horde3 (3.3.12+debian0-2) unstable; urgency=emergency

  * Remove backdoor in emergency (upstream server is compromised).
    CVE-2012-0209

 -- Gregory Colpart <reg@debian.org>  Thu, 09 Feb 2012 00:41:34 +0100

horde3 (3.3.12+debian0-1) unstable; urgency=low

  * New upstream release (Closes: #636592)
    - Fix 'return value of new by reference is deprecated', at least in
      lib/Horde/Kolab/Server/Object.php (Closes: #630142, #601186)
    - pgsql create script fixed (Closes: #508571)
    - Fix dirty flag handling when saving prefs to files (Closes: #538027)
    - Fix preferences management regression (Closes: #634962)
    - Fix SQL error during cache cleanup (Closes: #566610)
    - Fix undefined index: token_lifetime (Closes: #629006)
  * Housekeeping (thanks to lintian):
    - spelling error in README.Debian (writeable writable)
    - Update to standards version 3.9.2, no change required
    - Don't use asterisks in NEWS.Debian
    - Use versioned LGPL-2.1 in copyright
    - Add minimal build-indep and build-arch targets to d/rules
  * Switch to dpkg-source 3.0 (quilt) format
  * Remove conflict on horde and old turba2 (very old packages)

 -- Mathieu Parent <sathieu@debian.org>  Sat, 07 Jan 2012 12:23:19 +0100

horde3 (3.3.8+debian0-2) unstable; urgency=medium

  * Backport security patches from 3.3.9 and 3.3.10 to fix CVE-2010-3077
    and CVE-2010-3694 (Closes: #598582)
  * Backport upstream fix from 3.3.10 for SyncML bug: page sometimes deleting
    more anchors than selected.
  * Fix annoying bug in temp-cleanup.cron (Closes: #597603) 

 -- Gregory Colpart <reg@debian.org>  Wed, 03 Nov 2010 23:44:17 +0100

horde3 (3.3.8+debian0-1) unstable; urgency=low

  [ Mathieu Parent ]
  * Add misc:Depends to pear-horde-channel 

  [ Gregory Colpart ]
  * New upstream release. 
  * Update to standards version 3.8.4, no further required changes.

 -- Gregory Colpart <reg@debian.org>  Sun, 09 May 2010 23:11:24 +0200

horde3 (3.3.6+debian0-2) unstable; urgency=low

  * Correct debian/links
  * Updated check for upstream JS libs 
  * Add call to dh_link (Closes: #562138 imp4: Javascript problems after
    upgrade)

 -- Mathieu Parent <sathieu@debian.org>  Sat, 26 Dec 2009 00:27:55 +0100

horde3 (3.3.6+debian0-1) unstable; urgency=low

  * New upstream release.
  * Change my email address, as I am now Debian developer
  * Replace config symlink by update-alternatives to allow configuration
    packages

 -- Mathieu Parent <sathieu@debian.org>  Sun, 20 Dec 2009 16:39:57 +0100

horde3 (3.3.5+debian0-1) unstable; urgency=high

  [ Gregory Colpart ]
  * New upstream release.
  * This version is mainly for fixing security bugs, in particular a
    vulnerability in image form fields that allows overwriting of arbitrary
    local files. See CVE-2009-3236 for more information. (Closes: #547318)
  * Adjust branch names in debian/rules for refresh-patches.
  * Add patch-stamp in COPY_EXCLUDE (oops).
  * Add php-mdb2* packages in Recommends (Closes: #528927).
  * Update to standards version 3.8.3, no further required changes.

  [ Mathieu Parent ]
  * Install /etc/horde/horde3/registry.d directory

 -- Gregory Colpart <reg@debian.org>  Sun, 20 Sep 2009 20:00:25 +0200

horde3 (3.3.4+debian0-1) unstable; urgency=low

  * New upstream release. 
  * Change Vcs-Browser field (migrate a --bare git repository on alioth). 
  * Update to standards version 3.8.1, no further required changes.

 -- Gregory Colpart <reg@debian.org>  Sat, 02 May 2009 03:46:44 +0200

horde3 (3.3.3+debian0-1) unstable; urgency=low

  * New upstream release. (Closes: #513015)
  * This new version has a lot of fixes and improvements, and includes some
    changes backported previously.
  * Add "Git patches" stuff in debian/rules.
  * Add horde PEAR channel within pear-horde-channel package. (Closes: #514007)
  * Add Mathieu Parent in Uploaders: field.
  * We use now Git, upgrade Vcs-* in debian/control.

 -- Gregory Colpart <reg@debian.org>  Sun, 15 Mar 2009 19:22:50 +0100

horde3 (3.2.2+debian0-2) unstable; urgency=high

  * Add informations in README.Debian about test.php files: these files should
    not be "allow from all", because test.php includes private informations and
    could be unsafe (for example see CVE-2008-4182).
  * Include a patch from Horde upstream to fix an IE-only hole in XSS filter
    (See CVE-2008-5917 for more information). (Closes: #512592)
  * Include patches from Horde upstream to fix a file inclusion issue in
    Horde_Image driver name (Image/Image.php) and an unescaped output in
    the tag cloud block (services/portal/cloud_search.php). (Closes: #513265)

 -- Gregory Colpart <reg@debian.org>  Thu, 29 Jan 2009 01:15:51 +0100

horde3 (3.2.2+debian0-1) unstable; urgency=high

  * New upstream release.
  * This version is mainly for fixing two security bugs: unescaped output in
    the MIME library and improve the XSS filter for HTML (See CVE-2008-3823 for
    more information). (Closes: #499579)
  * Add changelog entry with CVE ID in changelog for 3.2.1+debian0-1.
  * Fix misspelling in Recommends: field. (Closes: #499001)
  * Improve upgrade path Etch->Lenny with forcing to show diff of
    /etc/horde/horde3/registry.php because all horde components are now
    inactive by default. (Closes: #493885)
  * Change Gregory Colpart's email address in debian/control file.

 -- Gregory Colpart <reg@debian.org>  Mon, 22 Sep 2008 03:28:05 +0200

horde3 (3.2.1+debian0-2) unstable; urgency=low

  [ Mathieu Parent ]
  * debian/rules: remove js/src/* in the target directory instead of the
    source directory

  [ Gregory Colpart (evolix) ]
  * Backport patch from Horde CVS to fix a MIME handling bug. Thanks to Marc
    Dequènes <duck@duckcorp.org> to report it. (Closes: #490125)
  * Adjust dependencies (php5-gd, php5-mcrypt, php-mail and php-mail-mime are
    now required; php5-cli is now recommended, etcetera).
  * Execute now temp-cleanup.cron script as www-data instead of root, and
    redirect errors to /dev/null.
  * Add cron script for Alarms.
  * Allow only www-data to read Horde configuration files. (Closes: #432814) 
  * Adjust watch file with adding dversionmangle option.
  * Fix line-too-long lintian warnings in debian/copyright.
  * Disable all Horde components by default, and initial configuration
    settings  to avoid broken pages. (Closes: #487799, #486679) 

 -- Gregory Colpart (evolix) <reg@evolix.fr>  Mon, 21 Jul 2008 04:06:39 +0200

horde3 (3.2.1+debian0-1) unstable; urgency=low

  * New upstream release.
  * This new version has major changes compared to the previous version: an
    alarm system that can send email, generate inline notifications, and play
    sounds for events in any Horde application; support for read and write
    databases; operation when the database is down; many performance
    improvements, several slick new themes; WCAG 1.0 Priority 2/Section 508
    accessibility guidelines compliance; full Kolab webclient support; many
    improvements in the JavaScript and user interface; a new tree view for
    Help along with keyword search; support for memcache clustering; and many,
    many bug fixes and small enhancements.
  * This new upstream release fixes a security bug: a small XSS/unescaped
    output in obrowser (See CVE-2008-3330 and #492578 for more informations).
  * With this new version: remove of backported patch for correcting invalid
    entities in es_ES (#461400) and manual merge for
    config/mime_drivers.php.dist and config.conf.xml for keeping Debian
    specific patches.
  * Thanks to Mathieu Parent <math.parent@gmail.com> for his help/patches for
    this package.
  * Repack upstream source to remove fckeditor, tinymce and scriptaculous
    (size of upstream source is now instead 7 Mo instead of 8 Mo).
  * Added a check in debian/rules to make sure that those external libs are not
    in the orig.tar.gz
  * A lot of improvements in debian/copyright file.
  * Some adjustements in debian/rules: remove exec rights for xml/png/gif/css/
    js/jpg/html/htm files, no more need to remove empty directories and copy
    CREDITS file.
  * Link some *.js files with libjs-scriptaculous package.
  * Link editors (tinymce and fckeditor) with tinymce2 and fckeditor packages.
  * Add unrtf and libwpd-tools in "Suggests" field. 
  * Add patch to keep PAM authentication stays compatible with precedent
    version (and with php5-auth-pam package). Add php5-auth-pam to Suggests:
    field.
  * Update to standards version 3.8.0, no further required changes.

 -- Gregory Colpart (evolix) <reg@evolix.fr>  Sat, 14 Jun 2008 17:14:51 +0200

horde3 (3.1.7-1) unstable; urgency=high

  * New upstream release.
  * This new version has security fix: fix arbitrary file inclusion through
    abuse of the theme preference (see CVE-2008-1284 for more informations).
    (Closes: #470640)
  * Fix typo in debian/rules comments.
  * Add php-net-imap package in "Suggests" field. (Closes: #470283)
  * Add libgeoip1 package in "Suggests" field. (Closes: #376935)

 -- Gregory Colpart (evolix) <reg@evolix.fr>  Sat, 15 Mar 2008 14:00:34 +0100

horde3 (3.1.6-1) unstable; urgency=high

  * New upstream release.
  * This new version has security fixes : privilege escalation in the Horde
    API and XSS vulnerabilities (see CVE-2007-6018 for more informations).
    (Closes: #461131)
  * This new version fixes also translation error in it_IT locale
    (Closes: #459555)
  * Import fix from Horde CVS to correct invalid entities in es_ES
    translantion (thanks to Adrian Santos Marrero <adsaman@gmail.com>)
    (Closes: #461400)
  * Update to standards version 3.7.3, no further required changes.
  * Use now Vcs-* fields in debian/control.
  * Remove empty directories which causes lintian warnings.
  * Bump debhelper compat level to 5.
  * Add Homepage field. 

 -- Gregory Colpart (evolix) <reg@evolix.fr>  Sun, 20 Jan 2008 20:52:59 +0100

horde3 (3.1.4-2) unstable; urgency=low

  [ Gregory Colpart (evolix) ]
  * Added XS-VCS-* fields in debian/control.
  * Typo in previous changelog.

  [ Ola Lundqvist ]
  * Correction of log file problem in configuration file, closes: #452351.
  * Document that the echo line need to be removed as well, closes: #456908.

 -- Ola Lundqvist <opal@debian.org>  Sat, 22 Dec 2007 11:21:40 +0100

horde3 (3.1.4-1) unstable; urgency=high

  * New upstream release.
  * Transition to PHP5 for Recommends and Suggests fields. (Closes: #432237)
  * Remove old phpapi-* from Depends: (Closes: #420644)
  * Clean Depends, Recommends and Suggests fields.
  * Remove exec right for XML files in debian/rules.
  * Add locales in Recommends.
  * Disable upstream _detect_webroot() function (unusable in Debian).
  * Fix XSS vulnerability. See CVE-2007-1473 for more information.
    (Closes: #434045)

 -- Gregory Colpart (evolix) <reg@evolix.fr>  Tue, 24 Jul 2007 18:48:35 -0400

horde3 (3.1.3-5) unstable; urgency=low

  * Changed webroot from /horde to /horde3, especially regarding cookie
    handling, closes: #391493.

 -- Ola Lundqvist <opal@debian.org>  Mon, 21 May 2007 07:03:41 +0200

horde3 (3.1.3-4) unstable; urgency=high

  * Correction for arbitrary file deletion vulnerability,
    closes: #415116. Thanks to Paul TBBle Hampson <Paul.Hampson@Pobox.com>
    for providing the patch.

 -- Ola Lundqvist <opal@debian.org>  Sat, 24 Mar 2007 21:19:05 +0100

horde3 (3.1.3-3) unstable; urgency=low

  * Recommend php-db (closes: #400277)

 -- Lionel Elie Mamane <lmamane@debian.org>  Sat, 27 Jan 2007 19:38:21 +0100

horde3 (3.1.3-2) unstable; urgency=low

  * Changed the default cookie path from /horde to horde3, closes:
    #391493. Thanks for Gregory Colpart <reg@evolix.fr> for committing
    this change and to Lorenzo Bettini <bettini@dsi.unifi.it> for
    suggesting it.

 -- Ola Lundqvist <opal@debian.org>  Mon,  9 Oct 2006 14:00:35 +0200

horde3 (3.1.3-1) unstable; urgency=low

  * New upstream version, closes: #383416. This is a bugfix release to
    correct CVE-2006-4256.
  * Now suggests gettext, closes: #385457.

 -- Ola Lundqvist <opal@debian.org>  Sun,  3 Sep 2006 12:34:06 +0200

horde3 (3.1.2-1) unstable; urgency=medium

  * New upstream release.
    One of the following is true:
    - This release fixes security problems CVE-2006-3549 and CVE-2006-3548
    - These security problems were already fixed in the past in the Debian
      branch.
    - These security problems were already partially fixed in the past in
      the Debian version and this release mops up the rest.
    In all cases, closes: #378281
  * Tweak README.Debian and example config a bit (closes: #373235)
  * Make the PHP tempdir configurable instead of hardcoded in the weekly
    cleanup script (closes: #376526)
  * Put the CREDITS file where the online help viewer expects it
    (closes: #357377)
  * Bump up Standards-Version

 -- Lionel Elie Mamane <lmamane@debian.org>  Sun, 16 Jul 2006 13:12:10 +0200

horde3 (3.1.1-4) UNRELEASED; urgency=low

  * Put debhelper in Build-Depends, not B-D-Indep.

 -- Lionel Elie Mamane <lmamane@debian.org>  Fri, 16 Jun 2006 11:49:45 +0200

horde3 (3.1.1-3) unstable; urgency=high

  * The SuSE maintainer found several XSS isses in Horde. See
    CVE-2006-2195 for more information. Thanks to Moritz Muehlenhoff
    <jmm@inutil.org> for providing the patch.

 -- Ola Lundqvist <opal@debian.org>  Wed, 14 Jun 2006 09:36:43 +0200

horde3 (3.1.1-2) unstable; urgency=low

  * Correcting the dependencies for php5.
  * Jose Carlos Medeiros no longer maintainer of this package.

 -- Ola Lundqvist <opal@debian.org>  Sat,  6 May 2006 21:01:48 +0200

horde3 (3.1.1-1) unstable; urgency=high

  [ Lionel Elie Mamane <lmamane@debian.org> ]
  * New upstream version
    - Close remote arbitrary command execution hole (closes: #360023)
      CVE-2006-1491
  * Really exclude {arch} directory from being installed in binary
    package.

 -- Lionel Elie Mamane <lmamane@debian.org>  Thu,  6 Apr 2006 19:14:56 +0200

horde3 (3.1-2) UNRELEASED; urgency=low

  [ Lionel Elie Mamane <lmamane@debian.org> ]
  * Conflict with versions of turba2 we break compatibility with.
    (closes: #360231)

 -- Lionel Elie Mamane <lmamane@debian.org>  Fri, 31 Mar 2006 23:08:02 +0200

horde3 (3.1-1) unstable; urgency=low

  [ Lionel Elie Mamane <lmamane@debian.org> ]
  * Tweak the "Admin interface disabled because insecure" message.

  [ Ola Lundqvist <opal@debian.org> ]
  * Updated to upstream version 3.1, closes: #356186, #356526.
    With correction for CVE-2006-1260 file disclosure vulnerability.
    Closes: #358812.
    This version correct CVE-2005-4190 as well, closes: #354512.
  * Modified dependencies in order to support php5 and to support
    recent installations of php4, closes: #353612, #359700, #359208.

 -- Ola Lundqvist <opal@debian.org>  Tue, 28 Mar 2006 20:58:38 +0200

horde3 (3.0.9-3) unstable; urgency=low

  * Move to team maintainership.
  * Make sure that {arch} is not a part of installed dir.

 -- Ola Lundqvist <opal@debian.org>  Sun, 12 Mar 2006 21:40:35 +0100

horde3 (3.0.9-2) unstable; urgency=high

  * Correct fix for weatherdotcom.

 -- Ola Lundqvist <opal@debian.org>  Fri, 16 Dec 2005 20:50:01 +0100

horde3 (3.0.9-1) unstable; urgency=high

  * New upstream release that correct a cross site scripting vulnerability
    as described in CVE-2005-4190, closes: #342942.
  * Documented that horde is incompatible with php4 session.auto_start option
    in the README.Debian file, closes: #341695.
  * Added php-mail to recommends list, closes: #339135.
  * Applied a patch to make weatherdotcom work, closes: #342161.
    Thanks to Giuseppe Iuculano <giuseppe@iuculano.it>.
  * Documented how to add alias to apache config, closes: #306605.
  * Changed the initial config message slightly, closes: #341358.

 -- Ola Lundqvist <opal@debian.org>  Fri, 16 Dec 2005 17:51:15 +0100

horde3 (3.0.7-1) unstable; urgency=high

  * New upstream release.
    This version fix cross site scripting vulnerabilities (CVE-2005-3759),
    closes: #340323.

 -- Ola Lundqvist <opal@debian.org>  Tue, 22 Nov 2005 22:45:59 +0100

horde3 (3.0.6-1) unstable; urgency=low

  * New upstream release.
  * Added phpapi-20041030 to the supported api versions (to support php5),
    closes: #333155.
  * Fixed so files in etc are rewritten the same was as files in usr/share,
    closes: #319780.
  * Updated to standards version 3.6.2.
  * Corrected to new FSF address.

 -- Ola Lundqvist <opal@debian.org>  Sat,  5 Nov 2005 16:11:03 +0100

horde3 (3.0.5-4) unstable; urgency=low

  * Minor fix for README.Debian file.
  * Added suggests of php4-mhash, closes: #335913.
  * Corrected dependency on php4, closes: #329940.
  * Corrected problem with ispell and Brazilian Language, closes: #328155.
    Thanks to Jose Carlos Medeiros <jcnascimento@gmail.com> for the fix.

 -- Ola Lundqvist <opal@debian.org>  Sat,  5 Nov 2005 12:40:43 +0100

horde3 (3.0.5-3) unstable; urgency=high

  * Improved description on why horde3 is disabled by default.

 -- Ola Lundqvist <opal@debian.org>  Sun,  9 Oct 2005 12:54:43 +0200

horde3 (3.0.5-2) unstable; urgency=high

  * Configuration disabled by default, closes: #332290, #332289.
  * Removed some crap from the README.Debian file, closes: #332276.

 -- Ola Lundqvist <opal@debian.org>  Sat,  8 Oct 2005 21:10:48 +0200

horde3 (3.0.5-1) unstable; urgency=low

  * New upstream release,
    closes: #325146, #315571, #325727, #321490, #309729, #304186.
  * Added gollem to suggest list, closes: #325492.
  * Added webcpp, chora2, xlhtml, ppthtml, wv, source-highlight, enscript
    and rpm to suggest list, closes: #309657, #326066.
  * Patched config/mime_drivers.php.dist so that no /usr/local is used
    for programs that exist in Debian archive, closes: #309661.

 -- Ola Lundqvist <opal@debian.org>  Fri,  9 Sep 2005 22:53:15 +0200

horde3 (3.0.4-4) unstable; urgency=low

  * Added conflict on horde so removing horde do not cause configuration
    removal in horde3, closes: #307623.

 -- Ola Lundqvist <opal@debian.org>  Wed,  4 May 2005 23:08:08 +0200

horde3 (3.0.4-3) unstable; urgency=medium

  * Removed post* and pre* files becuase they contain nothing that
    should remain.
  * Fixed dependency problem, closes: #294026.
  * Added a note about configuration to README.Debian, closes: #304086.

 -- Ola Lundqvist <opal@debian.org>  Sun, 17 Apr 2005 14:27:31 +0200

horde3 (3.0.4-2) unstable; urgency=low

  * Fixed permission problem on log file.
  * Updated copyright file. It actually use LGPL and not GPL.
  * Removed unnecessary config dir in /etc/horde/horde3.

 -- Ola Lundqvist <opal@debian.org>  Sun, 10 Apr 2005 19:51:55 +0200

horde3 (3.0.4-1) unstable; urgency=low

  * New upstream release.

 -- Ola Lundqvist <opal@debian.org>  Mon,  4 Apr 2005 08:11:18 +0200

horde3 (3.0.3-1) unstable; urgency=low

  * New upstream release.
    Jose Carlos Medeiros <jose@psabs.com.br> have helped a lot with
    this version.

 -- Ola Lundqvist <opal@debian.org>  Thu, 17 Feb 2005 15:41:33 -0200

horde3 (3.0.2-1) unstable; urgency=low

  * New upstream release.
  * Cooperated with Roberto Sanchez <roberto@familiasanchez.net> in
    order to complete this version.

 -- Ola Lundqvist <opal@debian.org>  Fri,  7 Jan 2005 13:41:54 +0100

horde3 (3.0.1-1) unstable; urgency=low

  * New upstream release.

 -- Ola Lundqvist <opal@debian.org>  Thu,  6 Jan 2005 16:35:23 +0100

horde3 (3.0-1) unstable; urgency=low

  * Initial Release.

 -- Ola Lundqvist <opal@debian.org>  Sat,  1 Jan 2005 14:51:04 +0100
