Change logs for gosa source package in Buster

  • gosa (2.7.4+reloaded3-8+deb10u2) buster; urgency=medium
    
      * debian/patches:
        + Add 1047_CVE-2019-14466-{1,2}_replace_unserialize_with_json_encode+json_
          decode.patch: Replace (un)serialize with json_encode/json_decode to
          mitigate PHP object injection.
    
     -- Mike Gabriel <email address hidden>  Mon, 27 Apr 2020 13:02:28 +0200
  • gosa (2.7.4+reloaded3-8+deb10u1) buster; urgency=medium
    
      * debian/changelog:
        + post-upload fix of patch-1045 explanation...
      * debian/patches:
        + Add 1046_CVE-2019-11187_stricter-ldap-error-check.patch.
          Perform stricter check on LDAP success/failure (CVE-2019-11187).
    
     -- Mike Gabriel <email address hidden>  Sat, 10 Aug 2019 04:04:23 +0200
  • gosa (2.7.4+reloaded3-8) unstable; urgency=medium
    
      * debian/patches:
        + Add 1043_smarty-add-on-function-param-types.patch. Fix missing
          password field, caused by PHP error "parameter 2 expected to be a
          reference, value given". This happened due to mismatching parameter
          types whenever the smarty3 template rendering engine called gosa's
          (slightly not-compliant anymore) smartyAddon functions. (Closes:
          #918578). The patch also brings some smartyAddon hygiene for
          the {render} block and the not-used-anymore {tr} block.
        + Add 1044_crypto-transition-without-mcrypt.patch. Make
          gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt,
          and thus make it work with Debian buster's php7.3. (Closes: #925138).
        + Update 1026_fix-deprecated-constructor-format.patch. Drop an
          unwanted find+replace artefact in class_userFilter.
        + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
          $_SESSION. The filter caching mechanism stores PHP object in ; since
          php7.0 this has led to all sorts of unexpected results and flawed
          rendering of class_management based listings. (Closes: #907815).
      * debian/control:
        + Bump Standards-Version: to 4.3.0. No changes needed.
    
     -- Mike Gabriel <email address hidden>  Fri, 19 Apr 2019 15:24:14 +0200
  • gosa (2.7.4+reloaded3-7) unstable; urgency=medium
    
      [ Mike Gabriel ]
      * Update default config.
        + Enable netgroup, pwreset and school-manager plugins by default.
    
      [ Dominik George ]
      * Update my maintainer address.
      * Add support for php-fpm in apache config.
    
     -- Dominik George <email address hidden>  Wed, 12 Dec 2018 16:52:38 +0100
  • gosa (2.7.4+reloaded3-6) unstable; urgency=medium
    
      [ Christian Schwamborn ]
      * debian/patches:
        + Add 1040_inactive_pwd_fields_when_using_pwd_proposal.patch. Disable
          password entry text fields when password proposal is to be used.
        + Improve 1039_fix_sambakickofftime_...tmplate_setting.patch. Avoid NULL
          string being handed over to the date() function.
        + Add 1041_ref_param_error_in_My_Parser.patch. Compat fix for PHP > 5.4.
          Hand over real variable to function.
        + Add 1042_add_option_to_disable_autocomplete.patch. Add support for
          disabling autocompletion in search boxes.
    
      [ Mike Gabriel ]
      * debian/control:
        + Bump Standards-Version: to 4.2.0. No changes needed.
        + Drop exim4 as default MTA, use default-mta instead. Thanks lintian.
    
     -- Mike Gabriel <email address hidden>  Wed, 15 Aug 2018 12:31:03 +0200
  • gosa (2.7.4+reloaded3-5) unstable; urgency=medium
    
      * debian/control:
        + Update Vcs-*: fields. Packaging Git has been migrated to salsa.debian.org.
      * debian/patches:
        + Add 0013_escape-html-entities-for-uid-to-avoid-code-execution-
          CVE-2018-1000528.patch. Fixes code injection in password change dialog.
          Resolves CVE-2018-1000528. (Closes: #902723).
    
     -- Mike Gabriel <email address hidden>  Sat, 30 Jun 2018 12:35:38 +0200
  • gosa (2.7.4+reloaded3-4) unstable; urgency=medium
    
      * debian/control:
        + Add D (gosa): php-cgi. Required for GOsa² to work under lighttpd.
          (Closes: #892570).
        + Drop from S: gosa-si-server. (Closes: #891904). (Note: the requested
          php7.0-cli to php-cli modification was already uploaded with
          gosa/2.7.4+reloaded3-3).
        + Bump Standards-Version: to 4.1.4. No changes needed.
      * debian/gosa.post*:
        + Test presence of apache2ctl to detect whether GOsa² is supposed to run
          under Apache2. (Closes: #892571).
      * debian/patches:
        + Add 0012_using-the-correct-encryption-method.patch. Use aes-256-ecb, not
          -cbc as encryption method in cred_encrypt() function. (Closes: #892546).
        + Add 2006_apache2-private-tmp.patch. Work-around for Apache2's
          PrivateTmp=true feature in Debian. (Closes: #892569).
        + Various typo fixes in text comments.
      * debian/README.gosa.secrets:
        + Add HowTo about GOsa²'s internal pw encryption procedure.
        + Advertise this new README in debian/NEWS.
      * debian/gosa.lintian-overrides:
        + Add override maintainer-script-should-not-use-recursive-chown-or-chmod
          postinst.
      * lintian: Move source overrides into debian/source/.
    
     -- Mike Gabriel <email address hidden>  Fri, 20 Apr 2018 13:36:45 +0200
  • gosa (2.7.4+reloaded3-3) unstable; urgency=medium
    
      * debian/control:
        + Switch D (gosa-dev) from php7.0-cli to php-cli.
    
     -- Mike Gabriel <email address hidden>  Sun, 04 Mar 2018 20:59:40 +0100
  • gosa (2.7.4+reloaded2-13) unstable; urgency=medium
    
      [ Dominik George ]
      * Allow IPv4 addresses and FQDNs as sudoHost. (Closes: #834065).
      * Added myself to Uploaders.
    
      [ Mike Gabriel ]
      * debian/control:
        + Update D (gosa, gosa-dev): php-cli -> php7.0-cli.
        + Update PHP MySQL(i) dependency. GOsa with PHP 7 now depends on php-mysqli.
      * debian/patches:
        + Add 1028_use-mysqli-instead-of-mysql.patch. Migrate from PHP MySQL
          extension to MySQLi extension. (Closes: #834063).
        + Fix another man page typo via 1004_fix-typos-in-man-pages.patch.
      * lintian:
        + Update source.lintian-overrides.
        + Add php-script-but-no-phpX-cli-dep override for two files.
      * debian/README.Debian: Fix spelling issue.
      * debian/gosa-plugin-opsi.lintian-overrides:
        + Drop. Not required any more.
    
     -- Mike Gabriel <email address hidden>  Wed, 25 Jan 2017 22:11:04 +0100