phpbb3 (3.0.12-5+deb8u4) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-13376, CVE-2019-16993: includes/acp/acp_bbcodes.php:
    Check form key in acp_bbcodes, and check form key regardless of whether
    submit is set. CVE-2019-13376 was a regression of the fix for
    CVE-2019-16993.

 -- Mike Gabriel <sunweaver@debian.org>  Tue, 01 Oct 2019 00:58:32 +0200

phpbb3 (3.0.12-5+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-9826:
    Colin Snover discovered a denial-of-service vulnerability in phpBB3, a
    full-featured web forum. Previous versions allowed users to run searches
    that might result in long execution times and load on larger boards when
    using the fulltext native search engine. To combat this, further
    restrictions were introduced on search queries.

 -- Markus Koschany <apo@debian.org>  Fri, 03 May 2019 20:53:53 +0200

phpbb3 (3.0.12-5+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-19274:
    Passing an absolute path to a file_exists check in phpBB allows Remote Code
    Execution through Object Injection by employing Phar deserialization when
    an attacker has access to the Admin Control Panel with founder permissions.
    The fix for this issue resulted in the removal of setting the ImageMagick
    path. The GD image library can be used as a replacement and a new event to
    generate thumbnails was added, so it is possible to write an extension that
    uses a different image library to generate thumbnails.

 -- Markus Koschany <apo@debian.org>  Sat, 24 Nov 2018 14:52:11 +0100

phpbb3 (3.0.12-5+deb8u1) jessie; urgency=medium

  * Fix possible redirection on Chrome: an insufficient check allowed users of
    the Google Chrome browser to be redirected to external domains (e.g. on
    login) [CVE-2015-3880]

 -- David Prévot <taffit@debian.org>  Tue, 12 May 2015 15:52:23 -0400

phpbb3 (3.0.12-5) unstable; urgency=medium

  * Fix authentication setup: another PHP 5.6 compatibility issue, the
    internal ldap_escape() function was recently added into PHP 5.6 as
    provided by php5-ldap, and thus needs to be renamed.
    (Closes: #778553)
  * Fix avatar upload permissions
  * Fix image display in Apache (Closes: #778457)

 -- David Prévot <taffit@debian.org>  Mon, 16 Feb 2015 13:51:53 -0400

phpbb3 (3.0.12-4) unstable; urgency=medium

  * Fix CSRF vulnerability [CVE-2015-1432] and CSS injection [CVE-2015-1431]
    (Closes: #776699)
  * Improve PHP 5.6 compatibility: allow mbstring.http_{in,out}put to be set
    as '' as well as 'pass' on install; do not display warning in ACP if so.

 -- David Prévot <taffit@debian.org>  Mon, 02 Feb 2015 20:35:46 -0400

phpbb3 (3.0.12-3) unstable; urgency=medium

  * Adapt update_languages script to new scheme
  * Update URL for upstream language files
  * Bump standards version to 3.9.6
  * Update copyright

 -- David Prévot <taffit@debian.org>  Sat, 25 Oct 2014 20:58:23 -0400

phpbb3 (3.0.12-2) unstable; urgency=medium

  * Update translations:
    - Update Belarusian
    - Update Finnish
    - Add Gaelic
    - Add Tatar
  * Update packaging team (Closes: #740936)
    Thanks Jeroen and Jean-Marc for your previous work.

 -- David Prévot <taffit@debian.org>  Fri, 11 Apr 2014 17:57:11 -0400

phpbb3 (3.0.12-1) unstable; urgency=low

  * New upstream release
  * Refresh patches
  * Update copyright
  * Clean up pre-Squeeze upgrade path
  * Use XZ compression for language packs
  * Bump standards version to 3.9.5
  * Allow alternatives to MySQL (closes: #732900)

 -- David Prévot <taffit@debian.org>  Thu, 02 Jan 2014 22:04:21 -0400

phpbb3 (3.0.11-5) unstable; urgency=low

  * Make fix_chown.patch a bit more robust
  * Clean up pre-Squeeze handling
  * Handle Apache 2.4 (and 2.2 too, closes: #669959)
  * Clean up copyright

 -- David Prévot <taffit@debian.org>  Sun, 21 Jul 2013 18:06:20 -0400

phpbb3 (3.0.11-4) unstable; urgency=high

  * Fix chown in cache (closes: #711172)
  * Fix world-writable directories

 -- David Prévot <taffit@debian.org>  Thu, 13 Jun 2013 15:35:45 -0400

phpbb3 (3.0.11-3) experimental; urgency=low

  * Update Belarusian, Bulgarian, Czech, Mexican Spanish, Spanish (Casual
    Honorifics and Formal Honorifics) and Slovenian translations.
  * Update copyright to new path for these translations.

 -- David Prévot <taffit@debian.org>  Wed, 03 Apr 2013 23:03:56 -0400

phpbb3 (3.0.11-2) experimental; urgency=low

  * Allow language pack update, without updating the main tarball.
  * Update Czech, Croatian, Swedish and Vietnamese translations.
  * Update copyright to new path for these translations.

 -- David Prévot <taffit@debian.org>  Mon, 26 Nov 2012 16:57:03 -0400

phpbb3 (3.0.11-1) experimental; urgency=low

  * New upstream release.
  * New Brazilian Portuguese debconf translation by J.S.Júnior
    (closes: #663496).
  * Move webserver examples to /usr/share/phpbb3/webserver-examples since they
    are referenced at install time (Policy 10.7.3).
  * Update copyright, making it conform to machine-readable version 1.0.
  * Update to policy 3.9.4: no change needed.
  * Update patches.
  * debian/dbapps-lib: Correct handling of dbc_dbserver when configuring mysql
    connection parameters, thanks to Liam Young for the patch (the #613060 fix
    was not correct, LP: #997782, closes: #678544).
  * Remove AUTHORS and VERSION files from the l10n binary package.

 -- David Prévot <taffit@debian.org>  Fri, 05 Oct 2012 18:36:43 -0400

phpbb3 (3.0.10-2) unstable; urgency=low

  * Update Czech translation (closes: #658650).

 -- David Prévot <taffit@debian.org>  Sat, 04 Feb 2012 19:16:24 -0400

phpbb3 (3.0.10-1) unstable; urgency=low

  * New upstream release.
  * Update patches and schemes.
  * Explicitly define version number for database upgrade.

 -- David Prévot <taffit@debian.org>  Mon, 16 Jan 2012 19:33:28 -0400

phpbb3 (3.0.9-1) unstable; urgency=low

  * New upstream release.
  * Remove Shield Ranks plugin (licensing issue).
  * Update language pack path (upstream packages modified).
  * Update patches: use cache/$url_forum/ in acm_memory.php too.
  * Don't hardcode version number for database upgrade.
  * Handle permissions of nested directories (closes: #607380).
  * Explicitly define PHPBB_ROOT_PATH in install-XXX (closes: #644276).

 -- David Prévot <taffit@debian.org>  Sun, 20 Nov 2011 12:31:59 -0400

phpbb3 (3.0.7-PL1-5) unstable; urgency=low

  [ David Prévot ]
  * Fix broken cache, thanks to Nicolas Schodet (actually closes: #599480).
  * Fix cross site scripting vulnerability (closes: #612477) [CVE-2011-0544].
  * Enforce run_sql with "-h localhost" when $dbc_dbserver is empty
    (closes: #613060).
  * Don't use local lib on preinst (closes: #595536).
  * Update to policy 3.9.2: no change needed.
  * Update my email address.

  [ Jean-Marc Roth ]
  * Fix postgres failure when postgres server is remote (closes: #612441).
  * Don't be too rude on trying to uninstall when unsupported webserver is
    used (closes: #597373).

 -- David Prévot <taffit@debian.org>  Mon, 23 May 2011 15:59:05 -0400

phpbb3 (3.0.7-PL1-4) unstable; urgency=high

  [ Jean-Marc Roth ]
  * Be nicer on run_sql() failure (e.g. noninteractive case) -- inspired from
    dbconfig (closes: #595594).

  [ David Prévot ]
  * Vietnamese debconf translation updated, Clytie Siddall (closes: #598579).
  * Document $url_forum feature in README.multiboard (closes: #599480).

 -- David Prévot <david@tilapin.org>  Sat, 16 Oct 2010 12:30:20 -0400

phpbb3 (3.0.7-PL1-3) unstable; urgency=high

  [ David Prévot ]
  * Use explicitly port 80 in examples, thanks to Greg Lyle (closes: #586012).
  * Update to policy 3.9.1: no change needed.
  * Japanese debconf translation updated, Hideki Yamane (closes: #591079).

  [ Jean-Marc Roth ]
  * Be nicer on dbconfig-common failure -- inspired from s9y (closes: #586759).

 -- David Prévot <david@tilapin.org>  Sat, 31 Jul 2010 19:07:44 -0400

phpbb3 (3.0.7-PL1-2) unstable; urgency=low

  [ Jean-Marc Roth ]
  * Maintainer script does not correctly handle remote DB (closes: #583197).
  * Update path to VCS-browser, websvn needs a trailing slash.

  [ David Prévot ]
  * templates reviewed with the Smith Review Project.
  * Portuguese debconf translation updated thanks to Américo Monteiro
    (closes: #583458).
  * French debconf translation updated.
  * Czech debconf translation updated thanks to Miroslav Kure
    (closes: #583771).
  * Danish debconf translation added thanks to Joe Hansen (closes: #583829).
  * Swedish debconf translation updated thanks to Martin Ågren
    (closes: #584753).
  * Italian debconf translation updated thanks to Luca Monducci
    (closes: #584771).
  * Russian debconf translation updated thanks to Yuri Kozlov
    (closes: #584800).
  * German debconf translation updated thanks to Matthias Julius
    (closes: #584847).
  * Spanish debconf translation updated thanks to Francisco Javier Cuadrado
    (closes: #584863).

  [ Thijs Kinkhorst ]
  * Remove obsolete uuencoded logos.
  * Dutch debconf translation updated.

 -- Jean-Marc Roth <jmroth@iip.lu>  Wed, 26 May 2010 12:55:24 +0200

phpbb3 (3.0.7-PL1-1) unstable; urgency=low

  [ Jean-Marc Roth ]
  * New upstream release (closes: #571787, #524361).
    [CVE-2010-1630, CVE-2010-1627]
  * Update to source package format 3.0 (quilt). (made patches DEP-3 compliant)
  * Reinforced security: enable gd captcha, php5-gd becomes dependency,
    set random captcha settings during config, require user account activation
    (closes: #570011).
  * Board becomes multi-site capable (closes: #437836).
  * README.multiboard updated (closes: #529707).
  * database upgrade uses patched database_update.php from upstream
    => added php5-cli to dependencies.
  * apache2 has become new default in debconf (phpbb3/http).
  * Styles documentation updated (closes: #569911).
  * Restart webserver (closes: #430458).
  * Sqlite support fixed (closes: #504419).
  * Next-gen permissions on /var/cache and /var/lib, especially for multisite
    (closes: #447542).
  * Using UCF for webserver config.
  * Support setting admin credentials via debconf (closes: #477440).
  * Provide install directory, actually req'd for multisite (closes: #440405).

  [ David Prévot ]
  * Upstream documentation included.
  * Language pack is back (closes: #502563).
  * copyright notice updated to DEP-5 (closes: #505319).
  * Support automatic configuration for lighttpd (closes: #574551).
  * control and templates reviewed by the Smith Review Project.
  * Portuguese debconf translation updated thanks to Américo Monteiro
    (closes: #575949).
  * Vietnamese debconf translation updated thanks to Clytie Siddall
    (closes: #575990).
  * German debconf translation updated thanks to Matthias Julius
    (closes: #576939).
  * Japanese debconf translation updated thanks to Hideki Yamane
    (closes: #577063).
  * French debconf translation updated.
  * Spanish debconf translation added thanks to Francisco Javier Cuadrado
    (closes: #579197).
  * Swedish debconf translation updated thanks to Martin Ågren
    (closes: #579280).

  [ Thijs Kinkhorst ]
  * Removed self from uploaders.

 -- Jean-Marc Roth <jmroth@iip.lu>  Fri, 30 Apr 2010 12:41:23 +0200

phpbb3 (3.0.4-1) UNRELEASED; urgency=low

  * New upstream release.
  * Drop all PHP4-related stuff.
  * Obsoletes security patches from previous uploads.
  * Minor packaging cleanups.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 16 Feb 2009 23:49:49 +0100

phpbb3 (3.0.2-4) unstable; urgency=high

  * Two security fixes backported from 3.0.4:
    + deactivated accounts could be re-activated by a user
      (closes: #508872).
    + ask for forum password if post within passworded forum
      quoted in private message.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 06 Feb 2009 14:51:46 +0100

phpbb3 (3.0.2-3) unstable; urgency=high

  * More fixes for PostgreSQL database schema creation,
    thanks Ansgar Burchardt (Closes: #497721).

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 05 Sep 2008 21:06:21 +0200

phpbb3 (3.0.2-2) unstable; urgency=high

  * Fix bug in PostgreSQL database schema creation (Closes: #497721).
  * Update to policy 3.8.0: add a patch target to debian/rules and
    a README.source file.
  * Fix watch file.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 04 Sep 2008 09:39:00 +0200

phpbb3 (3.0.2-1) unstable; urgency=medium

  * New upstream bugfix release.
    - Includes low-impact security issue, so medium urgency.
      [CVE-2008-3224]

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 12 Jul 2008 21:32:15 +0200

phpbb3 (3.0.1-1) unstable; urgency=low

  * New upstream bugfix release.
  * Add Portuguese debconf translation thanks to Miguel Figueiredo
    (Closes: #470112)
  * Fix PostgreSQL schema to strip out hash-style comments
    (Closes: #461117).

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 22 Apr 2008 01:13:42 +0200

phpbb3 (3.0.0-2) unstable; urgency=low

  * Also install download/ directory, thanks Laurent Bigonville
    (Closes: #466429).
  * Upload to unstable.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 27 Feb 2008 11:03:04 +0100

phpbb3 (3.0.0-1) experimental; urgency=low

  * New upstream release (closes: #456304).
  * Drop obsoleted fix for admin reauth (closes: #450696).
  * Initialise board startdate to package install time (closes: #447541).
  * Use MySQL 4.1 schema instead of 4.0, it is more compatible with
    recent MySQL versions (closes: #460931).
  * Make cache dir readable by webserver (closes: #447540).

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 19 Jan 2008 22:29:57 +0100

phpbb3 (3.0.0~RC7-1) experimental; urgency=low

  * New upstream Release Candidate 7.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 23 Oct 2007 23:01:26 +0200

phpbb3 (3.0.0~RC5-1) experimental; urgency=low

  * New upstream Release Candidate 5.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 27 Aug 2007 21:24:05 +0200

phpbb3 (3.0.0~RC4-1) experimental; urgency=low

  * New upstream Release Candidate 4.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 30 Jul 2007 17:02:24 +0200

phpbb3 (3.0.0~RC3-1) experimental; urgency=low

  * New upstream Release Candidate 3.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 09 Jul 2007 13:35:41 +0200

phpbb3 (3.0.0~RC2-1) experimental; urgency=low

  * New upstream Release Candidate 2.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 27 Jun 2007 13:33:24 +0200

phpbb3 (3.0.0~RC1) experimental; urgency=low

  * New upstream Release Candidate 1.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 31 May 2007 16:35:37 +0200

phpbb3 (3.0.0~B5) experimental; urgency=low

  * New upstream Beta 5 release.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue,  6 Feb 2007 16:31:45 +0100

