-
gosa (2.7.4+reloaded2-13+deb9u3) stretch; urgency=medium
* debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
encode+json_decode.patch:
+ Replace (un)serialize with json_encode/json_decode to mitigate PHP object
injection (CVE-2019-14466).
-- Mike Gabriel <email address hidden> Sat, 25 Apr 2020 21:51:15 +0200
-
gosa (2.7.4+reloaded2-13+deb9u1) stretch-security; urgency=medium
* debian/patches:
+ Add 0013_escape-html-entities-for-uid-to-avoid-code-execution-
CVE-2018-1000528.patch. Fixes code injection in password change dialog.
Resolves CVE-2018-1000528. (Closes: #902723).
-- Mike Gabriel <email address hidden> Wed, 04 Jul 2018 09:15:17 +0200
-
gosa (2.7.4+reloaded2-13) unstable; urgency=medium
[ Dominik George ]
* Allow IPv4 addresses and FQDNs as sudoHost. (Closes: #834065).
* Added myself to Uploaders.
[ Mike Gabriel ]
* debian/control:
+ Update D (gosa, gosa-dev): php-cli -> php7.0-cli.
+ Update PHP MySQL(i) dependency. GOsa with PHP 7 now depends on php-mysqli.
* debian/patches:
+ Add 1028_use-mysqli-instead-of-mysql.patch. Migrate from PHP MySQL
extension to MySQLi extension. (Closes: #834063).
+ Fix another man page typo via 1004_fix-typos-in-man-pages.patch.
* lintian:
+ Update source.lintian-overrides.
+ Add php-script-but-no-phpX-cli-dep override for two files.
* debian/README.Debian: Fix spelling issue.
* debian/gosa-plugin-opsi.lintian-overrides:
+ Drop. Not required any more.
-- Mike Gabriel <email address hidden> Wed, 25 Jan 2017 22:11:04 +0100
-
gosa (2.7.4+reloaded2-12) unstable; urgency=medium
[ Mike Gabriel ]
* debian/fix-constructors.sh:
+ Additionally replace occurrences of <class>::<class>(...) with
<class>::_construct(). Assure script can be run several times on the
same GOsa code tree.
* debian/patches:
+ Fix 1026_fix-deprecated-constructor-format.patch. Additionally patch
occurrences of <class>::<class>(...) with <class>::_construct().
[ Wolfgang Schweer ]
* debian/fix-constructors.sh:
+ Exclude xml:xml* commands from being touched by this script.
* debian/patches:
+ Another fix for 1026_fix-deprecated-constructor-format.patch. Don't
replace xml::xml2array by flawed xml::__construct2array.
-- Mike Gabriel <email address hidden> Thu, 02 Jun 2016 23:51:54 +0200
-
gosa (2.7.4+reloaded2-10) unstable; urgency=medium
[ Holger Levsen ]
* Fixup PHP syntax in 1010_fix-entry-removal-in-mail-plugin.patch. See
#796823 for the details.
* Update depends and debian/gosa-apache.conf for the PHP 7.0 transition.
Thanks to Wolfgang Schweer for the patch! (Closes: #821501)
[ Mike Gabriel ]
* debian/gosa.NEWS: Fix date (2015 -> 2016) for latest NEWS announcement.
-- Holger Levsen <email address hidden> Mon, 23 May 2016 12:44:31 +0200
-
gosa (2.7.4+reloaded2-9) unstable; urgency=medium
* debian/gosa-desktop.dirs:
+ Create /etc/gosa through dpkg for bin:package gosa-desktop. (Closes:
#814576).
* debian/control:
+ Drop as alternative Ds (gosa-desktop): konqueror, epiphany-browser,
midori, chromium. (Closes: #814774).
-- Mike Gabriel <email address hidden> Mon, 15 Feb 2016 13:17:12 +0100
-
gosa (2.7.4+reloaded2-6) unstable; urgency=medium
* debian/patches:
+ Fix 1007_gen-uids-like-gosa26.patch. If a placeholder operator specifies
no start and end, but only one value (e.g., %{givenName[12]}), then always
use the complete string. (Closes: #803540).
+ Add 1021_disable-sorting-in-DHCP-section-lists.patch. Disable sorting for
DHCP section lists (plus fix accessor name in class_sortableList.inc).
+ Add 0006_code-injection-in-samba-hash-generation.patch,
0007_update-sambaHashHook-description.patch. Fix potential code injection
issue in Samba hash generation.
+ Update 1004_fix-typos-in-man-pages.patch due to cherry-picking
0007_update-sambaHashHook-description.patch from upstream. Also fix
more man page typos (reported by lintian).
* debian/gosa.postinst:
+ When figuring out whether it makes sense to restart Apache2, let's check
for presence of apache2ctl binary (instead of apache2 binary). Nowadays,
the Apache2 server can be considered installed when apache2ctl is present
on a Debian system.
+ Avoid usage of full paths when testing for presence of executables.
* debian/gosa.postrm:
+ Avoid usage of full paths when testing for presence of executables.
-- Mike Gabriel <email address hidden> Mon, 04 Jan 2016 23:33:10 +0100
-
gosa (2.7.4+reloaded2-5) unstable; urgency=medium
* debian/patches:
+ Update 1016_allow-same-user-ids-as-adduser.patch. Fix typo.
+ Update 0003_xss-vulnerability-on-login-screen.patch. Fix a
second place where $username should be sanitized by set_post()
function.
+ Add 1020_ob-fixes.patch. Only run ob_end_clean() if there is
something to clean.
-- Mike Gabriel <email address hidden> Mon, 19 Oct 2015 13:17:40 +0200
-
gosa (2.7.4+reloaded2-4) unstable; urgency=medium
* debian/patches:
+ Improve 1007_gen-uids-like-gosa26.patch. Handle situations where attribute
values are shorter than the minimal length required. Use the complete
attribute's value then, if even not long enough.
+ Fix 1012_allow-one-level-domains-in-email-addresses.patch. Fix email
template checks in tests::is_email(). Also, allow mail addresses
starting with a single letter followed by a dot as second character
(e.g., "m.gabriel").
+ Add 1013_fix-smarty-gettext-tags-recognition.patch. Fix rendering of .tpl
files that contain parameterized {t} blocks.
+ Add 1014_fix-description-of-new-prim-groups.patch. Fix obtaining givenName
and sn from user object when creating its primary POSIX group.
+ Add 1015_allow-iso8601-date-format-in-user-API.patch. Allow writing
ISO8601 conform date strings into the dateOfBirth field.
+ Add 1016_allow-same-user-ids-as-adduser.patch. If strictNamingRules is set
to false in gosa.conf, allow the same UID naming rule as found in
/usr/bin/adduser (as of Debian jessie/stretch).
+ Add 1017_get-ogroups-ou-fix.patch. Use correct GOsa² API call to obtain
ogroupRDN string.
+ Add 1018_no-item-multiplication-on-duplicate-search-results.patch. Don't
return items more than once when found during consecutive search queries.
+ Add 1019_fix-various-typos.patch. Fix various typos in the GOsa² code.
* debian/gosa-apache.conf:
+ Drop FCGIWRapper option from FCGI related Apache2 config part. Fixes
Apache2 startup failures when mod_fscgi is used with GOsa².
* Debian Menu system: Drop debian/gosa.menu in favour of shipping our
gosa-desktop.desktop file. (See tech-ctte resolution in #741573).
* Debhelper compat: Bump to version 9.
* debian/control:
+ Drop R (gosa): ${misc:Recommends}.
-- Mike Gabriel <email address hidden> Tue, 13 Oct 2015 16:19:33 +0200
-
gosa (2.7.4+reloaded2-3) unstable; urgency=medium
* debian/patches:
+ Rename several patches (2005-2008 -> 1005-1008) to denote that
they are relevant for upstream.
+ Add 1009_fix-insertDhcp-icon-in-dhcp-section-overview.patch. Fix
label stripping in GOsa²'s image() function. This fixes displaying
the insertDhcp* icon in the DHCP service plugin. (Closes: #794117).
+ Add 2005_allow-Debian-blends-to-override-gosa-conf.patch. Allow
Debian blends to provide their own version of gosa.conf and not get
bugged by GOsa's notification message on gosa.conf template changes.
Debian blends using GOsa (e.g., Edu, LAN) must handle gosa.conf
updates themselves. (Closes: #794118).
+ Add 0004_fix-get-post.patch. Fix transferral of POST variables.
+ Add 1010_fix-entry-removal-in-mail-plugin.patch. Fix entry deletion
of items in "alternatives addresses" and "forward messages to
non-group members" for group mail objects. (LP:#1307483).
+ Add 0005_fix-password-expiry-status.patch. Fix expiration status
for passwords if shadowMax is used in POSIX/shadow accounts.
+ Add 1011_define-isPluginModified.patch. Fix undefined property
error for non-defined usertags::$isPluginModified. (Closes: #794690).
+ Add 1012_allow-one-level-domains-in-email-addresses.patch. Allow
one-level domains in email addresses (such as <uid>@intern, as used
in Debian Edu by default). (Closes: #794738).
* debian/control:
+ Add C (gosa-plugin-mail): gosa-plugin-mailaddress. New package in
Debian unstable providing a very lightweight Mail configuration
plugin for GOsa².
-- Mike Gabriel <email address hidden> Mon, 24 Aug 2015 15:15:14 +0200
-
gosa (2.7.4+reloaded2-2) unstable; urgency=medium
* debian/patches:
+ Add 2007_gen-uids-like-gosa26.patch. Fix idGenerator for patterns
like {%sn[3-6}-{%givenName[3-6]}. (Closes: #793455).
+ Add 2008_enable-csv-import-on-clean-installs.patch. Enable CSV / LDIF
import on (non-Debian-Edu) clean GOsa² installations by default. (Closes:
#782529)
* debian/{control,*.install}:
+ Process with wrap-and-sort.
* debian/control:
+ Bump Standards: to 3.9.6. No changes needed.
* debian/copyright:
+ Really mention all files (plus various fixes).
* debian/watch:
+ Provide as symlink to debian/watch.gosa-core to make uscan and DDPO happy.
* lintian:
+ Drop debian-watch-file-is-missing override. This package version now
provides a watch file.
* debian/gosa-desktop.desktop:
+ Drop MimeType= key from .desktop file. Makes no sense without providing
%f, %F, %u or %U for the Exec key.
-- Mike Gabriel <email address hidden> Fri, 24 Jul 2015 11:06:39 +0200
-
gosa (2.7.4+reloaded2-1) unstable; urgency=medium
* Repack gosa src:package in order to drop several subtrees of the source
code:
- Smarty3 sources,
- Smarty Gettext sources,
- Liberation font, further fonts shipped with pChart,
- Scriptaculous.js,
- and upstream's debian/ packaging folder.
* debian/README.multi-orig-tarball-package:
+ Grammar fix.
* debian/gosa.postinst:
+ When activating gosa for lighttpd, create /etc/lighttpd/conf-enabled/
if it does not exist, yet. (Closes: #757558).
* debian/control:
+ Make sure that all GOsa² component/plugin bin:packages match the exact
version of the gosa bin:package.
+ Add D (gosa): smarty-gettext.
+ Add D (gosa): libjs-scriptaculous.
* debian/rules:
+ Rework get-orig-source rule, remove embedded libraries from upstream
source tree.
+ Stop shipping fonts with gosa src:package in Debian (via
get-orig-source).
+ Use Debian's version of smarty-gettext (via symlink).
+ Use Debian's version of Scriptaculous.js and Prototype.js (via symlinks).
+ Improve readability. Add some comments.
* debian/copyright:
+ Update file.
+ Update debian/copyright.in template.
* lintian:
+ Drop override embedded-php-library for Smarty3. Not shipped in repacked
sources anymore.
+ Drop override embedded-php-library for Scriptaculous.js and Prototype.js.
Not shipped in repacked sources anymore.
+ Drop unused overrides.
* debian/patches:
+ Add 1004_fix-typos-in-man-pages.patch. Fix several typos and
hyphen-used-as-minus-sign issues in GOsa² man pages.
+ Update 0001_smarty3.patch. The sources of smarty-gettext are not shipped
with Debian's gosa src:package anymore.
+ Improve trimming in 1002_trim-decrypt.patch. Obtained from latest password
encryption/decryption tests with FusionDirectory.
+ Provide patch headers with Author: and Description: fields wherever
possible.
-- Mike Gabriel <email address hidden> Mon, 11 Aug 2014 18:41:55 +0200