drupal7 (7.14-2+deb7u12) wheezy-security; urgency=high

  * Backported from 7.43 (plus minor needed bits from 7.36 and 7.30
    in modules/file/file.module): SA-CORE-2016-001: Fixes several
    security vulnerabilities: File upload access bypass and DoS, brute
    force amplification attack via XML-RPC, open redirect via path
    manipulation, reflected file download, wrong modes set on some user
    accounts setting saves, information disclosure of email addresses.
    CVE IDs not yet assigned

 -- Gunnar Wolf <gwolf@debian.org>  Sun, 28 Feb 2016 11:52:05 -0600

drupal7 (7.14-2+deb7u11) wheezy-security; urgency=high

  * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access
    bypass, SQL injection, open redirect). CVE IDs not yet assigned.

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 27 Aug 2015 12:59:35 -0500

drupal7 (7.14-2+deb7u10) oldstable-security; urgency=high

  * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities.  CVE
    IDs assigned as follows:
    + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
    + Open redirect (Field UI module - Drupal 7): CVE-2015-3232
    + Open redirect (Overlay module - Drupal 7: CVE-2015-3233
    + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231
  * Refreshed patches that are applied for the build process, lowering the
    amount of build-noise generated.

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 18 Jun 2015 09:53:59 -0500

drupal7 (7.14-2+deb7u9) wheezy-security; urgency=high

  * Backported from version 7.35 addressing SA-CORE-2015-001 (Access
    bypass on password reset URLs; Open redirect)

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 19 Mar 2015 10:04:29 -0600

drupal7 (7.14-2+deb7u8) wheezy-security; urgency=high

  * Backported from version 7.34 addressing SA-CORE-2014-006 (Session
    hijacking, denial of service)

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 19 Nov 2014 15:20:00 -0600

drupal7 (7.14-2+deb7u7) wheezy-security; urgency=critical

  * Backported from version 7.32 addressing SA-CORE-2014-005 (SQL
    injection) (CVE 2014-3704)

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 15 Oct 2014 11:43:08 -0500

drupal7 (7.14-2+deb7u6) wheezy-security; urgency=high

  * Backported from version 7.31 addressing SA-CORE-2014-004 (Denial of
    service due to a XML entity expansion attack). CVE not yet assigned.
  * Added DEP3 headers to patches created in 2014l

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 06 Aug 2014 23:28:29 -0500

drupal7 (7.14-2+deb7u5) wheezy-security; urgency=high

  * Backported from version 7.29 addressing SA-CORE-2014-003 (Denial of
    service, access bypass, 2×cross-site scripting). CVE not yet assigned.

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 17 Jul 2014 12:14:56 -0500

drupal7 (7.14-2+deb7u4) wheezy-security; urgency=high

  * Backported from version 7.27 addressing an information disclosure
    vulnerability; (CVE-2014-2983, SA-CORE-2014-002)
  * Fixed a regression caused by the backported 7.27 fix which breaks
    IE8 (see https://drupal.org/node/2245331#comment-8699683)
  * deb7u3 version skipped due to a botched upload :-|

 -- Gunnar Wolf <gwolf@debian.org>  Mon, 21 Apr 2014 19:25:19 -0500

drupal7 (7.14-2+deb7u2) wheezy-security; urgency=high

  * Backported fixes from version 7.26 addressing several security
    vulnerabilities; see advisory in https://drupal.org/SA-CORE-2014-001
    + Impersionation while using OpenID  (CVE-2014-1475)
    + Access bypass in the taxonomy module (CVE-2014-1476)
    + Security hardening in the Form API

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 15 Jan 2014 17:35:44 -0600

drupal7 (7.14-2+deb7u1) wheezy-security; urgency=high

  * Backported fixes from version 7.24 addresing several security
    vulnerabilities (SA-CORE-2013-003), including:
    * Multiple vulnerabilities due to optimistic cross-site request forgery
      protection (Form API validation) (CVE-2013-6385)
    * Multiple vulnerabilities due to weakness in pseudorandom number
      generation using mt_rand() (Form API, OpenID and random password
      generation - Drupal 6 and 7) (CVE-2013-6386)
    * Code execution prevention (Files directory .htaccess for Apache -
      (security hardening)
    * Access bypass (Security token validation)
      Treating as security hardening
    * Cross-site scripting (Image module) (CVE-2013-6387).
    * Cross-site scripting (Color module) (CVE-2013-6388).
    * Open redirect (Overlay module) (CVE-2013-6389).

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 23 Nov 2013 11:37:27 -0600

drupal7 (7.14-2) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * Acknowledge NMUs from Gunnar Wolf

  * Incorporated fix for DoS on image derivative generation
    (Ref: SA-CORE-2013-002, CVE-2013-0316) (Closes: #701165)

  * Removed update warnings for Drupal core, since security fixes are provided
    by Debian updates. (Closes: #700545)

 -- Luigi Gangitano <luigi@debian.org>  Sat, 23 Feb 2013 15:12:35 +0100

drupal7 (7.14-1.3) unstable; urgency=low

  * Non-maintainer upload.
  * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
    and 7.19) (Closes: #698334)
  * Added the missing DEP3 header to the patch introduced in 7.14-1.2

 -- Gunnar Wolf <gwolf@debian.org>  Tue, 29 Jan 2013 12:21:13 -0600

drupal7 (7.14-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Incorporated the fix for SA-CORE-2012-004 (the full diff between
    7.17 and 7.18)

 -- Gunnar Wolf <gwolf@debian.org>  Fri, 11 Jan 2013 17:57:47 -0600

drupal7 (7.14-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Incorporated the fix for SA-CORE-2012-003 (the full diff between
    7.15 and 7.16)

 -- Gunnar Wolf <gwolf@debian.org>  Fri, 19 Oct 2012 13:08:29 -0500

drupal7 (7.14-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes DoS, Unvalidated Form Redirect, Multiple Vulnerabilities
      (Ref: SA-CORE-2012-002, CVE-2012-1588,CVE-2012-1589, CVE-2012-1590,i
       CVE-2012-1591) (Closes: #671402)
    - Fixes errors in install.php (Closes: #670415)

  * debian/control
    - Bumped Standard-Version to 3.9.3.0, no change needed

 -- Luigi Gangitano <luigi@debian.org>  Thu, 10 May 2012 20:21:41 +0200

drupal7 (7.12-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release

 -- Luigi Gangitano <luigi@debian.org>  Thu, 15 Feb 2012 21:51:54 +0100

drupal7 (7.11-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
      (Ref: SA-CORE-2012-001, CVE-2012-0825, CVE-2012-0826, CVE-2012-0827)
      (Closes: #658337)

 -- Luigi Gangitano <luigi@debian.org>  Sun, 05 Feb 2012 18:16:47 +0100

drupal7 (7.10-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * debian/rules: set PACKAGE variable. (Closes: #655794)
  * Remove debian/README.source (no longer uses dpatch).

 -- Ansgar Burchardt <ansgar@debian.org>  Sat, 21 Jan 2012 12:02:49 +0100

drupal7 (7.10-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (closes: #652544)

  * debian/*
    - Switch to source format 3.0 (quilt)

 -- Luigi Gangitano <luigi@debian.org>  Mon, 26 Dec 2011 17:48:10 +0100

drupal7 (7.9-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: #647168)

  * debian/{cron.sh,README.Debian,etc/settings.php}
    - Added secret key in cron job (Closes: 639387)
      (thanks to  Christoph Schindler)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 02 Nov 2011 18:48:16 +0100

drupal7 (7.8-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: #640078)

  * debian/docs
    - Removed duplicate CHANGELOG entry

  * debian/rules
    - Added missing targets binary-arch build-arch build-indep

 -- Luigi Gangitano <luigi@debian.org>  Sun, 04 Sep 2011 21:22:24 +0200

drupal7 (7.6-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes access bypass in private file fields and comments
      (Ref: SA-CORE-2011-003, CVE-TBA)

 -- Luigi Gangitano <luigi@debian.org>  Thu, 28 Jul 2011 02:17:32 +0200

drupal7 (7.4-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release (Closes: #633385)

  * debian/control
    - Bumped Standard-Version to 3.9.2.0, no change needed

  * debian/drupal7.{config,install,postinst,postrm}
    - Renamed apache.conf to apache2.conf (Closes: #632925)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 13 Jul 2011 16:15:35 +0200

drupal7 (7.2-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release

  * debian/patches/30_DFSG-sources
    - Added uncompressed sources of javascript files

  * debian/control
    - Removed article from start of description

 -- Luigi Gangitano <luigi@debian.org>  Mon, 20 Jun 2011 02:05:42 +0200

drupal7 (7.0-2) unstable; urgency=low

  * debian/copyright
    - Added copyright notices for include JQuery libraries

 -- Luigi Gangitano <luigi@debian.org>  Sun, 15 May 2011 23:55:24 +0200

drupal7 (7.0-1) unstable; urgency=low

  * New upstream release

  [ Luigi Gangitano ]
  * debian/etc/settings.php
    - Updated default configuration file

  * debian/drupal.{dirs,links,install,postinst,postrm}
    - Removed automatic link from apache2 configuration file

  * debian/README.Debian
    - Added instructions on how to enable drupal in Apache2

  * debian/{drupal7.postinst,docs,dbconfig.template}
    - Generate database configuration from template

  [ Kinga Marjai ]
  * debian/control
    - Removed dependency on exim4, now depends on default-mda
    - Bumped Standard-Version to 3.9.1, no change needed

  * debian/drupal6.postrm
    - Made postrm check for restart.sh in case dependencies were not properly
      installed (thanks to Bhavani Shankar.R, from Ubuntu)

  * debian/cron.sh
    - Added --fail option to curl to work around missing base_url in
      configuration files

  * debian/cron.d
    - Fixed conditional to avoid warnings on removed package

 -- Luigi Gangitano <luigi@debian.org>  Sat, 05 Mar 2011 17:43:23 +0100

drupal7 (7.0~alpha2-1) UNRELEASED; urgency=low

  [ Luigi Gangitano ]
  * New upstream branch 7.0

  * debian/*
    - Rename file and directories from 6 to 7
    - In debian/control switch to Source: drupal7

  * debian/etc/settings.php
    - Updated default configuration file

  [ Kinga Marjai ]
  * debian/rules
    - Don't set debconf version dependency

 -- Luigi Gangitano <luigi@debian.org>  Tue,  3 Mar 2010 22:59:34 +0100

drupal6 (6.15-2) UNRELEASED; urgency=low

  [ Alexandre De Dommelin ]
  * Added patch to remove warnings about Drupal core updates (Closes: #521288)
  * Bump Standards-Version from 3.8.3 to 3.8.4 (no changes needed)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 10 Feb 2010 17:11:35 +0100

drupal6 (6.15-1) unstable; urgency=low

  * New upstream release (Closes: #561726)
    - Fixes several XSS vulnerabilities (Closes: #562165)
      (Ref: SA-CORE-2009-009, CVE-2009-4369, CVE-2009-4370, CVE-2009-4371)

  * debian/rules
    - Use dh_prep instead of dh_clean -k

  * debian/control
    - Upgraded versioned dependency on debhelper to 7

  * debian/README.source
    - Added directions on source handling

 -- Luigi Gangitano <luigi@debian.org>  Mon, 11 Jan 2010 19:47:13 +0100

drupal6 (6.14-1) unstable; urgency=low

  * New upstream release
    - Removed security patches integrate upstream
      + 20_SA-CORE-2009-007
    - Fixes multiple vulnerabilities (Ref: SA-CORE-2009-008)
      (Closes: #547140)

  * debian/control
    - Bumped Standard-Version to 3.8.3, no change needed

  * debian/compat
    - Switch debhelper compatibility to 7

  * debian/copyright
    - Added reference to copyright file with version

 -- Luigi Gangitano <luigi@debian.org>  Sun, 20 Sep 2009 04:57:57 +0200

drupal6 (6.13-1) UNRELEASED; urgency=low

  * New upstream release

 -- Luigi Gangitano <luigi@debian.org>  Mon, 13 Jul 2009 19:42:38 +0200

drupal6 (6.12-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Apply upstream patch to fix:
    - XSS in the forum module
    - Input format access bypass via signatures
    - Password leakage via URLs
    (no CVE id yet; SA-CORE-2009-007; Closes: #535435).

 -- Nico Golde <nion@debian.org>  Mon, 06 Jul 2009 20:27:45 +0200

drupal6 (6.12-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: #529309)
    (Acknoledges NMU by Security Team) (Closes: #531386)
    - Removed security patch integrate upstream
      + 20_xss

  * debian/{control,rules,links}
    - Removed dependency on libjs-jquery and use jquery.js from drupal
      sources to avoid conflict with newer version of jquery
      (Closes: #530779)

 -- Luigi Gangitano <luigi@debian.org>  Tue, 02 Jun 2009 18:25:58 +0200

drupal6 (6.11-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix several XSS issues (SA-CORE-2009-006; Closes: #529190).

 -- Nico Golde <nion@debian.org>  Thu, 28 May 2009 20:45:35 +0200

drupal6 (6.11-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Fixes XSS vulnerability (Ref: SA-CORE-2009-005, CVE-2009-1575,
      CVE-2009-1576) (Closes: #526378)

 -- Luigi Gangitano <luigi@debian.org>  Mon, 04 May 2009 19:56:12 +0200

drupal6 (6.10-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - This version fixes two Windows-only security issues
      (Ref: SA-CORE-2009-003, SA-CORE-2009-004)
      Debian is not affected by this vulnerabilites

 -- Luigi Gangitano <luigi@debian.org>  Sun, 01 Mar 2009 18:26:25 +0100

drupal6 (6.9-1) unstable; urgency=low

  [ Luigi Gangitano ]  
  * New upstream release
    - Removed security patch integrate upstream
      + 12_SA-2008-073
      + 13_SA-CORE-2009-001

  * debian/cron.sh
    - Handle sites/all correctly (Closes: #513522)

 -- Luigi Gangitano <luigi@debian.org>  Mon, 16 Feb 2009 19:37:31 +0100

drupal6 (6.6-3) unstable; urgency=high

  [ Luigi Gangitano ]  
  * Urgency high due to security fixes

  * debian/patches/13_SA-CORE-2009-001
    - Added upstream patch fixing multiple vulnerabilities
      (Ref: SA-CORE-2009-001, CVE-TBD)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 16 Jan 2009 01:49:58 +0100

drupal6 (6.6-2) unstable; urgency=high

  * debian/patches/12_SA-2008-073
    - Moved NMU changes to dpatch file

  * debian/control
    - Added dependency on ${misc:Depends} to make lintian happy

  * debian/drupal6.{postinst,postrm}
    - Changed apache configuration link name to drupal6.conf, to avoid
      collision with drupal5 (Closes: #509769, #505146)
    - Set default Postgres encoding to UTF8 (Closes: #508506)

  * debian/README.Debian
    - Fixed link to installation script (Closes: 507914)

 -- Luigi Gangitano <luigi@debian.org>  Thu, 08 Jan 2009 20:49:51 +0100

drupal6 (6.6-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Urgency high because this fixes a security issue
  * Include upstream patch for SA-2008-073, to fix a security issue:
    The update system is vulnerable to Cross site request forgeries. Malicious
    users may cause the superuser (user 1) to execute old updates that may
    damage the database.
    (Ref: SA-2008-073, CVE-2008-6170, CVE-2008-6532, CVE-2008-6533) (Closes: #508473)

 -- Patrick Schoenfeld <schoenfeld@debian.org>  Fri, 12 Dec 2008 09:30:28 +0100

drupal6 (6.6-1) unstable; urgency=high

  [ Luigi Gangitano ]  
  * Urgency high due to security fixes

  * New upstream release
    - Fixes two security vulnerabilities
      (Ref: SA-2008-067, CVE-TBA) (Closes: #503222)

  * debian/drual6.postrm
    - Fixed missing -e option to make lintian happy

  * debian/patches/10_cronjob.dpatch
    - Added patch descritpion to make lintian happy

  * debian/control
    - Bumped Standard-Version to 3.8.0, no change needed

  * debian/{control,rules,links}
    - Added dependency on libjs-jquery and use jquery.js from it

 -- Luigi Gangitano <luigi@debian.org>  Fri, 24 Oct 2008 23:06:15 +0200

drupal6 (6.5-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Removed security patch integrate upstream
      + 11-SA-2008-060

 -- Luigi Gangitano <luigi@debian.org>  Mon, 20 Oct 2008 23:59:27 +0200

drupal6 (6.4-2) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * debian/patches/11-SA-2008-060
    - Added upstream patch fixing several security vulnerabilities
      (Ref: SA-2008-060, CVE-TBA) (Closes: #501640)

  * debian/README.Debian
    - Added a notice about cookie security and session.cookie_secure
      configuration (Ref: CVE-2008-3661) (Closes: #501058)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 14 Oct 2008 15:47:20 +0200

drupal6 (6.4-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Fixes several XSS vulnerabilities
      (Ref: SA-2008-047, CVE-TBD)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 15 Aug 2008 01:35:59 +0200

drupal6 (6.3-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: 465833)

  * debian/links
    - Changed files directory link to match new upstream configuration

  * debian/README.Debian
    - Fixed references to database population script and added instructions
      to enable apache2 mod_rewrite.

 -- Luigi Gangitano <luigi@debian.org>  Mon, 11 Aug 2008 19:16:04 +0200

drupal6 (6.0-1) UNRELEASED; urgency=low

  [ Luigi Gangitano ]
  * New upstream branch 6.0

  * debian/*
    - Rename file and directories from 5 to 6
    - In debian/control switch to Source: drupal6

 -- Luigi Gangitano <luigi@debian.org>  Mon, 11 Aug 2008 12:00:12 +0100

drupal5 (5.7-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Fixes several non-security related bugs (Closes: #464876)

  * debian/po/hu.po
    - Updated Hungarian debconf templates translation (Thanks to Miklos
      Lukacs) (Closes: #459378)

  * debian/cron.sh
    - Fixed cron script for multisite setup (thanks to Fernando Lucas
      Rodriguez) (Closes: #464599)

  * debian/watch
    - Removed unused 'uupdate' token

 -- Luigi Gangitano <luigi@debian.org>  Tue, 12 Feb 2008 11:40:29 +0100

drupal5 (5.6-2) unstable; urgency=low

  [ Luigi Gangitano ]
  * debian/cron.d
    - Fix typo in cron script that makes it running every minutes, set it
      to one hour (Closes: #456182)

 -- Luigi Gangitano <luigi@debian.org>  Sat, 26 Jan 2008 20:51:39 +0100

drupal5 (5.6-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes
  
  * New upstream release
    - Fixes Cross site request forgery in Aggregator module
      (Ref: SA-2008-005, CVE-TBA)
    - Fixes Cross site scripting vulnerability with IE6 and user submitted
      UTF8 input (Ref: SA-2008-006, CVE-TBA)

  * debian/cron.d
    - Run cron script every hour and not every 5 minutes (Closes: #456182)

  * debian/rules
    - Removed binary-arch section, moved all actions to binary-indep

  * debian/control
    - Swapped httpd | apache2 order to comply with policy
    - Bumped Standard-Version to 3.7.3, no change needed

 -- Luigi Gangitano <luigi@debian.org>  Fri, 11 Jan 2008 15:02:09 +0100

drupal5 (5.5-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes
  
  * New upstream release
    - Fixes SQL Injection vulnerability in contributed modules
      (Ref: DRUPAL-SA-2007-031, CVE-2007-6299)

  * debian/cron.sh
    - Added check of BASE_URL in baseurl.php (Closes: #448774)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 07 Dec 2007 21:29:18 +0100

drupal5 (5.3-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes
  
  * New upstream release
    - Fixes several security vulnerabilities
      + DRUPAL-SA-2007-024 (Ref: CVE-2007-5595)
      + DRUPAL-SA-2007-025 (Ref: CVE-2007-5593)
      + DRUPAL-SA-2007-026 (Ref: CVE-2007-5596)
      + DRUPAL-SA-2007-029 (Ref: CVE-2007-5594)
      + DRUPAL-SA-2007-030 (Ref: CVE-2007-5597)


 -- Luigi Gangitano <luigi@debian.org>  Sat, 20 Oct 2007 09:52:38 +0200

drupal5 (5.2-3) unstable; urgency=low

  * debian/drupal5.install
    - Install default robots.txt (Closes: #440291)

  * debian/control
    - Changed Recommends to postgresql

 -- Luigi Gangitano <luigi@debian.org>  Thu, 23 Aug 2007 15:44:15 +0200

drupal5 (5.2-2) unstable; urgency=low

  * debian/README.Debian
    - Fixed references to configuration directory

  * debian/etc/settings.php
    - Apply fixes from upstream version (Closes: #435433)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 27 Jul 2007 02:12:20 +0200

drupal5 (5.2-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes XSS in server variables (Ref: DRUPAL-SA-2007-018, CVE: TBD)
    - Fixes XSRF in Forms API (Ref: DRUPAL-SA-2007-017, CVE: TBD)

  * debian/copyright
    - Fixed FSF address to make lintian happy

  * debian/control
    - Removed dependencies on php4
    - Updated httpd real package dependency to apache2
    - Changed Build-Depend-Indep to Build-Depend (policy 7.6)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 27 Jul 2007 01:48:04 +0200

drupal5 (5.1-3) unstable; urgency=low

  [ Luigi Gangitano ]
  * debian/control
    - Removed dependencies on 8.1 version of postgresql packages
    - Fixed typo in postgresql-server package (Closes: #429229)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 29 Jun 2007 21:39:33 +0200

drupal5 (5.1-2) unstable; urgency=low

  [ Luigi Gangitano ]
  - debian/control
    * Added Xs-Vcs-{Svn,Browser} tags

  - debian/README.Debian
    * Added istructions on Postgres database install and PHP memory limit
      (Closes: #427001)

  [ Bart Cornelis (cobaco) ]
  - New Norwegian Bokmael translation by Hans Fredrik Nordhaug

 -- Luigi Gangitano <luigi@debian.org>  Tue, 13 Mar 2007 00:21:14 +0100

drupal5 (5.1-1) unstable; urgency=low
  
  [ Luigi Gangitano ]
  * New upstream release (Closes: #409522)

  * debian/{links,drupal5.install,cron.d,etc/apache.conf}
    - Applied patch from Karl-Heinz Nirschl fixing paths

  [ Bart Cornelis ]
  Translations
  * Updated Dutch translation by Bart Cornelis
  * Updated Japanese translation by Hideki Yamane
  * Updated German translation by  Helge Kreutzmann (Closes: #413891)
  * Updated Portuguese translation by Miguel Figueiredo (Closes: #413905)
  * New Swedisch Translation by Daniel Nylander
  * New Tamil translation by Tirumurti Vasudevan (Closes: #413824)
  * New Czech translation by Miroslav Kure (Closes: #413798)
  * New Russion translation by Yuriy Talakan (Closes: #414063)
  * New Basque translation by  Piarres Beobide (Closes: #413966)
  * New Galician translation by Jacobo Tarrio (Closes: #413764)

 -- Luigi Gangitano <luigi@debian.org>  Sat, 10 Mar 2007 20:04:24 +0100

drupal5 (5.0-1) UNRELEASED; urgency=low

  * (NOT RELEASED YET) New upstream release

  * debian/*
    - Rename file and directories from 4.7 to 5
    - In debian/control switch to Source: drupal5
    - Add watch file

  * debian/control
    - Removed Suggests on ssl enabled packages
    - Removed dependencies on apache and added dependency on httpd | apache
    - Added dependency on php4-gd | php5-gd

  * debian/{rules,drupal5.install}
    - Removed reference to not-existing directory 'database'

  * debian/patches/10_cronjob.dpatch
    - Updated patch to new cron script

 -- Luigi Gangitano <luigi@debian.org>  Fri, 26 Jan 2007 20:04:24 +0100

drupal (4.7.5-2) UNRELEASED; urgency=low

  [ Luigi Gangitano ]
  * NOT RELEASED YET

  * debian/control
    - Bumped Standards-Version to 3.7.2 (no change needed)
    - Removed dependency on postgsql-{client,server}-8.0 which is not in
      the archive anymore

  * Translations
    - Updated Dutch translations by Bart Cornelis

 -- Bart Cornelis (cobaco) <cobaco@linux.be>  Tue, 23 Jan 2007 11:50:45 +0100

drupal (4.7.5-1) unstable; urgency=low

  * New upstream release
    - Fixes Denial of Service (DRUPAL-SA-2007-002)
    - Fixes CSS Vulnerability (DRUPAL-SA-2007-001)

 -- Luigi Gangitano <luigi@debian.org>  Sun,  7 Jan 2007 00:33:33 +0100

drupal (4.7.4-3) unstable; urgency=low

  * debian/po/fr.po
    - Updated French debconf templates translation (Thanks to Thomas Huriaux)
      (Closes: #404967)
  
  * debian/control
    - Add php5 dependency (Closes: #405162)

 -- Luigi Gangitano <luigi@debian.org>  Sun,  7 Jan 2007 00:13:36 +0100

drupal (4.7.4-2) unstable; urgency=low

  * debian/control
    - Fixed dependency on postgresql-client
    - Removed dependency on makepasswd (not needed since we use
      dbconfig.common)
    - Removed dependency on php4-cli (not needed with new cron script)
    - Promote Recommends: php4 to Depends: php4

  * debian/etc/settings.php
    - Fix warning if baseurl.php does not exists

  * debian/copyright
    - Fixed copyright information as requested by ftp-master

 -- Luigi Gangitano <luigi@debian.org>  Tue,  5 Dec 2006 15:37:25 +0100

drupal (4.7.4-1) unstable; urgency=low

  * Prepare package for new inclusion in Debian
    - Thanks to Karl-Heinz Nirschl for keeping this package in his repository
      and allowing me to start from his work
    - Change (binary) package name to drupal-4.7 allowing for multiple version
      to be installed concurrently, so admins can control upgrade between
      releases
    - Add dependency on dbconfig-common and switch custom config script to use
      functions provided by dbconfig-common (Closes: #366692)
    - Removed unused templates
    - Added dependency on curl for cron script execution
    - Take over removal request (Closes: #375496)
    - Update to latest revision (Closes: #307821, #365047, #365709)

 -- Luigi Gangitano <luigi@debian.org>  Thu, 23 Nov 2006 21:53:19 +0100

drupal (4.7.4-0brainlog1) unstable; urgency=low

  * new upstream release because patches do not apply cleanly
  * fixes: DRUPAL-SA-2006-024, DRUPAL-SA-2006-025, DRUPAL-SA-2006-026

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Fri, 20 Oct 2006 19:26:16 +0200

drupal (4.7.2-0brainlog4) unstable; urgency=low

  * add security fix DRUPAL-SA-2006-011
    XSS Vulnerability in user module
  * move scripts dir to doc

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Thu,  3 Aug 2006 19:46:57 +0200

drupal (4.7.2-0brainlog3) unstable; urgency=low

  * fix initial database generation - now checks for mysql version

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Sat,  8 Jul 2006 13:13:12 +0200

drupal (4.7.2-0brainlog2) unstable; urgency=low

  * Using a fresh tarball and no .svn files.
  * Fix x. permissions.
  * Use debian mysql maint password for mysql install

 -- Tzafrir Cohen <tzafrir@cohens.org.il>  Fri,  7 Jul 2006 15:59:41 +0300

drupal (4.7.2-0brainlog1) unstable; urgency=low

  * new upstream release
  * add patch handling to package
    - make cron job less verbose

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Fri, 16 Jun 2006 17:13:50 +0200

drupal (4.7.1-0brainlog1) unstable; urgency=low

  * new upstream version

 -- Karl-Heinz Nirschl <khn@manatorg.ath.cx>  Mon, 29 May 2006 14:01:48 +0200

drupal (4.6.5-0brainlog1) unstable; urgency=low

  * update to drupal 4.6.5 (new upstream)

 -- Karl-Heinz Nirschl <khn@maggie.ubi>  Mon, 29 May 2006 13:58:55 +0200

drupal (4.6.3-0brainlog1) unstable; urgency=low

  * New upstream version (Closes: #307821)
  * based on the drupal 4.5.2-4 debian package
  * remove the auto update database stuff
  * added debconf entry for the base_url

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Thu, 29 Sep 2005 19:10:17 +0200

drupal (4.5.2-4) unstable; urgency=low

  * [Miguel Figueiredo <elmig@debianpt.org>] Added Portuguese translation
    (Closes: #301394)
  * [Valentina Commissari <ayor@quaqua.net>] Added Italian translation 
    (Closes: #301946)
  * [Gleydson Mazioli da Silva <gleydson@debian.org>] Updated Brazilian
    Portuguese translation.
  * Fixed typo in package description (Closes: #306997)

 -- Hilko Bengen <bengen@debian.org>  Thu, 19 May 2005 21:23:27 +0200

drupal (4.5.2-3) unstable; urgency=high

  * Fixes "Bypass access via comments" problem mentioned in
    http://drupal.org/node/19009.  Patch from Gerhard Killesreiter, thanks.
    I consider this a critical bug, hence urgency=high.
  * [Sergio Talens-Oliag <sto@debian.org>] Updated Spanish and Catalan
    Debconf translations and converted them to UTF-8.

 -- Hilko Bengen <bengen@debian.org>  Tue, 22 Mar 2005 11:14:36 +0100

drupal (4.5.2-2) unstable; urgency=low

  * Changed includes/bootstrap.inc: conf.php (or $site.php) is loaded from
    /etc/drupal directly, without the need for any link.
  * Removed indentations from sed script which is used to edit the
    configuration file.
  * Rolled back session.inc to version found in 4.5.1; fixes bug documented
    in http://drupal.org/node/15666
  * Added documentation about manual update procedure in README.Debian
    and Debconf templates (Closes: #293804)
  * Added documentation about adding modules and themes that are not
    part of the package.
  * NEWS.Debian mentions where to get Marvin and UnConeD themes that used
    to be part of the Drupal distribution.

 -- Hilko Bengen <bengen@debian.org>  Tue, 15 Mar 2005 15:16:26 +0100

drupal (4.5.2-1) unstable; urgency=low

  * New upstream version (Closes: #290745; That was fast, wasn't it?)
  * Updates Japanese Debconf template, thanks to Hideki Yamane 
    (Closes: #290439)
  * The config file /etc/drupal/conf.php is only generated if it hasn't
    existed. It is no longer edited.

 -- Hilko Bengen <bengen@debian.org>  Sun, 16 Jan 2005 14:49:50 +0100

drupal (4.5.1-2) unstable; urgency=low

  * /etc/drupal/conf.php is no longer a conffile (Closes: #289624)
  * Should install with mysql-client-4.1 now (Closes: #285733)

 -- Hilko Bengen <bengen@debian.org>  Wed, 12 Jan 2005 02:16:28 +0100

drupal (4.5.1-1) unstable; urgency=low

  * New upstream version (Closes: #277547, #289216, #278345)
  * Marvin and UnConeD have been split off into separate packages, as they
    are not officially supported by upstream any longer.
  * Added Japanese Debconf template (Closes: #288040)

 -- Hilko Bengen <bengen@debian.org>  Sun,  9 Jan 2005 04:21:03 +0100

drupal (4.4.2-2) unstable; urgency=low

  * Bump version dependency to 0.0.37 where better support for PostgreSQL
    is included (Closes: 263730)
  * Another patch to node.module for DB-independennce (Closes: 258015)

 -- Hilko Bengen <bengen@debian.org>  Wed, 18 Aug 2004 00:39:58 +0200

drupal (4.4.2-1) unstable; urgency=low

  * New upstream bugfix release
    - PostgreSQL support fixed in node.module
      (Closes: #258015, #258016)
  * Fixed sed statement in postinst so it will work with woody's sed.
    (Closes: #257529)
  * Depends: sharutils (Closes: #258156)
  * Cron script checks whether /usr/share/drupal/scripts/cron.sh exists
    and is executable (Closes: #251853)

 -- Hilko Bengen <bengen@debian.org>  Tue, 20 Jul 2004 00:03:06 +0200

drupal (4.4.1-3) unstable; urgency=low

  * Included Marvin and Unconed themes from contrib (Closes: #255039)

 -- Hilko Bengen <bengen@debian.org>  Mon, 28 Jun 2004 14:34:40 +0200

drupal (4.4.1-2) unstable; urgency=high

  * Applied admin_node.patch from <http://drupal.org/node/view/7096>
    against the "Invalid argument supplied for foreach() in
    /usr/share/drupal/modules/node.module" error (Closes: #242992)
  * Fixed removal of links in webserver directories
  * Shut up cron.sh (Closes: #251853)
  * Install misc/ directory (images and css) (Closes: #253550)
  * Fixed PostgreSQL removal, added some docs (Closes: #253282)

 -- Hilko Bengen <bengen@debian.org>  Thu, 10 Jun 2004 16:06:47 +0200

drupal (4.4.1-1) unstable; urgency=low

  * New upstream version (Closes: #246307)
  * Added <CR> to cron.d (Closes: #242199)
  * Create language in database/database.pgsql (Closes: #242572)
  * Fixed dependencies (Closes: #242622):
    - Depends on php4-cgi (since it's used by maintainer scripts)
    - Recommends: php4 | libapache2-mod-php4 (After all, one _can_ run
      Drupal with a PHP-CGI setup
  * Fixed generation of links in webserver directories (Closes: #249488)
  * Out-of-the-box support for multiple sites (Closes: #246009)
  * Put themes directory under /usr/share/drupal. Themes are no longer
    handled as conffiles.
  * Fixed path to database.mysql in README.Debian (Closes: #246414)

 -- Hilko Bengen <bengen@debian.org>  Tue, 25 May 2004 10:12:34 +0200

drupal (4.3.2-3) unstable; urgency=low

  * Rewrote README.Debian, copying substantial parts from the INSTALL file
    (Closes: #240505)
  * Re-added a (commented-out) directive for restricting access to
    admin.php to htaccess file

 -- Hilko Bengen <bengen@debian.org>  Sun, 28 Mar 2004 17:38:11 +0200

drupal (4.3.2-2) unstable; urgency=low

  * [Bart Cornelis <cobaco@linux.be>] Added Dutch debconf translation
    (Closes: #232230)
  * [Sergio Talens-Oliag <sto@debian.org>] Added Spanish and Catalan
    debconf translations (Closes: #235018
  * [Gleydson Mazioli da Silva <gleydson@debian.org>] Added Brazilian
    Portugese debconf translation (Closes: #185829)
  * [Christian Perrier <bubulle@debian.org>] Added French debconf translation
    (Closes: #200722)
  * Added German debconf translation

 -- Hilko Bengen <bengen@debian.org>  Tue, 16 Mar 2004 00:43:55 +0100

drupal (4.3.2-1) unstable; urgency=low

  * New maintainer (Closes: #227771)
  * New upstream release (Closes: #204241, #220066)
    - Test shows that kuro5hin RSS feed can be imported just fine
      (Closes: #184252)
    - The encoding bug in ping.module appears to have been fixed
      (Closes:  #215643)
  * Revamped installation and automatic upgrade procedure
    - Update sets password in config.php _and_ database (Closes: #193545)
    - It's possible to install the package without performing any database
      setup at all (Closes: #201202)
  * Fixed /etc/drupal/apache.conf (Closes: #219143)
  * Basic PostgreSQL support -- user and database are created
    (Closes: #186563)
  * Should work with apache2 (Closes: #235912)

 -- Hilko Bengen <bengen@debian.org>  Thu, 11 Mar 2004 17:30:11 +0100

drupal (4.1.0-10) unstable; urgency=low

  * Maintainer field set to QA Group
  * New Brazilian Portuguese debconf template translation, provided by
    Andre Luis Lopes <andrelop@debian.org>. Closes: #228109
 
 -- Emanuele Rocca <ema@debian.org>  Sun,  1 Feb 2004 20:35:04 +0100

drupal (4.1.0-9.1) unstable; urgency=low

  * NMU
  * French debconf templates translation. Closes: #200722
  * Correction to english templates for (I guess) better english and
    formulations. Closes: #186566
  * Brazilian portuguese debconf tempaltes translation. Closes: #185829

 -- Christian Perrier <bubulle@debian.org>  Tue, 16 Sep 2003 08:55:38 +0200

drupal (4.1.0-9) unstable; urgency=low

  * Two corrections in postinst to allow manually setting up the DB 
    on upgrade.
  
 -- Hugo Espuny <hec@debian.org>  Wed, 19 Mar 2003 22:02:50 +0100

drupal (4.1.0-8) unstable; urgency=low

  * Added patch from drupal.org (Closes: #185217)
  * Minor typo on apache.conf 
  * Now htaccess is set up dynamically.
  * Example of restricted admin.php is now at htaccess
  * Debconf now does not repeat questions after preconfiguring.

 -- Hugo Espuny <hec@debian.org>  Wed, 19 Mar 2003 20:09:45 +0100

drupal (4.1.0-7) unstable; urgency=high

  * Added securing point to README.Debian
  * Alias directive on /etc/drupal/apache.conf now is changed
    dynamically according with debconf question.

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 20:33:29 +0100

drupal (4.1.0-6) unstable; urgency=high

  * Corrected postrm problem whe downgrading to certain versions.

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 19:38:15 +0100

drupal (4.1.0-5) unstable; urgency=low

  * Corrected mv themes order in rules file.

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 19:22:12 +0100

drupal (4.1.0-4) unstable; urgency=low

  * Corrected themes moving engine. (Closes: #184752)
  * Themes are now configfiles (since 4.1.0-2). I forgot to say...

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 17:30:45 +0100

drupal (4.1.0-3) unstable; urgency=low

  * Updated to policy version 3.5.9

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 00:28:18 +0100

drupal (4.1.0-2) unstable; urgency=low

  * Corrected directive "AllowOverride None" to "AllowOverride All" in
    /etc/drupal/apache.conf. (Closes: #184183)
  * Corrected directive <DirectoryMatch> to <Directory> in
    /etc/drupal/apache.conf.
  * Corrected cron file, postinst and templates. Now debconf asks for the
    whole URL, not only TCP port. (Closes: #184182) (Closes: #184182)
    Thanks to John Goerzen <jgoerzen@complete.org> to point me those.  
  * News feed now works properly. (Closes: #184252) (Closes: #184253)

 -- Hugo Espuny <hec@debian.org>  Wed, 12 Mar 2003 18:25:35 +0100

drupal (4.1.0-1) unstable; urgency=high

  * New upstream version (Closes: #178506) (Closes: #173107)
  * Moved to use po-debconf.
  * Fixed README.Debian (Closes: #173103) (Closes: #184111)

 -- Hugo Espuny <hec@debian.org>  Fri,  7 Mar 2003 21:09:02 +0100

drupal (4.0-4) unstable; urgency=low

  * Corrected a bug on cron.d file. 

 -- Hugo Espuny <hec@debian.org>  Wed, 11 Dec 2002 22:39:16 +0100

drupal (4.0-3) unstable; urgency=low

   * Corrected /etc/cron.d/drupal (thanx to  Paul van Tilburg
     <paulvt@debian.org>). (Closes: #172153)
   * Corrected link in README.Debian. (Closes: #169949)
   * Changed priority to extra.
   * postrm now executes an abort install properly.
   * Updated policy standars to 3.5.8

 -- Hugo Espuny <hec@debian.org>  Tue, 10 Dec 2002 00:38:36 +0100

drupal (4.0-2) unstable; urgency=low

  * Minor typo correction in templates file.
  * Minor bug correction about webserver port in postinst.
  * Added versioned dependency on wget to support HTTPS
  * Moved update.php to /usr/share/doc/drupal/upgrades

 -- Hugo Espuny <hec@debian.org>  Wed, 30 Oct 2002 16:54:06 +0100

drupal (4.0-1) unstable; urgency=low

  * New debian package. (Closes: #164676)
  * Code taken from phpnuke package.

 -- Hugo Espuny <hec@debian.org>  Tue, 29 Oct 2002 21:21:26 +0100

