/
changelog
332 lines (248 loc) · 11.8 KB
/
changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
smarty3 (3.1.39-2ubuntu1) jammy; urgency=medium
* SECURITY UPDATE: execution of restricted php methods
- debian/patches/CVE-2021-21408.patch: Prevent evasion of the
static_classes security policy in
lexer/smarty_internal_templateparser.y and
libs/sysplugins/smarty_internal_templateparser.php.
- CVE-2021-21408
* SECURITY UPDATE: code injection through math function
- debian/patches/CVE-2021-29454-1.patch: verify if the input to
the math function is a mathematical expression in
libs/plugins/function.math.php.
- debian/patches/CVE-2021-29454-2.patch: fix to support multiple
operators in math equations in
libs/plugins/function.math.php.
- debian/patches/CVE-2021-29454-3.patch: fix to allow multiple
parameters in mathematical functions in
libs/plugins/function.math.php.
- CVE-2021-29454
* Fix for compatibility with php 8.1.
- debian/patches/php8-1compatibility.patch
-- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com> Wed, 23 Mar 2022 16:00:18 +0100
smarty3 (3.1.39-2) unstable; urgency=medium
* debian/watch:
+ Fix Github watch URL.
-- Mike Gabriel <sunweaver@debian.org> Thu, 29 Apr 2021 14:40:03 +0200
smarty3 (3.1.39-1) unstable; urgency=medium
* New upstream release.
* debian/copyright:
+ Update copyright attributions.
-- Mike Gabriel <sunweaver@debian.org> Tue, 23 Feb 2021 11:41:59 +0100
smarty3 (3.1.38-1) unstable; urgency=medium
* New upstream release.
* debian/patches:
+ Drop 0001_bring-lexer-source-functionally-up-to-date.patch. Applied
upstream.
-- Mike Gabriel <sunweaver@debian.org> Mon, 18 Jan 2021 17:20:40 +0100
smarty3 (3.1.36-2) unstable; urgency=medium
* debian/control:
+ Update versioned B-D on smarty-lexer to (>= 3.1.32+dfsg1-3~).
* debian/patches:
+ Add 0001_bring-lexer-source-functionally-up-to-date.patch. Bring
lexer source functionally up-to-date with (manually edited) compiled
version. (Closes: #977604).
* debian/watch:
+ Switch to format version 4.
-- Mike Gabriel <sunweaver@debian.org> Fri, 18 Dec 2020 14:53:44 +0000
smarty3 (3.1.36-1) unstable; urgency=medium
* New upstream release.
* debian/rules:
+ Stop creating Git snapshots, use upstream orig tarballs (generated from
Github tags) instead.
+ Upstream changelog has been renamed to CHANGELOG.md.
* debian/copyright:
+ Update copyright attributions.
+ Drop global Comment: field. No tarball repacking anymore.
* debian/control:
+ Bump Standards-Version: to 4.5.1. No changes needed.
+ Bump DH compat level to version 13.
* debian/upstream/metadata:
+ Add file. Comply with DEP-12.
-- Mike Gabriel <sunweaver@debian.org> Mon, 07 Dec 2020 09:33:25 +0100
smarty3 (3.1.34+20190228.1.c9f0de05+selfpack1-1) unstable; urgency=medium
* New upstream release.
* debian/control:
+ Bump Standards-Version: to 4.4.1. No changes needed.
+ Add Rules-Requires-Root: field and set it to "no".
* debian/{control,compat}:
+ Switch to debhelper-compat notation. Bump DH comat level to version 12.
-- Mike Gabriel <sunweaver@debian.org> Mon, 18 Nov 2019 10:49:54 +0100
smarty3 (3.1.33+20180830.1.3a78a21f+selfpack1-1) unstable; urgency=medium
* New upstream release.
- CVE-2018-16831: Don't bypass trusted directories with "../". (Closes:
#908698).
* debian/control:
+ Bump Standards-Version: to 4.2.1. No changes needed.
-- Mike Gabriel <sunweaver@debian.org> Mon, 17 Sep 2018 13:04:18 +0200
smarty3 (3.1.32+20180424.1.ac9d4b58+selfpack1-1) unstable; urgency=medium
* New upstream release.
* debian/*: White-space clean-up at EOL.
* debian/patches:
+ Drop 0001_CVE-2017-1000480.patch. Applied upstream.
* debian/rules:
+ Avoid using dpkg-parsechangelog.
* debian/copyright:
+ Update copyright attributions.
+ Use secure URI to obtain copyright references.
+ Add global Comment: field. Explain about brokenness of upstream tarballs.
* debian/control:
+ Update Vcs-*: fields. Packaging Git has been migrated to
salsa.debian.org.
+ Bump Standards-Version: to 4.1.4. No changes needed.
* debian/{control,compat}:
+ Bump DH version level to 11.
-- Mike Gabriel <sunweaver@debian.org> Sun, 27 May 2018 23:21:33 +0200
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-3) unstable; urgency=medium
* debian/patches:
+ Add 0001_CVE-2017-1000480.patch. Fixes CVE-2017-1000480. (Closes:
#886460).
-- Mike Gabriel <sunweaver@debian.org> Sun, 14 Jan 2018 11:13:16 +0100
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-2) unstable; urgency=medium
* Re-upload to Debian unstable to enforce package rebuild (as we don't
have binNMUs for arch:all packages).
* debian/control:
+ Update versioned B-D on smarty-lexer (>= 3.1.30+dfsg1-1.1~).
This is to assure correct lexer/parser generation which was broken by
smarty-lexer 3.1.30+dfsg1-1. See Debian bug #847571 for further
reference.
-- Mike Gabriel <sunweaver@debian.org> Tue, 21 Mar 2017 10:13:01 +0100
smarty3 (3.1.31+20161214.1.c7d42e4+selfpack1-1) unstable; urgency=medium
* New upstream release.
* debian/rules:
+ Self-pack orig tarball from Git commit, due to broken upstream
tarball generation on Github. For details see:
https://github.com/smarty-php/smarty/issues/325
* debian/copyright:
+ Update copyright attributions.
-- Mike Gabriel <sunweaver@debian.org> Tue, 24 Jan 2017 21:17:51 +0100
smarty3 (3.1.30-1) unstable; urgency=medium
* Upload to unstable.
* Update versioned B-D:
+ smarty-lexert (>= 3.1.30+dfsg1-1~).
-- Mike Gabriel <sunweaver@debian.org> Fri, 25 Nov 2016 19:52:30 +0100
smarty3 (3.1.30-1~exp1) experimental; urgency=medium
* New upstream release. Upload to experimental for testing with
GOsa, FusionDirectory and other web portals that depend on Smarty3.
* debian/copyright:
+ Update copyright attributions.
-- Mike Gabriel <sunweaver@debian.org> Thu, 20 Oct 2016 14:00:22 +0200
smarty3 (3.1.29-2) unstable; urgency=medium
* Re-upload unchanged to unstable.
-- Mike Gabriel <sunweaver@debian.org> Fri, 07 Oct 2016 14:03:44 +0200
smarty3 (3.1.29-1) experimental; urgency=medium
* New upstream release. (Closes: #825250).
* debian/smarty3-lexer:
+ Remove shipped-with .plex and .y files for template and configfile
parser/lexer. This version uses smarty-lexer src:package at build
time instead.
* debian/control:
+ Add B-D pkg-php-tools (for dh_phpcomposer)
+ Versioned B-D: debhelper (>= 9).
+ Use encrypted URLs for Vcs-*: field.
+ Bump Standards: to 3.9.8. No changes needed.
* debian/{control,rules}:
+ Create internal lexer and parser PHP code at package build time (using
B-D smarty-lexer). (Closes: #765730). This also solves issues in Debian
package smarty3 3.1.21-1 caused by lexer/parser PHP files using the old
trigger_error class API of Smarty.class.php. (Closes: #799282).
* debian/smarty3.{install,docs}:
+ Use debhelper for installing bin:package files.
* debian/compat:
+ Bump to DH version level 9.
* debian/watch:
+ Upstream location has changed, now on Github.
* debian/rules:
+ Use pure debhelper, with phpcomposer.
+ Make package build idempotent.
* debian/copyright:
+ Update copyright attributions.
-- Mike Gabriel <sunweaver@debian.org> Mon, 30 May 2016 14:03:16 +0200
smarty3 (3.1.21-1.1) unstable; urgency=medium
* Non-maintainer upload in coordination with the maintainer.
* Update depends and README.Debian for the php 7.0 transition. Thanks to
Wolfgang Schweer for the patch! (Closes: #821660)
-- Holger Levsen <holger@debian.org> Mon, 23 May 2016 11:32:02 +0200
smarty3 (3.1.21-1) unstable; urgency=medium
* New upstream release. (Closes: #765920).
* debian/smarty3-lexer:
+ Add 4 files from smarty3 SVN that are used to generate some PHP
files in the upstream tarball. See README.lexer for details.
(Closes: #636148).
* debian/copyright:
+ Add copyright information for debian/smarty3-lexer/*.
+ Fix upstream license (LGPL-3 -> LGPL-3+) after reading the upstream-
shipped COPYING.lib file more thoroughly.
+ Relicense debian/* under same license as upstream sources (LGPL-3+).
* debian/control:
+ Bump Standards: to 3.9.6. No changes needed.
-- Mike Gabriel <sunweaver@debian.org> Sun, 19 Oct 2014 23:45:18 +0200
smarty3 (3.1.19-1) unstable; urgency=medium
* New upstream release.
+ Obtain upstream sources as zip files from upstream. Stop checking out
SVN tags. This change drops three embedded PHP libraries and files with
problematic PHP licenses. (Closes: #752614).
* debian/control:
+ Alioth-canonicalize Vcs-Git field.
+ Bump Standards: to 3.9.5. No changes needed.
* lintian:
+ Drop unused override: embedded-php-library.
-- Mike Gabriel <sunweaver@debian.org> Mon, 04 Aug 2014 21:32:20 +0200
smarty3 (3.1.13-1) unstable; urgency=low
* New upstream release.
* /debian/control:
+ Use my DD address in Maintainer: field.
+ Bump Standards: to 3.9.4. No changes needed.
* /debian/patches:
+ Drop patch: 001_escape-smarty-exception-messages.patch, included in new
upstream release.
-- Mike Gabriel <sunweaver@debian.org> Mon, 06 May 2013 10:19:14 +0200
smarty3 (3.1.10-2) unstable; urgency=low
* Fix CVE-2012-4437: Add patch 001_escape-smarty-exception-messages.patch.
Closes: #688153.
-- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Sat, 22 Sep 2012 21:32:58 +0200
smarty3 (3.1.10-1) unstable; urgency=low
* New upstream release. Closes: #678095.
-- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Tue, 19 Jun 2012 16:41:06 +0200
smarty3 (3.1.8-2) unstable; urgency=low
* Package smarty3 provides smarty (closes: #657536).
* Make /debian/copyright machine parsable, explicitly names files that
have dissenting licenses, license /debian folder under GPLv2+.
-- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Thu, 17 May 2012 00:32:29 +0200
smarty3 (3.1.8-1) experimental; urgency=low
* New upstream release (rev. 4611).
* New package maintainer (closes: #668200).
* Add watch file (closes: #657385).
* Add Vcs-* lines to control file.
* Add README.source that explains how we obtain code from
upstream SVN. Make sure all upstream source files are
shipped with the Debian source package (closes: #636148).
-- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Thu, 10 May 2012 10:44:55 +0200
smarty3 (3.1.0-1) experimental; urgency=low
* New upstream release (rev. 4284)
* Used the code source from subversion (Closes: #636148)
* debian/copyright:
+ added LexerGenerator copyright
+ added ParserGenerator copyright
* Fixed security holes:
+ multiple unspecified vulnerabilities (CVE-2009-5052, CVE-2009-5053,
CVE-2010-4722, CVE-2010-4724, CVE-2010-4726)
+ not consider the umask value when setting the permissions of files
(CVE-2009-5054)
+ not prevent access to the dynamic and private object members of an
assigned object (CVE-2010-4723)
+ not properly handle an on value of the asp_tags option in the php.ini file
(CVE-2010-4725)
+ not properly handle the <?php and ?> tags (CVE-2010-4727)
-- Thierry Randrianiriana <thierry@debian.org> Sat, 17 Sep 2011 21:22:11 +0300
smarty3 (3.0.8-1) unstable; urgency=low
* New upstream release (Closes: #631619)
* Bumped Standards-Version to 3.9.2
* Updated licence to LGPL-3
-- Thierry Randrianiriana <thierry@debian.org> Wed, 20 Jul 2011 11:29:24 +0300
smarty3 (3.0~rc1-2) unstable; urgency=low
* Bumped Standards-Version to 3.9.1
* Removed debian/watch
-- Thierry Randrianiriana <thierry@debian.org> Tue, 21 Sep 2010 14:45:44 +0300
smarty3 (3.0~rc1-1) unstable; urgency=low
* Initial release (Closes: #580754)
-- Thierry Randrianiriana <thierry@debian.org> Sat, 08 May 2010 14:36:04 +0300