mahara (1.2.6-2+squeeze2) stable-security; urgency=high

  * SECURITY UPDATE: fixes to session key validation (CSRF)
    - debian/patches/CVE-2011-1403.patch: upstream patch

  * SECURITY UPDATE: privilege escalations
    - debian/patches/CVE-2011-1402.patch: upstream patch

  * SECURITY UPDATE: information disclosure in AJAX calls
    - debian/patches/CVE-2011-1404.patch: upstream patch

  * SECURITY UPDATE: https to http downgrade
    - debian/patches/CVE-2011-1406.patch: upstream patch

  * SECURITY UPDATE: sanitisation of HTML emails
    - debian/patches/CVE-2011-1405.patch: upstream patch

 -- Francois Marier <francois@debian.org>  Mon, 09 May 2011 13:30:06 +1200

mahara (1.2.6-2+squeeze1) stable-security; urgency=high

  * SECURITY UPDATE: cross-site scripting vulnerability
    - debian/patches/CVE-2011-0439.dpatch: upstream patch
    - CVE-2011-0439

  * SECURITY UPDATE: possible cross-site request forgery (deleting blogs)
    - debian/patches/CVE-2011-0440.dpatch: upstream patch
    - CVE-2011-0440

 -- Francois Marier <francois@debian.org>  Fri, 18 Mar 2011 15:51:03 +1300

mahara (1.2.6-2) unstable; urgency=medium

  * Move flowplayer.audio to the contrib package as well
  * Add an allow rule in apache.conf for flowplayer.audio

 -- Francois Marier <francois@debian.org>  Mon, 06 Sep 2010 20:59:44 +1200

mahara (1.2.6-1) unstable; urgency=medium

  * New upstream release (to address #591200):
    - removal of the tinymce media plugin
    - replaced the non-free media player with flowplayer

  * Move mediaplayer into a separate contrib package (closes: #591200)
  * Relax the deny rule on serving lib to make flowplayer work
  * Add a dependency on tinymce and use that instead of bundled version

  * Bump Standards-Version up to 3.9.1
  * Urgency set to medium because of RC bug

 -- Francois Marier <francois@debian.org>  Mon, 06 Sep 2010 20:51:17 +1200

mahara (1.2.5-2) unstable; urgency=low

  * Remove postgresql8.3 from recommends, add postgresql8.4
  * Add mysql-server-5.1 to recommends

 -- Francois Marier <francois@debian.org>  Tue, 06 Jul 2010 17:35:06 +1200

mahara (1.2.5-1) unstable; urgency=high

  * New upstream release
    - multiple cross-site scripting vulnerabilities (CVE-2010-1667)
    - multiple cross-site request forgery vulnerabilities (CVE-2010-1668)
    - sql injection (CVE-2010-1669)
    - unsafe auth plugins configuration options (CVE-2010-1670)

  * Use system's version of HTML purifier (CVE-2010-2479)
  * Add missing symlink to PEAR's File module to fix csv parsing

  * Remove reference to the common BSD license in debian/copyright
  * Bump Standards-Version to 3.9.0

 -- Francois Marier <francois@debian.org>  Mon, 05 Jul 2010 15:45:27 +1200

mahara (1.2.4-1) unstable; urgency=high

  * New upstream release
    - fix for SQL injection (CVE-2010-0400)

 -- Francois Marier <francois@debian.org>  Tue, 06 Apr 2010 21:07:03 +1200

mahara (1.2.3-1) unstable; urgency=low

  * New upstream release
  * Fix error in postrm script for when /usr/share/mahara/theme/ doesn't exist

  * Bump Standards-Version to 3.8.4
  * Switch team maintenance email address to a Launchpad mailing list

 -- Francois Marier <francois@debian.org>  Mon, 08 Feb 2010 11:58:22 +1300

mahara (1.2.0-2) unstable; urgency=low

  * Fix postrm script so that Mahara can be uninstalled

 -- Francois Marier <francois@debian.org>  Fri, 27 Nov 2009 22:09:03 +1300

mahara (1.2.0-1) unstable; urgency=low

  * New upstream release
  * Replace smarty with dwoo in dependencies and post{inst,rm} scripts
  * Remove snoopy which is no longer used in Mahara
  * Update config.php based on upstream's config-dist.php

  * Remove Nigel from uploaders
  * Update download URL in debian/watch and debian/copyright
  * Switch to source package format 3.0 (quilt)
  * Update copyright year in debian/copyright

 -- Francois Marier <francois@debian.org>  Fri, 27 Nov 2009 16:49:48 +1300

mahara (1.1.7-1) unstable; urgency=high

  * New upstream release
    - Privilege escalation fix (CVE-2009-3298)
    - XSS fix (CVE-2009-3299)

  * Bump Standards-Version up to 3.8.3
  * Switch packaging license to refer to GPL-3
  * debian/mahara.config: Move -e to a separate line to silence lintian

 -- Francois Marier <francois@debian.org>  Fri, 30 Oct 2009 13:46:40 +1300

mahara (1.1.6-1) unstable; urgency=low

  * New Upstream Version
  * README.Debian: must specify the character set when creating a database
    in the default install of MySQL on Debian

 -- Francois Marier <francois@debian.org>  Thu, 06 Aug 2009 22:22:01 +1200

mahara (1.1.5-1) unstable; urgency=high

  * New Upstream Version
    - fixes multiple XSS vulnerabilities
    - fix for an information disclosure bug
  * Bump Standards-Version to 3.8.2

 -- Francois Marier <francois@debian.org>  Mon, 22 Jun 2009 15:17:25 +1200

mahara (1.1.3-1) unstable; urgency=high

  * New Upstream Version
    - fixes XSS issues in user profile field and text boxes in user views
      (CVE-2009-0664)
    - fixes remote code execution in the bundled copy of html2text
      (CVE-2008-5619, closes: #524778)
  * Bump Standards-Version to 3.8.1 (no changes)
  * Remove execute bit on a bunch of JavaScript files (lintian warning)

 -- Francois Marier <francois@debian.org>  Wed, 22 Apr 2009 17:06:36 +1200

mahara (1.1.2-1) unstable; urgency=high

  * New Upstream Version
    - fixes multiple XSS vulnerabilities (CVE-2009-0660)

 -- Francois Marier <francois@debian.org>  Tue, 10 Mar 2009 19:44:14 +1300

mahara (1.1.1-1) unstable; urgency=medium

  * New Upstream Version
    - fixes broken upgrades on MySQL

 -- Francois Marier <francois@debian.org>  Mon, 02 Mar 2009 12:08:42 +1300

mahara (1.1.0-1) unstable; urgency=low

  * New Upstream Version
  * Add dependency on php5-curl (instead of being only recommended)
  * Mention the 3rd install step (logging in as admin) in README.Debian

 -- Francois Marier <francois@debian.org>  Thu, 26 Feb 2009 12:57:40 +1300

mahara (1.0.9-2) unstable; urgency=low

  * debian/mahara.postrm: delete the snoopy symlink
  * debian/mahara.postinst: create a lib/smarty/libs symlink when necessary
    (for example on Ubuntu)

 -- Francois Marier <francois@debian.org>  Mon, 09 Feb 2009 17:55:38 +1300

mahara (1.0.9-1) unstable; urgency=high

  * New Upstream Version
    - fixes XSS vulnerability in forum posts
  * debian/copyright: add the word "copyright" to fix a lintian notice

 -- Francois Marier <francois@debian.org>  Tue, 03 Feb 2009 18:26:32 +1300

mahara (1.0.6-1) unstable; urgency=low

  * New upstream version

 -- Francois Marier <francois@debian.org>  Sun, 09 Nov 2008 23:45:15 +1300

mahara (1.0.5-2) unstable; urgency=high

  * Depend on libphp-snoopy instead of using the embedded copy shipped
    with Mahara (CVE-2008-4796, closes: #504170)
  * Backport upstream's patch (41189c30d198153dc66dc867e160dab948929458)
    to phpmailer (CVE-2007-3125, closes: #504253)
  * Add lintian overrides for the customised embedded libraries

 -- Francois Marier <francois@debian.org>  Mon, 03 Nov 2008 19:16:44 +1300

mahara (1.0.5-1) unstable; urgency=low

  * New Upstream Version
  * Fix comments in maintainer scripts (closes: #491924)
  * Add lintian override for embedded copies of mochikit
  * Bump debhelper compatibility to 7 to use dh_lintian

 -- Francois Marier <francois@debian.org>  Mon, 29 Sep 2008 13:00:12 +1300

mahara (1.0.4-2) unstable; urgency=low

  * Compress the package using bzip2
  * Remove non-userdata directories in /var/lib/mahara when purging
  * Clarify the MySQL instructions in README.Debian

  * Add Galician debconf translation (closes: #488185). Thanks Jacobo!
  * Add Japanese debconf translation (closes: #488338). Thanks Tsunoda!
  * Add Czech debconf translation (closes: #488368). Thanks Miroslav!
  * Add Turkish debconf translation (closes: #488507). Thanks Mert!
  * Add Russian debconf translation (closes: #489168). Thanks Yuri!
  * Add Finnish debconf translation (closes: #489121). Thanks Esko!
  * Add Vietnamese debconf translation (closes: #489402). Thanks Clytie! 

 -- Francois Marier <francois@debian.org>  Mon, 07 Jul 2008 11:23:15 +1200

mahara (1.0.4-1) unstable; urgency=low

  [ Francois Marier ]
  * Add Swedish debconf translation (closes: #487724). Thanks Martin!
  * Remove outdated NEWS file

  [ Nigel McNie ]
  * New Upstream Version

 -- Francois Marier <francois@debian.org>  Wed, 25 Jun 2008 16:52:34 +1200

mahara (1.0.3-1) unstable; urgency=low

  [ Nigel McNie ]
  * New Upstream Version
  * Tweak apache rules to give access to some required files (closes: #479858)

  [ Francois Marier ]
  * Bump Standards-Version up to 3.8.0
  * Bump the Postgres version number to 8.3 to match the latest version in sid

 -- Francois Marier <francois@debian.org>  Fri, 13 Jun 2008 14:18:13 +1200

mahara (1.0.2-1) unstable; urgency=low

  * New Upstream Version

 -- Nigel McNie <nigel@catalyst.net.nz>  Tue, 29 Apr 2008 11:15:39 +1200

mahara (1.0.1-1) unstable; urgency=low

  [ Francois Marier ]
  * debian/copyright: Bump the copyright year for Mahara and remove the
    reference to Smarty since we are no longer shipping it.
  * Revised French translation thanks to Christian Perrier (closes: #472770)
  * Updated Portuguese translation thanks to Américo Monteiro (closes: #471952)

  [ Nigel McNie ]
  * Don't chmod -R the dataroot directory in the postinst. It takes ages and
    is completely unnecessary.
  * Update the Vcs- control fields to point at the new location for the debian
    packaging
  * Removed a whole bunch of configuration questions from the mahara-apache2
    package that are now unnecessary
  * Support running the site under an apache alias; by default when installed
    the package won't clobber other sites (closes: #464726)
  * Set Mahara Debian Packaging Team as maintainer, set myself, Penny and
    Francois as uploaders.
  * Add MySQL howto instructions to README.Debian (closes: #475278)

 -- Francois Marier <francois@debian.org>  Fri, 11 Apr 2008 16:40:01 +1200

mahara (0.9.2-2) unstable; urgency=low

  [ Nigel McNie ]
  * Removed recommends on php5-openssl and postgresql-8.1
  * Changed default server name to mahara; moved asking about the servername
    to mahara-apache2 so running `dpkg-reconfigure -plow mahara-apache2'
    changes it (Closes: #464726)
  * Removed the restart_apache helper function
  * Re-ran debconf-updatepo
  * Depend on the smarty debian package rather than bundling our own,
    cherry-picked 21b81a5c4c4bfd0408410fdfdd6a8f0217e8f9ff from 0.9_STABLE to
    assist with this (Closes: #471201)

  [ Francois Marier ]
  * Bump debhelper compatibility to 6

 -- Nigel McNie <nigel@catalyst.net.nz>  Tue, 18 Mar 2008 12:26:31 +1300

mahara (0.9.2-1) unstable; urgency=low

  * New upstream release
  * Removed copyright notices for KSES and validateurlsyntax.php, both of
    which are no longer included in Mahara.
  * Reset the database password field after using it to write out the config
    file. This allows people to reconfigure the package to remove the
    password, at the expense of having to type in the password every time they
    reconfigure.

 -- Nigel McNie <nigel@catalyst.net.nz>  Wed, 30 Jan 2008 15:52:43 +1300

mahara (0.9.1-1) unstable; urgency=low

  [ Francois Marier ]
  * Add Portuguese debconf translation (closes: #457978).  Thanks to Traduz!
  * Add Spanish debconf translation (closes: #460236).  Thanks Germana!

  [ Nigel McNie ]
  * New upstream release
  * Set myself as maintainer
  * Backported patch 8ffa8b55da108d0ab79d2200a14b152b7d37b0fe, which makes
    Mahara respect the system include path. This allows Mahara to use the
    system PEAR libraries instead of crashing when it can't find them.

 -- Nigel McNie <nigel@catalyst.net.nz>  Wed, 16 Jan 2008 15:28:33 +1300

mahara (0.9.0-1) unstable; urgency=low

  * Initial upload to unstable (closes: #447203)

 -- Francois Marier <francois@debian.org>  Mon, 17 Dec 2007 09:36:53 +1300
