimizing links with
    editorial objects that are no longer declared
  * fix: Tolerate a zero when parsing certain criteria `{critere 0,5}`
  * build: Version SPIP 4.2.9

  [ Cerdic ]
  * fix: do not forget to declare generic tags as
    'balise_calculee' to avoid their being escaped in (DATA) loops

 -- David Prévot <email address hidden>  Fri, 09 Feb 2024 10:10:08 +0100
Published in bullseye-release
spip (3.2.11-3+deb11u10) bullseye; urgency=medium

  * Backport security fix from 4.1.13
    - fix XSS when calling some templates

 -- David Prévot <email address hidden>  Thu, 21 Dec 2023 19:27:21 +0100
Published in bookworm-release
spip (4.1.9+dfsg-1+deb12u4) bookworm; urgency=medium

  * Backport security fix from 4.1.15
    - fix XSS in uploaded files using bigup

 -- David Prévot <email address hidden>  Fri, 12 Jan 2024 13:42:36 +0100
Superseded in sid-release
spip (4.1.15+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * build: version 4.1.14
    Fixes XSS in uploaded files using bigup

 -- David Prévot <email address hidden>  Fri, 12 Jan 2024 12:20:29 +0100

Superseded in experimental-release
spip (4.2.8+dfsg-1) experimental; urgency=medium

  [ Matthieu Marcillaud ]
  * build: version 4.2.8
    Fixes XSS in uploaded files using bigup

 -- David Prévot <email address hidden>  Fri, 12 Jan 2024 13:25:02 +0100
Superseded in experimental-release
spip (4.2.7+dfsg-1) experimental; urgency=medium

  [ nicod_ ]
  * fix: logo management buttons as btn_mini and the delete button as
    btn_secondaire

  [ Maïeul Rouquette ]
  * fix: when instituting an object, pass the object to the `pre_edition` and
    `post_editon` pipelines
  * fix(#5752): multi-step form: if everything went well, start over from
    scratch and not from the last step

  [ Matthieu Marcillaud ]
  * fix: Identical handling of the type parameter in `autoriser_exception` and
    `autoriser`
  * build: version 4.2.7

  [ RealET ]
  * fix: a PHP warning with var_profile=1

  [ placido ]
  * fix: runtime error in the (convoluted) case of a call on a missing image

  [ Cerdic ]
  * fix: when installing a fresh SPIP on a database without a backup_cles
    field, no webmaster account can be created because its password cannot
    be initialized, as the update query fails
  * fix(ux): do not have a 'cancel the job' button that looks like a
    'close the notification' button + one superfluous class
  * fix: if reading a stream never triggers feof, rely on
    fread()===false + reduce the timeout to avoid degrading performance
    too much
  * fix: a longer name for remote image caches to avoid collisions, while
    renaming old caches on the fly to avoid duplicating caches
  * fix: when text goes through echapper_html_suspect(), the context of
    models must not be lost
  * fix: models inserted in a text automatically inherit the context,
    without the editors' knowledge. Secure whatever would come from
    user-submitted variables

  [ tofulm ]
  * Fix: Avoid a fatal error in PHP 8.2 on `objet_inserer` and
    `article_inserer`

  [ David Prévot ]
  * Update mutualisation to 1.4.13

 -- David Prévot <email address hidden>  Thu, 21 Dec 2023 22:15:54 +0100
Superseded in sid-release
spip (4.1.13+dfsg-1) unstable; urgency=medium

  [ Cerdic ]
  * fix: models inserted in a text automatically inherit the context,
    without the editors' knowledge. Secure whatever would come from
    user-submitted variables

  [ Matthieu Marcillaud ]
  * build: version 4.1.13

  [ David Prévot ]
  * Update mutualisation to 1.4.13

 -- David Prévot <email address hidden>  Thu, 21 Dec 2023 13:42:01 +0100

Superseded in bullseye-release
spip (3.2.11-3+deb11u9) bullseye; urgency=medium

  * Backport security fix from 4.1.11
    - use an auth_desensibiliser_session() function to centralize extended
      authentication data filtering.

 -- David Prévot <email address hidden>  Sat, 08 Jul 2023 20:38:26 +0200
Superseded in experimental-release
spip (4.2.6+dfsg-1) experimental; urgency=medium

  [ Maïeul Rouquette ]
  * fix(5725): When a nonexistent model is called more than 10 times,
    do not block the calls that follow.

  [ RastaPopoulos ]
  * fix(5723): fix how JPG info is filled in, where it sometimes set
    jpeg instead of jpg and thus prevented them from being taken into account.

  [ Matthieu Marcillaud ]
  * fix: Avoid a Sodium error when migrating to SPIP 4.2 if
    author tokens are present
  * build: Version SPIP 4.2.6

 -- David Prévot <email address hidden>  Fri, 06 Oct 2023 07:59:56 +0200
Superseded in sid-release
spip (4.1.12+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Version 4.1.12

  [ David Prévot ]
  * Update mutualisation to 1.4.12

 -- David Prévot <email address hidden>  Thu, 07 Sep 2023 15:44:28 +0530

Superseded in experimental-release
spip (4.2.5+dfsg-1) experimental; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Version SPIP 4.2.5

  [ David Prévot ]
  * Update mutualisation to 1.4.12

 -- David Prévot <email address hidden>  Sun, 03 Sep 2023 23:38:05 +0530
Superseded in bookworm-release
spip (4.1.9+dfsg-1+deb12u2) bookworm; urgency=medium

  * Backport security fix from 4.1.11
    - use an auth_desensibiliser_session() function to centralize extended
      authentication data filtering.

 -- David Prévot <email address hidden>  Sat, 08 Jul 2023 20:29:04 +0200
Superseded in sid-release
spip (4.1.11+dfsg-1) unstable; urgency=medium

  [ Cerdic ]
  * security: Use a dedicated function to clean author data when preparing
    a session

  [ Matthieu Marcillaud ]
  * build: Version 4.1.11

 -- David Prévot <email address hidden>  Sat, 08 Jul 2023 20:16:37 +0200

Superseded in experimental-release
spip (4.2.4+dfsg-1) experimental; urgency=medium

  [ Cerdic ]
  * security: Use a dedicated function to clean author data when preparing
    a session

  [ Matthieu Marcillaud ]
  * build: Version 4.2.4

 -- David Prévot <email address hidden>  Sat, 08 Jul 2023 20:09:50 +0200
Superseded in sid-release
spip (4.1.10+dfsg-1) unstable; urgency=medium

  [ Cerdic ]
  * security: limit the recursion depth of `protege_champ`
  * security: Improve c76770a by avoiding an `unserialize` in
    the security screen

  [ Matthieu Marcillaud ]
  * build: Version 4.1.10
  * build: Bump security screen to 1.5.3

  [ David Prévot ]
  * Add CVE to previous changelog entry
  * Update documented branch
  * Update mutualisation to 1.4.11

 -- David Prévot <email address hidden>  Fri, 09 Jun 2023 08:07:59 +0200

Superseded in experimental-release
spip (4.2.3+dfsg-1) experimental; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Bump security screen to 1.5.3
  * build: Version 4.2.3

  [ David Prévot ]
  * Build-depend on php-symfony-deprecation-contracts

 -- David Prévot <email address hidden>  Thu, 08 Jun 2023 08:07:56 +0200
Superseded in experimental-release
spip (4.2.2+dfsg-1) experimental; urgency=medium

  * Upload to experimental during the freeze

  [ Matthieu Marcillaud ]
  * build: Version SPIP 4.2.2

  [ David Prévot ]
  * Install upstream README
  * Update copyright
  * Update mutualisation to 1.4.11
  * Update dependencies wrt composer.json
  * Build JavaScript Load Image from source
  * Provide homemade autoload.php

  [ Guilhem Moulin ]
  * Add d/salsa-ci.yml for Salsa CI.

 -- David Prévot <email address hidden>  Thu, 25 May 2023 14:23:52 +0200
Superseded in bullseye-release
spip (3.2.11-3+deb11u7) bullseye-security; urgency=medium

  * Backport security fixes from v3.2.18
    - Fix remote code execution vulnerability in forms [CVE-2023-27372]
    - Bump security screen to 1.5.0
  * Backport regression fix from v3.2.19
    - Fix plugins dependencies activation

 -- David Prévot <email address hidden>  Tue, 28 Feb 2023 22:51:50 +0100
Superseded in bookworm-release
Superseded in sid-release
spip (4.1.9+dfsg-1) unstable; urgency=medium

  [ Cerdic ]
  * fix: avoid a fatal error when the id of the object assumed for
    the introduction is not found

  [ Matthieu Marcillaud ]
  * build: Version SPIP 4.1.9

 -- David Prévot <email address hidden>  Tue, 28 Feb 2023 21:25:27 +0100

Superseded in sid-release
spip (4.1.8+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Version SPIP 4.1.8

  [ Cerdic ]
  * Fix: Sanitize all values passed to forms
  * fix: Preemptively sanitize all values passed to forms
    in the security screen

  [ Guilhem Moulin ]
  * Add d/salsa-ci.yml for Salsa CI.

  [ David Prévot ]
  * Track version 4.1 for now (bookworm?)

 -- David Prévot <email address hidden>  Mon, 27 Feb 2023 23:11:50 +0100
Superseded in sid-release
spip (4.1.7+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Version 4.1.7

  [ David Prévot ]
  * Update lintian override info format in d/source/lintian-overrides.
  * Update standards version to 4.6.2, no changes needed.

 -- David Prévot <email address hidden>  Sat, 14 Jan 2023 12:24:58 +0100

Published in buster-release
spip (3.2.4-1+deb10u9) buster-security; urgency=medium

  * Backport security fixes from 3.2.16
    - Remote code execution
    - XSS allowing privilege escalation

 -- David Prévot <email address hidden>  Sat, 23 Jul 2022 09:44:41 +0200
Superseded in bullseye-release
spip (3.2.11-3+deb11u5) bullseye-security; urgency=medium

  * Backport security fixes from 3.2.16
    - Remote code execution
    - XSS allowing privilege escalation

 -- David Prévot <email address hidden>  Fri, 22 Jul 2022 20:07:47 +0200
Superseded in sid-release
spip (4.1.5+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * build: Version 4.1.5

  [ David Prévot ]
  * Update mutualisation to 1.4.10

 -- David Prévot <email address hidden>  Fri, 22 Jul 2022 08:21:53 +0200

Superseded in bullseye-release
spip (3.2.11-3+deb11u4) bullseye-security; urgency=high

  * Backport security fix from 3.2.15
    - Sanitizing and other XSS protections

 -- David Prévot <email address hidden>  Tue, 24 May 2022 16:22:53 +0200
Superseded in sid-release
spip (4.1.2+dfsg-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * Version 4.1.2

  [ David Prévot ]
  * Update mutualisation to 1.4.9
  * debian/rules: Don’t ship any .md file

 -- David Prévot <email address hidden>  Mon, 23 May 2022 21:44:51 +0200

Superseded in sid-release
spip (4.1.1+dfsg-1) unstable; urgency=medium

  * Upload release to unstable

  [ Matthieu Marcillaud ]
  * Version 4.1.1

 -- David Prévot <email address hidden>  Wed, 13 Apr 2022 09:25:47 +0200

Superseded in buster-release
spip (3.2.4-1+deb10u7) buster-security; urgency=high

  * Backport security fix from 3.2.14
    - arbitrary PHP code execution

 -- David Prévot <email address hidden>  Sat, 05 Mar 2022 17:17:35 +0100
Superseded in bullseye-release
spip (3.2.11-3+deb11u3) bullseye-security; urgency=high

  * Backport security fix from 3.2.14
    - arbitrary PHP code execution

 -- David Prévot <email address hidden>  Sat, 05 Mar 2022 17:08:04 +0100
Superseded in sid-release
spip (4.0.5-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * Version 4.0.5

  [ David Prévot ]
  * Track version 4.0 for now

 -- David Prévot <email address hidden>  Sat, 05 Mar 2022 15:49:46 +0100
Deleted in experimental-release (Reason: None provided.)
spip (4.1.0~rc+dfsg-1) experimental; urgency=medium

  [ Matthieu Marcillaud ]
  * Version 4.1.0-rc

  [ David Prévot ]
  * Adapt packaging to removed files

 -- David Prévot <email address hidden>  Sat, 05 Mar 2022 17:55:33 +0100
Superseded in experimental-release
spip (4.1.0~beta+dfsg-1) experimental; urgency=medium

  [ Matthieu Marcillaud ]
  * Version 4.1.0-beta

 -- David Prévot <email address hidden>  Sat, 19 Feb 2022 10:46:26 -0400
Superseded in experimental-release
spip (4.1.0~alpha+dfsg-1) experimental; urgency=medium

  * Upload alpha to experimental

  [ Matthieu Marcillaud ]
  * Version 4.1.0-alpha

  [ David Prévot ]
  * Track dev versions
  * Don’t ship test data
  * Drop php-pclzip dependency
  * Use libjs-jquery-jstree
  * Update copyright
  * Use shipped version of php-xml-htmlsax3

 -- David Prévot <email address hidden>  Sat, 12 Feb 2022 11:34:15 -0400
Superseded in sid-release
spip (4.0.4-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * Version 4.0.4

  [ b_b ]
  * properly check the right to modify the login in formulaire_editer_auteur

  [ David Prévot ]
  * Revert "Use libjs-sortable"

 -- David Prévot <email address hidden>  Sat, 05 Feb 2022 09:45:17 -0400

Superseded in sid-release
spip (4.0.2-1) unstable; urgency=medium

  * Upload version compatible with PHP 8 to unstable

  [ Matthieu Marcillaud ]
  * Version 4.0.2

 -- David Prévot <email address hidden>  Tue, 25 Jan 2022 18:18:01 -0400

Deleted in experimental-release (Reason: None provided.)
spip (4.0.1-1) experimental; urgency=medium

  * Upload new major version to experimental

  [ Matthieu Marcillaud ]
  * Version 4.0.1
  * PHP 8 compat (Closes: #977340)

  [ David Prévot ]
  * Revert "Track version 3 for now"
  * Factorize minification
  * Don’t ship:
    - vcs-control-file,
    - composer, phpcs, phpstan files,
    - icon sources
  * Drop dependencies:
    - libjs-jquery-ui
    - libjs-jquery-colorbox
    - libjs-jquery-flot
    - libjs-jquery-migrate-1
    - libjs-excanvas
    - libjs-moment
  * Add dependencies:
    - libjs-twitter-bootstrap-datepicker
    - libjs-sortable
    - libjs-prefix-free
  * Update js.cookie.js path
  * Update copyright

 -- David Prévot <email address hidden>  Fri, 24 Dec 2021 16:36:42 -0400
Superseded in sid-release
spip (3.2.12-1) unstable; urgency=medium

  [ Matthieu Marcillaud ]
  * Version 3.2.12

  [ David Prévot ]
  * Track version 3 for now
  * Update copyright (years)
  * Update standards version to 4.6.0, no changes needed.
  * Drop misplaced changelog

 -- David Prévot <email address hidden>  Tue, 14 Dec 2021 11:47:02 -0400

Superseded in bullseye-release
Superseded in sid-release
spip (3.2.11-3) unstable; urgency=medium

  * Adapt symlink to changed path in latest node-js-cookie.
    Thanks to Andreas Beckmann <email address hidden> (Closes: #988853)

 -- David Prévot <email address hidden>  Fri, 21 May 2021 11:14:54 -0400

Superseded in sid-release
spip (3.2.11-2) unstable; urgency=medium

  * Upload to unstable with the Release Team approval
  * Update debian/copyright

 -- David Prévot <email address hidden>  Fri, 26 Mar 2021 15:37:27 -0400

Superseded in buster-release
spip (3.2.4-1+deb10u4) buster-security; urgency=high

  * Document CVE IDs in previous changelog entries
  * Backport security fixes from 3.2.9
    - PHP injections, XSS and secrets stored in session file

 -- David Prévot <email address hidden>  Fri, 05 Feb 2021 11:35:35 -0400
Deleted in experimental-release (Reason: None provided.)
spip (3.2.11-1) experimental; urgency=medium

  * Upload to experimental during the freeze

  [ Matthieu Marcillaud ]
  * Compat PHP 7.4
  * Version SPIP 3.2.11

  [ David Prévot ]
  * Refresh patches header

 -- David Prévot <email address hidden>  Fri, 26 Mar 2021 13:45:07 -0400
Superseded in sid-release
spip (3.2.9-1) unstable; urgency=medium

  * Critical security fixes, allowing identified authors to execute arbitrary
    PHP code, and XSS

  [ Matthieu Marcillaud ]
  * Version 3.2.9

  [ David Prévot ]
  * Update mutualisation to 1.4.7
  * Simplify gbp import-orig

 -- David Prévot <email address hidden>  Fri, 12 Feb 2021 14:33:59 -0400

Superseded in sid-release
spip (3.2.8-2) unstable; urgency=medium

  * Document CVE IDs in previous changelog entries
  * Use minify instead of uglifyjs (Closes: #979960)
  * Update watch file format version to 4.
  * Update Standards-Version to 4.5.1
  * Drop d/lintian-overrides, syntax changed

 -- David Prévot <email address hidden>  Tue, 12 Jan 2021 09:11:37 -0400

Superseded in buster-release
spip (3.2.4-1+deb10u3) buster-security; urgency=medium

  * Backport security fixes from 3.2.8
    - Critical security issue, allowing identified authors to execute
      arbitrary PHP code

 -- David Prévot <email address hidden>  Mon, 23 Nov 2020 12:10:16 -0400
Superseded in sid-release
spip (3.2.8-1) unstable; urgency=medium

  * Critical security fix, allowing identified authors to execute arbitrary
    PHP code

  [ Matthieu Marcillaud ]
  * Version 3.2.8

  [ David Prévot ]
  * Allow Apache to access some directories in /var/lib/spip/sites/
    Thanks to Vincent
  * Rename main branch to debian/latest (DEP-14)
  * debian/watch: Adapt to lowercase spip
  * debian/control:
    - Set Rules-Requires-Root: no.
    - Update standards version to 4.5.0, no changes needed
    - Use debhelper-compat 13
  * debian/rules:
    - Simplify dh_link override
    - Adapt get-orig-source to Git source
  * debian/mutualisation:
    - Update mutualisation as of r125427
    - Update mutualisation to Git source
  * debian/upstream/metadata:
    - Set upstream metadata fields: Bug-Database, Bug-Submit.
    - Fix URLs
  * debian/copyright:
    - Update Source
    - Update years

 -- David Prévot <email address hidden>  Tue, 29 Sep 2020 17:03:05 -0400

Published in stretch-release
spip (3.1.4-4~deb9u3) stretch-security; urgency=medium

  * Backport security fixes from 3.1.11
    - Critical security fix, allowing unidentified visitor to modify any
      published content and execute other modifications in database
      [CVE-2019-16391]
    - Other security fixes:
      + better sanitization on redirections [CVE-2019-16393]
      + don’t disclose if user exists when resetting password [CVE-2019-16394]
      + better error message sanitization on login page [CVE-2019-16392]
    - Update security screen to 1.3.12
  * Add CVE ID to previous changelog entry

 -- David Prévot <email address hidden>  Mon, 16 Sep 2019 12:02:26 -1000
Superseded in buster-release
spip (3.2.4-1+deb10u2) buster-security; urgency=medium

  * Backport security fix from 3.2.7
    - Critical security fix, allowing identified authors to inject content
      into database
    - Update security screen to 1.3.13
  * Fix PHP 7.3 compatibility issue.
    The regexes were wrong, and started failing with PHP 7.3, causing plugins
    to be disabled and impossible to enable again on upgrade.

 -- David Prévot <email address hidden>  Thu, 12 Dec 2019 10:22:39 -1000
Superseded in sid-release
spip (3.2.7-1) unstable; urgency=medium

  * Critical security fix, allowing identified authors to inject content
    into database

  [ <email address hidden> ]
  * SPIP 3.2.7

  [ David Prévot ]
  * Add CVE ID to previous changelog entry
  * Update standards version to 4.4.1, no changes needed.
  * Set upstream metadata fields: Repository, Repository-Browse.

 -- David Prévot <email address hidden>  Thu, 12 Dec 2019 10:02:58 -1000

Superseded in buster-release
spip (3.2.4-1+deb10u1) buster-security; urgency=medium

  * Backport security fixes from 3.2.5
    - Critical security fix, allowing unidentified visitor to modify any
      published content and execute other modifications in database
      [CVE-2019-16391]
    - Other security fixes:
      + better sanitization on redirections [CVE-2019-16393]
      + don’t disclose if user exists when resetting password [CVE-2019-16394]
      + better error message sanitization on login page [CVE-2019-16392]
    - Update security screen to 1.3.12
  * Add d/gbp.conf for buster
  * Add CVE ID to previous changelog entry
  * Refresh patch headers

 -- David Prévot <email address hidden>  Mon, 16 Sep 2019 11:45:48 -1000
Superseded in sid-release
spip (3.2.5-1) unstable; urgency=medium

  * Critical security fix, allowing unidentified visitor to modify any
    published content and execute other modifications in database
  * Other security fixes:
    - better sanitization on redirections
    - don’t disclose if user exists when resetting password
    - better error message sanitization on login page

  [ <email address hidden> ]
  * SPIP 3.2.5

  [ David Prévot ]
  * Add CVE ID to previous changelog entry
  * Refresh patch headers
  * Update standards version, no changes needed.
  * Fix manpage section

 -- David Prévot <email address hidden>  Mon, 16 Sep 2019 09:01:57 -1000

Superseded in stretch-release
spip (3.1.4-4~deb9u2) stretch-security; urgency=medium

  * Update security screen to 1.3.11
  * Backport security fix from 3.1.10
    - Arbitrary code execution for any identified visitor (Closes: #926764)

 -- David Prévot <email address hidden>  Wed, 10 Apr 2019 16:26:35 +0900
Superseded in buster-release
Superseded in sid-release
spip (3.2.4-1) unstable; urgency=medium

  * Critical security fix allowing arbitrary code execution to any
    identified visitor

  [ <email address hidden> ]
  * SPIP 3.2.4

 -- David Prévot <email address hidden>  Wed, 10 Apr 2019 14:21:19 +0900

Superseded in buster-release
Superseded in sid-release
spip (3.2.3-1) unstable; urgency=medium

  [ <email address hidden> ]
  * SPIP 3.2.3 tag spip

  [ David Prévot ]
  * Update mutualisation to 1.4.5
  * Update copyright
  * Use debhelper-compat 12
  * Update Standards-Version to 4.3.0

 -- David Prévot <email address hidden>  Thu, 24 Jan 2019 11:27:02 -1000

Superseded in buster-release
Superseded in sid-release
spip (3.2.1-1) unstable; urgency=medium

  [ David Prévot ]
  * New upstream version
  * Use priority optional
  * Update mutualisation to 1.4.4
  * Drop dead list from Maintainer (and Romain from Uploaders)
    Closes: #899895
  * Move project repository to salsa.d.o
  * Use https whenever possible in debian/
  * Use debhelper-compat 11
  * Update Standards-Version to 4.2.1
  * Depend on
    - libjs-jquery-migrate-1
    - libjs-moment
    - node-js-cookie instead of libjs-jquery-cookie
    - php-xml (split from php)
  * Recommend default-mysql-server instead of mysql-server (Closes: #848450)
  * Use shipped in version of php-html-safe
  * Get rid of Cherokee configuration
  * Use dh-apache2 to handle the default webserver configuration
  * Drop old symlink conversions
  * Update copyright
  * Update minimisation
  * Use rewrite for multisite
  * Make chown non-recursive in postinst
  * Drop trailing whitespace in changelog

 -- David Prévot <email address hidden>  Wed, 28 Nov 2018 16:37:40 -1000

Superseded in stretch-release
spip (3.1.4-4~deb9u1) stretch-security; urgency=medium

  * Upload previous fixes to stretch

 -- David Prévot <email address hidden>  Sun, 10 Jun 2018 16:49:16 -1000
Published in jessie-release
spip (3.0.17-2+deb8u4) jessie-security; urgency=medium

  * Update security screen to 1.3.6
  * Backport security fixes from 3.0.27
    - Secure inserted URL in anchors
    - Secure URLs sent by self()
    - Escape charset in error message
    - Allow filter mode to be passed in interdire_scripts()
    - No onclick nor JS popup in footer
    - [Privacy] add rel attribute (noopener noreferrer) in private footer
    - PHP injection via XML file

 -- David Prévot <email address hidden>  Sun, 10 Jun 2018 19:15:29 -1000
Superseded in buster-release
Superseded in sid-release
spip (3.1.4-4) unstable; urgency=medium

  * Update security screen to 1.3.6
  * Backport security fixes from 3.1.7
    - Do not disclose PHP version in headers
    - Secure inserted URL in anchors
    - Secure URLs sent by self()
    - Escape charset in error message
    - Allow filter mode to be passed in interdire_scripts()
    - No onclick nor JS popup in footer
    - Fix missing escapes
    - Secure _T() and _L() arguments
    - Provide a sanitize option for _T() and _L()
    - Deactivate sanitization when calling _T() in affdate_debut_fin() that
      uses secured data
    - Cross-site scripting (XSS) vulnerability [CVE-2017-15736]
      (Closes: #879954)
    - [Privacy] add rel attribute (noopener noreferrer) in private footer
  * Backport security fix from 3.1.8
    - PHP injection via XML file
  * Drop dead list from Maintainer (and Romain from Uploaders) (Closes: #899895)
  * Move project repository to salsa.d.o

 -- David Prévot <email address hidden>  Sun, 10 Jun 2018 14:57:12 -1000

Superseded in stretch-release
spip (3.1.4-3~deb9u1) stretch-security; urgency=high

  * Upload previous fixes to Stretch
  * Update previous changelog entry with CVE and bug report

 -- David Prévot <email address hidden>  Mon, 19 Jun 2017 09:36:46 -1000
Superseded in buster-release
Superseded in sid-release
spip (3.1.4-3) unstable; urgency=high

  * Track Stretch
  * Backport security fix from 3.1.6
    - Execution of arbitrary code
  * Update security screen to 1.3.2

 -- David Prévot <email address hidden>  Wed, 14 Jun 2017 10:43:54 -1000

Superseded in stretch-release
Superseded in sid-release
spip (3.1.4-2) unstable; urgency=medium

  * Fix broken symlink with recent libjs-jquery-ui.
    Thanks to Andreas Beckman (Closes: #857818)
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Remove incorrect statement that those security issues had been fixed from
    the previous changelog entry
  * Remove incorrect execution bit for ecrire/inc/idna_convert.class.php

 -- David Prévot <email address hidden>  Wed, 26 Apr 2017 20:51:45 -1000

Superseded in jessie-release
spip (3.0.17-2+deb8u3) jessie; urgency=medium

  * Document CVE in previous changelog entry
  * Update security screen to 1.3.0
  * Backport security fixes from 3.0.23
    - Multiple XSS issues
  * Backport security fixes from 3.0.24
    - Server side request forgery (SSRF) attacks via the var_url parameter
      [CVE-2016-7999]
    - Directory traversal vulnerability in ecrire/exec/valider_xml.php
      [CVE-2016-7982]
    - Execution of arbitrary PHP code by authenticated users [CVE-2016-7998]
    - Cross-site request forgery (CSRF) vulnerability in
      ecrire/exec/valider_xml.php [CVE-2016-7980]
    - Cross-site scripting (XSS) vulnerability in valider_xml.php
      [CVE-2016-7981]
  * Backport security fixes from 3.2-alpha-1
    - Reflected Cross Site Scripting Vulnerabilities in
      /ecrire/exec/puce_statut.php and /ecrire/exec/info_plugin.php
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php
      [CVE-2016-9152] (Closes: #847156)
  * Backport security fix from 3.0.25
    - Execution of arbitrary PHP code

 -- David Prévot <email address hidden>  Wed, 26 Apr 2017 18:02:00 -1000
Superseded in stretch-release
Superseded in sid-release
spip (3.1.4-1) unstable; urgency=high

  [ Adriano Rafael Gomes ]
  * Add Brazilian Portuguese debconf templates translation (Closes: #829339)

  [ David Prévot ]
  * New upstream version 3.1.4, with security fixes:
    - Arbitrary PHP execution code
    - Reflected Cross Site Scripting (XSS) Vulnerabilities
      [CVE-2016-9997] [CVE-2016-9998] (Closes: #848641)
    - Cross-site scripting (XSS) vulnerability
      [CVE-2016-9152] (Closes: #847156)
  * Update mutualisation to 1.3.5
  * Update copyright

 -- David Prévot <email address hidden>  Sat, 11 Mar 2017 08:24:16 -1000

Superseded in stretch-release
Superseded in sid-release
spip (3.1.3-1) unstable; urgency=high

  * Upload stable 3.1 branch to unstable for Stretch
  * Document CVE in previous changelog entry
  * New upstream version 3.1.2, with non-critical XSS security fixes
  * New upstream version 3.1.3, with security fixes:
    - Exec Code Cross-Site Request Forgery [CVE-2016-7980]
    - Reflected Cross-Site Scripting [CVE-2016-7981]
    - File Enumeration / Path Traversal [CVE-2016-7982]
    - Template Compiler/Composer PHP Code Execution [CVE-2016-7998]
    - Server Side Request Forgery [CVE-2016-7999]
  * Refresh mutualisation as of r99658
  * Update Standards-Version to 3.9.8

 -- David Prévot <email address hidden>  Thu, 13 Oct 2016 07:33:27 -1000

Published in wheezy-release
spip (2.1.17-1+deb7u5) wheezy-security; urgency=high

  * Update displayed version
  * Backport security fixes from 2.1.29
    - PHP code injection
    - Objects injection via unserialize
  * Update security screen to 1.2.4

 -- David Prévot <email address hidden>  Thu, 10 Mar 2016 20:47:57 -0400
Superseded in jessie-release
spip (3.0.17-2+deb8u2) jessie-security; urgency=high

  * Backport security fixes from 3.0.22
    - PHP code injection
    - Objects injection via unserialize
  * Update security screen to 1.2.4

 -- David Prévot <email address hidden>  Thu, 10 Mar 2016 19:18:09 -0400
Superseded in stretch-release
Superseded in sid-release
spip (3.0.22-1) unstable; urgency=high

  * Track the 3.0 branch
  * Imported Upstream version 3.0.22, with security fixes:
    - PHP code injection
    - Objects injection via unserialize
  * Update mutualisation to 1.2.8
  * Depend on php-* instead of php5-* for the php 7.0 transition
  * Update Standards-Version to 3.9.7
  * Update copyright (years)

 -- David Prévot <email address hidden>  Thu, 10 Mar 2016 21:22:43 -0400
Deleted in experimental-release (Reason: None provided.)
spip (3.1.1-1) experimental; urgency=high

  * Imported Upstream version 3.1.1, with security fixes:
    - PHP code injection
    - Objects injection via unserialize
  * Update mutualisation to 1.2.8
  * Depend on php-* instead of php5-* for the php 7.0 transition
  * Update copyright
  * Update Standards-Version to 3.9.7

 -- David Prévot <email address hidden>  Thu, 10 Mar 2016 21:24:26 -0400
Superseded in jessie-release
spip (3.0.17-2+deb8u1) jessie; urgency=medium

  * Track Jessie
  * Backport XSS fixes in private content from 3.0.21

 -- David Prévot <email address hidden>  Sun, 01 Nov 2015 15:34:00 -0400