drupal7 (7.14-2+deb7u19) wheezy-security; urgency=high

  * Non-maintainer upload by the Debian LTS team.
  * Fix CVE-2018-7602: A remote code execution vulnerability exists within 
    multiple subsystems of Drupal 7.x and 8.x. This potentially allows 
    attackers to exploit multiple attack vectors on a Drupal site, 
    which could result in the site being compromised.

 -- Abhijith PA <abhijith@disroot.org>  Thu, 26 Apr 2018 03:14:26 +0530

drupal7 (7.14-2+deb7u18) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-7600: Jasper Mattsson found a remote code execution
    vulnerability in the Drupal content management system. This potentially
    allows attackers to exploit multiple attack vectors on a Drupal site, which
    could result in the site being completely compromised. For further
    information please refer to the official upstream advisory at
    https://www.drupal.org/sa-core-2018-002.

 -- Markus Koschany <apo@debian.org>  Wed, 28 Mar 2018 22:47:59 +0200

drupal7 (7.14-2+deb7u17) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Multiple vulnerabilities have been found in the Drupal content management
    framework. For additional information, please refer to the upstream advisory
    at https://www.drupal.org/sa-core-2018-001

 -- Markus Koschany <apo@debian.org>  Wed, 28 Feb 2018 12:52:49 +0100

drupal7 (7.14-2+deb7u16) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2017-6922: files uploaded by anonymous users into a private file
    system can be accessed by other anonymous users.

 -- Lucas Kanashiro <kanashiro@debian.org>  Wed, 28 Jun 2017 09:24:54 -0300

drupal7 (7.14-2+deb7u15) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2016-9449 and CVE-2016-9451:
     - Inconsistent name for term access query can lead to information
       disclosure
     - Confirmation form allows external URL injection

 -- Markus Koschany <apo@debian.org>  Mon, 21 Nov 2016 13:47:25 +0100

drupal7 (7.14-2+deb7u14) wheezy-security; urgency=high

  * CVE-2016-6211: A vulnerability existed in the User module, where if some
    specific contributed or custom code triggers a rebuild of the user profile
    form, a registered user can be granted all user roles on the site. This
    would typically result in the user gaining administrative access.

 -- Chris Lamb <lamby@debian.org>  Fri, 15 Jul 2016 09:35:17 +0200

drupal7 (7.14-2+deb7u13) wheezy-security; urgency=high

  * CVE-2015-7943: The "Overlay" module in Drupal core displays administrative
    pages as a layer over the current page (using JavaScript) rather than
    replacing the page in the browser window. The module did not sufficiently
    validate URLs prior to displaying their contents, leading to an open
    redirect vulnerability.

 -- Chris Lamb <lamby@debian.org>  Mon, 11 Jul 2016 20:18:44 +0200

drupal7 (7.14-2+deb7u12) wheezy-security; urgency=high

  * Backported from 7.43 (plus minor needed bits from 7.36 and 7.30
    in modules/file/file.module): SA-CORE-2016-001: Fixes several
    security vulnerabilities: File upload access bypass and DoS, brute
    force amplification attack via XML-RPC, open redirect via path
    manipulation, reflected file download, wrong modes set on some user
    accounts setting saves, information disclosure of email addresses.
    CVE IDs not yet assigned

 -- Gunnar Wolf <gwolf@debian.org>  Sun, 28 Feb 2016 11:52:05 -0600

drupal7 (7.14-2+deb7u11) wheezy-security; urgency=high

  * Backported from 7.39: SA-CORE-2015-003 (cross site scripting, access
    bypass, SQL injection, open redirect). CVE IDs not yet assigned.

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 27 Aug 2015 12:59:35 -0500

drupal7 (7.14-2+deb7u10) oldstable-security; urgency=high

  * Backported from 7.38: SA-CORE-2015-002 (Multiple vulnerabilities.  CVE
    IDs assigned as follows:
    + Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
    + Open redirect (Field UI module - Drupal 7): CVE-2015-3232
    + Open redirect (Overlay module - Drupal 7: CVE-2015-3233
    + Information disclosure (Render cache system - Drupal 7): CVE-2015-3231
  * Refreshed patches that are applied for the build process, lowering the
    amount of build-noise generated.

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 18 Jun 2015 09:53:59 -0500

drupal7 (7.14-2+deb7u9) wheezy-security; urgency=high

  * Backported from version 7.35 addressing SA-CORE-2015-001 (Access
    bypass on password reset URLs; Open redirect)

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 19 Mar 2015 10:04:29 -0600

drupal7 (7.14-2+deb7u8) wheezy-security; urgency=high

  * Backported from version 7.34 addressing SA-CORE-2014-006 (Session
    hijacking, denial of service)

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 19 Nov 2014 15:20:00 -0600

drupal7 (7.14-2+deb7u7) wheezy-security; urgency=critical

  * Backported from version 7.32 addressing SA-CORE-2014-005 (SQL
    injection) (CVE 2014-3704)

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 15 Oct 2014 11:43:08 -0500

drupal7 (7.14-2+deb7u6) wheezy-security; urgency=high

  * Backported from version 7.31 addressing SA-CORE-2014-004 (Denial of
    service due to a XML entity expansion attack). CVE not yet assigned.
  * Added DEP3 headers to patches created in 2014l

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 06 Aug 2014 23:28:29 -0500

drupal7 (7.14-2+deb7u5) wheezy-security; urgency=high

  * Backported from version 7.29 addressing SA-CORE-2014-003 (Denial of
    service, access bypass, 2×cross-site scripting). CVE not yet assigned.

 -- Gunnar Wolf <gwolf@debian.org>  Thu, 17 Jul 2014 12:14:56 -0500

drupal7 (7.14-2+deb7u4) wheezy-security; urgency=high

  * Backported from version 7.27 addressing an information disclosure
    vulnerability; (CVE-2014-2983, SA-CORE-2014-002)
  * Fixed a regression caused by the backported 7.27 fix which breaks
    IE8 (see https://drupal.org/node/2245331#comment-8699683)
  * deb7u3 version skipped due to a botched upload :-|

 -- Gunnar Wolf <gwolf@debian.org>  Mon, 21 Apr 2014 19:25:19 -0500

drupal7 (7.14-2+deb7u2) wheezy-security; urgency=high

  * Backported fixes from version 7.26 addressing several security
    vulnerabilities; see advisory in https://drupal.org/SA-CORE-2014-001
    + Impersionation while using OpenID  (CVE-2014-1475)
    + Access bypass in the taxonomy module (CVE-2014-1476)
    + Security hardening in the Form API

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 15 Jan 2014 17:35:44 -0600

drupal7 (7.14-2+deb7u1) wheezy-security; urgency=high

  * Backported fixes from version 7.24 addresing several security
    vulnerabilities (SA-CORE-2013-003), including:
    * Multiple vulnerabilities due to optimistic cross-site request forgery
      protection (Form API validation) (CVE-2013-6385)
    * Multiple vulnerabilities due to weakness in pseudorandom number
      generation using mt_rand() (Form API, OpenID and random password
      generation - Drupal 6 and 7) (CVE-2013-6386)
    * Code execution prevention (Files directory .htaccess for Apache -
      (security hardening)
    * Access bypass (Security token validation)
      Treating as security hardening
    * Cross-site scripting (Image module) (CVE-2013-6387).
    * Cross-site scripting (Color module) (CVE-2013-6388).
    * Open redirect (Overlay module) (CVE-2013-6389).

 -- Gunnar Wolf <gwolf@debian.org>  Wed, 23 Nov 2013 11:37:27 -0600

drupal7 (7.14-2) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * Acknowledge NMUs from Gunnar Wolf

  * Incorporated fix for DoS on image derivative generation
    (Ref: SA-CORE-2013-002, CVE-2013-0316) (Closes: #701165)

  * Removed update warnings for Drupal core, since security fixes are provided
    by Debian updates. (Closes: #700545)

 -- Luigi Gangitano <luigi@debian.org>  Sat, 23 Feb 2013 15:12:35 +0100

drupal7 (7.14-1.3) unstable; urgency=low

  * Non-maintainer upload.
  * Incorporated the fix for SA-CORE-2013-001 (the full diff between 7.18
    and 7.19) (Closes: #698334)
  * Added the missing DEP3 header to the patch introduced in 7.14-1.2

 -- Gunnar Wolf <gwolf@debian.org>  Tue, 29 Jan 2013 12:21:13 -0600

drupal7 (7.14-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Incorporated the fix for SA-CORE-2012-004 (the full diff between
    7.17 and 7.18)

 -- Gunnar Wolf <gwolf@debian.org>  Fri, 11 Jan 2013 17:57:47 -0600

drupal7 (7.14-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Incorporated the fix for SA-CORE-2012-003 (the full diff between
    7.15 and 7.16)

 -- Gunnar Wolf <gwolf@debian.org>  Fri, 19 Oct 2012 13:08:29 -0500

drupal7 (7.14-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes DoS, Unvalidated Form Redirect, Multiple Vulnerabilities
      (Ref: SA-CORE-2012-002, CVE-2012-1588,CVE-2012-1589, CVE-2012-1590,i
       CVE-2012-1591) (Closes: #671402)
    - Fixes errors in install.php (Closes: #670415)

  * debian/control
    - Bumped Standard-Version to 3.9.3.0, no change needed

 -- Luigi Gangitano <luigi@debian.org>  Thu, 10 May 2012 20:21:41 +0200

drupal7 (7.12-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release

 -- Luigi Gangitano <luigi@debian.org>  Thu, 15 Feb 2012 21:51:54 +0100

drupal7 (7.11-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
      (Ref: SA-CORE-2012-001, CVE-2012-0825, CVE-2012-0826, CVE-2012-0827)
      (Closes: #658337)

 -- Luigi Gangitano <luigi@debian.org>  Sun, 05 Feb 2012 18:16:47 +0100

drupal7 (7.10-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * debian/rules: set PACKAGE variable. (Closes: #655794)
  * Remove debian/README.source (no longer uses dpatch).

 -- Ansgar Burchardt <ansgar@debian.org>  Sat, 21 Jan 2012 12:02:49 +0100

drupal7 (7.10-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (closes: #652544)

  * debian/*
    - Switch to source format 3.0 (quilt)

 -- Luigi Gangitano <luigi@debian.org>  Mon, 26 Dec 2011 17:48:10 +0100

drupal7 (7.9-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: #647168)

  * debian/{cron.sh,README.Debian,etc/settings.php}
    - Added secret key in cron job (Closes: 639387)
      (thanks to  Christoph Schindler)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 02 Nov 2011 18:48:16 +0100

drupal7 (7.8-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: #640078)

  * debian/docs
    - Removed duplicate CHANGELOG entry

  * debian/rules
    - Added missing targets binary-arch build-arch build-indep

 -- Luigi Gangitano <luigi@debian.org>  Sun, 04 Sep 2011 21:22:24 +0200

drupal7 (7.6-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes access bypass in private file fields and comments
      (Ref: SA-CORE-2011-003, CVE-TBA)

 -- Luigi Gangitano <luigi@debian.org>  Thu, 28 Jul 2011 02:17:32 +0200

drupal7 (7.4-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release (Closes: #633385)

  * debian/control
    - Bumped Standard-Version to 3.9.2.0, no change needed

  * debian/drupal7.{config,install,postinst,postrm}
    - Renamed apache.conf to apache2.conf (Closes: #632925)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 13 Jul 2011 16:15:35 +0200

drupal7 (7.2-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release

  * debian/patches/30_DFSG-sources
    - Added uncompressed sources of javascript files

  * debian/control
    - Removed article from start of description

 -- Luigi Gangitano <luigi@debian.org>  Mon, 20 Jun 2011 02:05:42 +0200

drupal7 (7.0-2) unstable; urgency=low

  * debian/copyright
    - Added copyright notices for include JQuery libraries

 -- Luigi Gangitano <luigi@debian.org>  Sun, 15 May 2011 23:55:24 +0200

drupal7 (7.0-1) unstable; urgency=low

  * New upstream release

  [ Luigi Gangitano ]
  * debian/etc/settings.php
    - Updated default configuration file

  * debian/drupal.{dirs,links,install,postinst,postrm}
    - Removed automatic link from apache2 configuration file

  * debian/README.Debian
    - Added instructions on how to enable drupal in Apache2

  * debian/{drupal7.postinst,docs,dbconfig.template}
    - Generate database configuration from template

  [ Kinga Marjai ]
  * debian/control
    - Removed dependency on exim4, now depends on default-mda
    - Bumped Standard-Version to 3.9.1, no change needed

  * debian/drupal6.postrm
    - Made postrm check for restart.sh in case dependencies were not properly
      installed (thanks to Bhavani Shankar.R, from Ubuntu)

  * debian/cron.sh
    - Added --fail option to curl to work around missing base_url in
      configuration files

  * debian/cron.d
    - Fixed conditional to avoid warnings on removed package

 -- Luigi Gangitano <luigi@debian.org>  Sat, 05 Mar 2011 17:43:23 +0100

drupal7 (7.0~alpha2-1) UNRELEASED; urgency=low

  [ Luigi Gangitano ]
  * New upstream branch 7.0

  * debian/*
    - Rename file and directories from 6 to 7
    - In debian/control switch to Source: drupal7

  * debian/etc/settings.php
    - Updated default configuration file

  [ Kinga Marjai ]
  * debian/rules
    - Don't set debconf version dependency

 -- Luigi Gangitano <luigi@debian.org>  Tue,  3 Mar 2010 22:59:34 +0100

drupal6 (6.15-2) UNRELEASED; urgency=low

  [ Alexandre De Dommelin ]
  * Added patch to remove warnings about Drupal core updates (Closes: #521288)
  * Bump Standards-Version from 3.8.3 to 3.8.4 (no changes needed)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 10 Feb 2010 17:11:35 +0100

drupal6 (6.15-1) unstable; urgency=low

  * New upstream release (Closes: #561726)
    - Fixes several XSS vulnerabilities (Closes: #562165)
      (Ref: SA-CORE-2009-009, CVE-2009-4369, CVE-2009-4370, CVE-2009-4371)

  * debian/rules
    - Use dh_prep instead of dh_clean -k

  * debian/control
    - Upgraded versioned dependency on debhelper to 7

  * debian/README.source
    - Added directions on source handling

 -- Luigi Gangitano <luigi@debian.org>  Mon, 11 Jan 2010 19:47:13 +0100

drupal6 (6.14-1) unstable; urgency=low

  * New upstream release
    - Removed security patches integrate upstream
      + 20_SA-CORE-2009-007
    - Fixes multiple vulnerabilities (Ref: SA-CORE-2009-008)
      (Closes: #547140)

  * debian/control
    - Bumped Standard-Version to 3.8.3, no change needed

  * debian/compat
    - Switch debhelper compatibility to 7

  * debian/copyright
    - Added reference to copyright file with version

 -- Luigi Gangitano <luigi@debian.org>  Sun, 20 Sep 2009 04:57:57 +0200

drupal6 (6.13-1) UNRELEASED; urgency=low

  * New upstream release

 -- Luigi Gangitano <luigi@debian.org>  Mon, 13 Jul 2009 19:42:38 +0200

drupal6 (6.12-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Apply upstream patch to fix:
    - XSS in the forum module
    - Input format access bypass via signatures
    - Password leakage via URLs
    (no CVE id yet; SA-CORE-2009-007; Closes: #535435).

 -- Nico Golde <nion@debian.org>  Mon, 06 Jul 2009 20:27:45 +0200

drupal6 (6.12-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: #529309)
    (Acknoledges NMU by Security Team) (Closes: #531386)
    - Removed security patch integrate upstream
      + 20_xss

  * debian/{control,rules,links}
    - Removed dependency on libjs-jquery and use jquery.js from drupal
      sources to avoid conflict with newer version of jquery
      (Closes: #530779)

 -- Luigi Gangitano <luigi@debian.org>  Tue, 02 Jun 2009 18:25:58 +0200

drupal6 (6.11-1.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix several XSS issues (SA-CORE-2009-006; Closes: #529190).

 -- Nico Golde <nion@debian.org>  Thu, 28 May 2009 20:45:35 +0200

drupal6 (6.11-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Fixes XSS vulnerability (Ref: SA-CORE-2009-005, CVE-2009-1575,
      CVE-2009-1576) (Closes: #526378)

 -- Luigi Gangitano <luigi@debian.org>  Mon, 04 May 2009 19:56:12 +0200

drupal6 (6.10-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - This version fixes two Windows-only security issues
      (Ref: SA-CORE-2009-003, SA-CORE-2009-004)
      Debian is not affected by this vulnerabilites

 -- Luigi Gangitano <luigi@debian.org>  Sun, 01 Mar 2009 18:26:25 +0100

drupal6 (6.9-1) unstable; urgency=low

  [ Luigi Gangitano ]  
  * New upstream release
    - Removed security patch integrate upstream
      + 12_SA-2008-073
      + 13_SA-CORE-2009-001

  * debian/cron.sh
    - Handle sites/all correctly (Closes: #513522)

 -- Luigi Gangitano <luigi@debian.org>  Mon, 16 Feb 2009 19:37:31 +0100

drupal6 (6.6-3) unstable; urgency=high

  [ Luigi Gangitano ]  
  * Urgency high due to security fixes

  * debian/patches/13_SA-CORE-2009-001
    - Added upstream patch fixing multiple vulnerabilities
      (Ref: SA-CORE-2009-001, CVE-TBD)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 16 Jan 2009 01:49:58 +0100

drupal6 (6.6-2) unstable; urgency=high

  * debian/patches/12_SA-2008-073
    - Moved NMU changes to dpatch file

  * debian/control
    - Added dependency on ${misc:Depends} to make lintian happy

  * debian/drupal6.{postinst,postrm}
    - Changed apache configuration link name to drupal6.conf, to avoid
      collision with drupal5 (Closes: #509769, #505146)
    - Set default Postgres encoding to UTF8 (Closes: #508506)

  * debian/README.Debian
    - Fixed link to installation script (Closes: 507914)

 -- Luigi Gangitano <luigi@debian.org>  Thu, 08 Jan 2009 20:49:51 +0100

drupal6 (6.6-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Urgency high because this fixes a security issue
  * Include upstream patch for SA-2008-073, to fix a security issue:
    The update system is vulnerable to Cross site request forgeries. Malicious
    users may cause the superuser (user 1) to execute old updates that may
    damage the database.
    (Ref: SA-2008-073, CVE-2008-6170, CVE-2008-6532, CVE-2008-6533) (Closes: #508473)

 -- Patrick Schoenfeld <schoenfeld@debian.org>  Fri, 12 Dec 2008 09:30:28 +0100

drupal6 (6.6-1) unstable; urgency=high

  [ Luigi Gangitano ]  
  * Urgency high due to security fixes

  * New upstream release
    - Fixes two security vulnerabilities
      (Ref: SA-2008-067, CVE-TBA) (Closes: #503222)

  * debian/drual6.postrm
    - Fixed missing -e option to make lintian happy

  * debian/patches/10_cronjob.dpatch
    - Added patch descritpion to make lintian happy

  * debian/control
    - Bumped Standard-Version to 3.8.0, no change needed

  * debian/{control,rules,links}
    - Added dependency on libjs-jquery and use jquery.js from it

 -- Luigi Gangitano <luigi@debian.org>  Fri, 24 Oct 2008 23:06:15 +0200

drupal6 (6.5-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Removed security patch integrate upstream
      + 11-SA-2008-060

 -- Luigi Gangitano <luigi@debian.org>  Mon, 20 Oct 2008 23:59:27 +0200

drupal6 (6.4-2) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * debian/patches/11-SA-2008-060
    - Added upstream patch fixing several security vulnerabilities
      (Ref: SA-2008-060, CVE-TBA) (Closes: #501640)

  * debian/README.Debian
    - Added a notice about cookie security and session.cookie_secure
      configuration (Ref: CVE-2008-3661) (Closes: #501058)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 14 Oct 2008 15:47:20 +0200

drupal6 (6.4-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Fixes several XSS vulnerabilities
      (Ref: SA-2008-047, CVE-TBD)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 15 Aug 2008 01:35:59 +0200

drupal6 (6.3-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release (Closes: 465833)

  * debian/links
    - Changed files directory link to match new upstream configuration

  * debian/README.Debian
    - Fixed references to database population script and added instructions
      to enable apache2 mod_rewrite.

 -- Luigi Gangitano <luigi@debian.org>  Mon, 11 Aug 2008 19:16:04 +0200

drupal6 (6.0-1) UNRELEASED; urgency=low

  [ Luigi Gangitano ]
  * New upstream branch 6.0

  * debian/*
    - Rename file and directories from 5 to 6
    - In debian/control switch to Source: drupal6

 -- Luigi Gangitano <luigi@debian.org>  Mon, 11 Aug 2008 12:00:12 +0100

drupal5 (5.7-1) unstable; urgency=low

  [ Luigi Gangitano ]
  * New upstream release
    - Fixes several non-security related bugs (Closes: #464876)

  * debian/po/hu.po
    - Updated Hungarian debconf templates translation (Thanks to Miklos
      Lukacs) (Closes: #459378)

  * debian/cron.sh
    - Fixed cron script for multisite setup (thanks to Fernando Lucas
      Rodriguez) (Closes: #464599)

  * debian/watch
    - Removed unused 'uupdate' token

 -- Luigi Gangitano <luigi@debian.org>  Tue, 12 Feb 2008 11:40:29 +0100

drupal5 (5.6-2) unstable; urgency=low

  [ Luigi Gangitano ]
  * debian/cron.d
    - Fix typo in cron script that makes it running every minutes, set it
      to one hour (Closes: #456182)

 -- Luigi Gangitano <luigi@debian.org>  Sat, 26 Jan 2008 20:51:39 +0100

drupal5 (5.6-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes
  
  * New upstream release
    - Fixes Cross site request forgery in Aggregator module
      (Ref: SA-2008-005, CVE-TBA)
    - Fixes Cross site scripting vulnerability with IE6 and user submitted
      UTF8 input (Ref: SA-2008-006, CVE-TBA)

  * debian/cron.d
    - Run cron script every hour and not every 5 minutes (Closes: #456182)

  * debian/rules
    - Removed binary-arch section, moved all actions to binary-indep

  * debian/control
    - Swapped httpd | apache2 order to comply with policy
    - Bumped Standard-Version to 3.7.3, no change needed

 -- Luigi Gangitano <luigi@debian.org>  Fri, 11 Jan 2008 15:02:09 +0100

drupal5 (5.5-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes
  
  * New upstream release
    - Fixes SQL Injection vulnerability in contributed modules
      (Ref: DRUPAL-SA-2007-031, CVE-2007-6299)

  * debian/cron.sh
    - Added check of BASE_URL in baseurl.php (Closes: #448774)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 07 Dec 2007 21:29:18 +0100

drupal5 (5.3-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes
  
  * New upstream release
    - Fixes several security vulnerabilities
      + DRUPAL-SA-2007-024 (Ref: CVE-2007-5595)
      + DRUPAL-SA-2007-025 (Ref: CVE-2007-5593)
      + DRUPAL-SA-2007-026 (Ref: CVE-2007-5596)
      + DRUPAL-SA-2007-029 (Ref: CVE-2007-5594)
      + DRUPAL-SA-2007-030 (Ref: CVE-2007-5597)


 -- Luigi Gangitano <luigi@debian.org>  Sat, 20 Oct 2007 09:52:38 +0200

drupal5 (5.2-3) unstable; urgency=low

  * debian/drupal5.install
    - Install default robots.txt (Closes: #440291)

  * debian/control
    - Changed Recommends to postgresql

 -- Luigi Gangitano <luigi@debian.org>  Thu, 23 Aug 2007 15:44:15 +0200

drupal5 (5.2-2) unstable; urgency=low

  * debian/README.Debian
    - Fixed references to configuration directory

  * debian/etc/settings.php
    - Apply fixes from upstream version (Closes: #435433)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 27 Jul 2007 02:12:20 +0200

drupal5 (5.2-1) unstable; urgency=high

  [ Luigi Gangitano ]
  * Urgency high due to security fixes

  * New upstream release
    - Fixes XSS in server variables (Ref: DRUPAL-SA-2007-018, CVE: TBD)
    - Fixes XSRF in Forms API (Ref: DRUPAL-SA-2007-017, CVE: TBD)

  * debian/copyright
    - Fixed FSF address to make lintian happy

  * debian/control
    - Removed dependencies on php4
    - Updated httpd real package dependency to apache2
    - Changed Build-Depend-Indep to Build-Depend (policy 7.6)

 -- Luigi Gangitano <luigi@debian.org>  Fri, 27 Jul 2007 01:48:04 +0200

drupal5 (5.1-3) unstable; urgency=low

  [ Luigi Gangitano ]
  * debian/control
    - Removed dependencies on 8.1 version of postgresql packages
    - Fixed typo in postgresql-server package (Closes: #429229)

 -- Luigi Gangitano <luigi@debian.org>  Wed, 29 Jun 2007 21:39:33 +0200

drupal5 (5.1-2) unstable; urgency=low

  [ Luigi Gangitano ]
  - debian/control
    * Added Xs-Vcs-{Svn,Browser} tags

  - debian/README.Debian
    * Added istructions on Postgres database install and PHP memory limit
      (Closes: #427001)

  [ Bart Cornelis (cobaco) ]
  - New Norwegian Bokmael translation by Hans Fredrik Nordhaug

 -- Luigi Gangitano <luigi@debian.org>  Tue, 13 Mar 2007 00:21:14 +0100

drupal5 (5.1-1) unstable; urgency=low
  
  [ Luigi Gangitano ]
  * New upstream release (Closes: #409522)

  * debian/{links,drupal5.install,cron.d,etc/apache.conf}
    - Applied patch from Karl-Heinz Nirschl fixing paths

  [ Bart Cornelis ]
  Translations
  * Updated Dutch translation by Bart Cornelis
  * Updated Japanese translation by Hideki Yamane
  * Updated German translation by  Helge Kreutzmann (Closes: #413891)
  * Updated Portuguese translation by Miguel Figueiredo (Closes: #413905)
  * New Swedisch Translation by Daniel Nylander
  * New Tamil translation by Tirumurti Vasudevan (Closes: #413824)
  * New Czech translation by Miroslav Kure (Closes: #413798)
  * New Russion translation by Yuriy Talakan (Closes: #414063)
  * New Basque translation by  Piarres Beobide (Closes: #413966)
  * New Galician translation by Jacobo Tarrio (Closes: #413764)

 -- Luigi Gangitano <luigi@debian.org>  Sat, 10 Mar 2007 20:04:24 +0100

drupal5 (5.0-1) UNRELEASED; urgency=low

  * (NOT RELEASED YET) New upstream release

  * debian/*
    - Rename file and directories from 4.7 to 5
    - In debian/control switch to Source: drupal5
    - Add watch file

  * debian/control
    - Removed Suggests on ssl enabled packages
    - Removed dependencies on apache and added dependency on httpd | apache
    - Added dependency on php4-gd | php5-gd

  * debian/{rules,drupal5.install}
    - Removed reference to not-existing directory 'database'

  * debian/patches/10_cronjob.dpatch
    - Updated patch to new cron script

 -- Luigi Gangitano <luigi@debian.org>  Fri, 26 Jan 2007 20:04:24 +0100

drupal (4.7.5-2) UNRELEASED; urgency=low

  [ Luigi Gangitano ]
  * NOT RELEASED YET

  * debian/control
    - Bumped Standards-Version to 3.7.2 (no change needed)
    - Removed dependency on postgsql-{client,server}-8.0 which is not in
      the archive anymore

  * Translations
    - Updated Dutch translations by Bart Cornelis

 -- Bart Cornelis (cobaco) <cobaco@linux.be>  Tue, 23 Jan 2007 11:50:45 +0100

drupal (4.7.5-1) unstable; urgency=low

  * New upstream release
    - Fixes Denial of Service (DRUPAL-SA-2007-002)
    - Fixes CSS Vulnerability (DRUPAL-SA-2007-001)

 -- Luigi Gangitano <luigi@debian.org>  Sun,  7 Jan 2007 00:33:33 +0100

drupal (4.7.4-3) unstable; urgency=low

  * debian/po/fr.po
    - Updated French debconf templates translation (Thanks to Thomas Huriaux)
      (Closes: #404967)
  
  * debian/control
    - Add php5 dependency (Closes: #405162)

 -- Luigi Gangitano <luigi@debian.org>  Sun,  7 Jan 2007 00:13:36 +0100

drupal (4.7.4-2) unstable; urgency=low

  * debian/control
    - Fixed dependency on postgresql-client
    - Removed dependency on makepasswd (not needed since we use
      dbconfig.common)
    - Removed dependency on php4-cli (not needed with new cron script)
    - Promote Recommends: php4 to Depends: php4

  * debian/etc/settings.php
    - Fix warning if baseurl.php does not exists

  * debian/copyright
    - Fixed copyright information as requested by ftp-master

 -- Luigi Gangitano <luigi@debian.org>  Tue,  5 Dec 2006 15:37:25 +0100

drupal (4.7.4-1) unstable; urgency=low

  * Prepare package for new inclusion in Debian
    - Thanks to Karl-Heinz Nirschl for keeping this package in his repository
      and allowing me to start from his work
    - Change (binary) package name to drupal-4.7 allowing for multiple version
      to be installed concurrently, so admins can control upgrade between
      releases
    - Add dependency on dbconfig-common and switch custom config script to use
      functions provided by dbconfig-common (Closes: #366692)
    - Removed unused templates
    - Added dependency on curl for cron script execution
    - Take over removal request (Closes: #375496)
    - Update to latest revision (Closes: #307821, #365047, #365709)

 -- Luigi Gangitano <luigi@debian.org>  Thu, 23 Nov 2006 21:53:19 +0100

drupal (4.7.4-0brainlog1) unstable; urgency=low

  * new upstream release because patches do not apply cleanly
  * fixes: DRUPAL-SA-2006-024, DRUPAL-SA-2006-025, DRUPAL-SA-2006-026

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Fri, 20 Oct 2006 19:26:16 +0200

drupal (4.7.2-0brainlog4) unstable; urgency=low

  * add security fix DRUPAL-SA-2006-011
    XSS Vulnerability in user module
  * move scripts dir to doc

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Thu,  3 Aug 2006 19:46:57 +0200

drupal (4.7.2-0brainlog3) unstable; urgency=low

  * fix initial database generation - now checks for mysql version

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Sat,  8 Jul 2006 13:13:12 +0200

drupal (4.7.2-0brainlog2) unstable; urgency=low

  * Using a fresh tarball and no .svn files.
  * Fix x. permissions.
  * Use debian mysql maint password for mysql install

 -- Tzafrir Cohen <tzafrir@cohens.org.il>  Fri,  7 Jul 2006 15:59:41 +0300

drupal (4.7.2-0brainlog1) unstable; urgency=low

  * new upstream release
  * add patch handling to package
    - make cron job less verbose

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Fri, 16 Jun 2006 17:13:50 +0200

drupal (4.7.1-0brainlog1) unstable; urgency=low

  * new upstream version

 -- Karl-Heinz Nirschl <khn@manatorg.ath.cx>  Mon, 29 May 2006 14:01:48 +0200

drupal (4.6.5-0brainlog1) unstable; urgency=low

  * update to drupal 4.6.5 (new upstream)

 -- Karl-Heinz Nirschl <khn@maggie.ubi>  Mon, 29 May 2006 13:58:55 +0200

drupal (4.6.3-0brainlog1) unstable; urgency=low

  * New upstream version (Closes: #307821)
  * based on the drupal 4.5.2-4 debian package
  * remove the auto update database stuff
  * added debconf entry for the base_url

 -- Karl-Heinz Nirschl <khn@bluejack.ath.cx>  Thu, 29 Sep 2005 19:10:17 +0200

drupal (4.5.2-4) unstable; urgency=low

  * [Miguel Figueiredo <elmig@debianpt.org>] Added Portuguese translation
    (Closes: #301394)
  * [Valentina Commissari <ayor@quaqua.net>] Added Italian translation 
    (Closes: #301946)
  * [Gleydson Mazioli da Silva <gleydson@debian.org>] Updated Brazilian
    Portuguese translation.
  * Fixed typo in package description (Closes: #306997)

 -- Hilko Bengen <bengen@debian.org>  Thu, 19 May 2005 21:23:27 +0200

drupal (4.5.2-3) unstable; urgency=high

  * Fixes "Bypass access via comments" problem mentioned in
    http://drupal.org/node/19009.  Patch from Gerhard Killesreiter, thanks.
    I consider this a critical bug, hence urgency=high.
  * [Sergio Talens-Oliag <sto@debian.org>] Updated Spanish and Catalan
    Debconf translations and converted them to UTF-8.

 -- Hilko Bengen <bengen@debian.org>  Tue, 22 Mar 2005 11:14:36 +0100

drupal (4.5.2-2) unstable; urgency=low

  * Changed includes/bootstrap.inc: conf.php (or $site.php) is loaded from
    /etc/drupal directly, without the need for any link.
  * Removed indentations from sed script which is used to edit the
    configuration file.
  * Rolled back session.inc to version found in 4.5.1; fixes bug documented
    in http://drupal.org/node/15666
  * Added documentation about manual update procedure in README.Debian
    and Debconf templates (Closes: #293804)
  * Added documentation about adding modules and themes that are not
    part of the package.
  * NEWS.Debian mentions where to get Marvin and UnConeD themes that used
    to be part of the Drupal distribution.

 -- Hilko Bengen <bengen@debian.org>  Tue, 15 Mar 2005 15:16:26 +0100

drupal (4.5.2-1) unstable; urgency=low

  * New upstream version (Closes: #290745; That was fast, wasn't it?)
  * Updates Japanese Debconf template, thanks to Hideki Yamane 
    (Closes: #290439)
  * The config file /etc/drupal/conf.php is only generated if it hasn't
    existed. It is no longer edited.

 -- Hilko Bengen <bengen@debian.org>  Sun, 16 Jan 2005 14:49:50 +0100

drupal (4.5.1-2) unstable; urgency=low

  * /etc/drupal/conf.php is no longer a conffile (Closes: #289624)
  * Should install with mysql-client-4.1 now (Closes: #285733)

 -- Hilko Bengen <bengen@debian.org>  Wed, 12 Jan 2005 02:16:28 +0100

drupal (4.5.1-1) unstable; urgency=low

  * New upstream version (Closes: #277547, #289216, #278345)
  * Marvin and UnConeD have been split off into separate packages, as they
    are not officially supported by upstream any longer.
  * Added Japanese Debconf template (Closes: #288040)

 -- Hilko Bengen <bengen@debian.org>  Sun,  9 Jan 2005 04:21:03 +0100

drupal (4.4.2-2) unstable; urgency=low

  * Bump version dependency to 0.0.37 where better support for PostgreSQL
    is included (Closes: 263730)
  * Another patch to node.module for DB-independennce (Closes: 258015)

 -- Hilko Bengen <bengen@debian.org>  Wed, 18 Aug 2004 00:39:58 +0200

drupal (4.4.2-1) unstable; urgency=low

  * New upstream bugfix release
    - PostgreSQL support fixed in node.module
      (Closes: #258015, #258016)
  * Fixed sed statement in postinst so it will work with woody's sed.
    (Closes: #257529)
  * Depends: sharutils (Closes: #258156)
  * Cron script checks whether /usr/share/drupal/scripts/cron.sh exists
    and is executable (Closes: #251853)

 -- Hilko Bengen <bengen@debian.org>  Tue, 20 Jul 2004 00:03:06 +0200

drupal (4.4.1-3) unstable; urgency=low

  * Included Marvin and Unconed themes from contrib (Closes: #255039)

 -- Hilko Bengen <bengen@debian.org>  Mon, 28 Jun 2004 14:34:40 +0200

drupal (4.4.1-2) unstable; urgency=high

  * Applied admin_node.patch from <http://drupal.org/node/view/7096>
    against the "Invalid argument supplied for foreach() in
    /usr/share/drupal/modules/node.module" error (Closes: #242992)
  * Fixed removal of links in webserver directories
  * Shut up cron.sh (Closes: #251853)
  * Install misc/ directory (images and css) (Closes: #253550)
  * Fixed PostgreSQL removal, added some docs (Closes: #253282)

 -- Hilko Bengen <bengen@debian.org>  Thu, 10 Jun 2004 16:06:47 +0200

drupal (4.4.1-1) unstable; urgency=low

  * New upstream version (Closes: #246307)
  * Added <CR> to cron.d (Closes: #242199)
  * Create language in database/database.pgsql (Closes: #242572)
  * Fixed dependencies (Closes: #242622):
    - Depends on php4-cgi (since it's used by maintainer scripts)
    - Recommends: php4 | libapache2-mod-php4 (After all, one _can_ run
      Drupal with a PHP-CGI setup
  * Fixed generation of links in webserver directories (Closes: #249488)
  * Out-of-the-box support for multiple sites (Closes: #246009)
  * Put themes directory under /usr/share/drupal. Themes are no longer
    handled as conffiles.
  * Fixed path to database.mysql in README.Debian (Closes: #246414)

 -- Hilko Bengen <bengen@debian.org>  Tue, 25 May 2004 10:12:34 +0200

drupal (4.3.2-3) unstable; urgency=low

  * Rewrote README.Debian, copying substantial parts from the INSTALL file
    (Closes: #240505)
  * Re-added a (commented-out) directive for restricting access to
    admin.php to htaccess file

 -- Hilko Bengen <bengen@debian.org>  Sun, 28 Mar 2004 17:38:11 +0200

drupal (4.3.2-2) unstable; urgency=low

  * [Bart Cornelis <cobaco@linux.be>] Added Dutch debconf translation
    (Closes: #232230)
  * [Sergio Talens-Oliag <sto@debian.org>] Added Spanish and Catalan
    debconf translations (Closes: #235018
  * [Gleydson Mazioli da Silva <gleydson@debian.org>] Added Brazilian
    Portugese debconf translation (Closes: #185829)
  * [Christian Perrier <bubulle@debian.org>] Added French debconf translation
    (Closes: #200722)
  * Added German debconf translation

 -- Hilko Bengen <bengen@debian.org>  Tue, 16 Mar 2004 00:43:55 +0100

drupal (4.3.2-1) unstable; urgency=low

  * New maintainer (Closes: #227771)
  * New upstream release (Closes: #204241, #220066)
    - Test shows that kuro5hin RSS feed can be imported just fine
      (Closes: #184252)
    - The encoding bug in ping.module appears to have been fixed
      (Closes:  #215643)
  * Revamped installation and automatic upgrade procedure
    - Update sets password in config.php _and_ database (Closes: #193545)
    - It's possible to install the package without performing any database
      setup at all (Closes: #201202)
  * Fixed /etc/drupal/apache.conf (Closes: #219143)
  * Basic PostgreSQL support -- user and database are created
    (Closes: #186563)
  * Should work with apache2 (Closes: #235912)

 -- Hilko Bengen <bengen@debian.org>  Thu, 11 Mar 2004 17:30:11 +0100

drupal (4.1.0-10) unstable; urgency=low

  * Maintainer field set to QA Group
  * New Brazilian Portuguese debconf template translation, provided by
    Andre Luis Lopes <andrelop@debian.org>. Closes: #228109
 
 -- Emanuele Rocca <ema@debian.org>  Sun,  1 Feb 2004 20:35:04 +0100

drupal (4.1.0-9.1) unstable; urgency=low

  * NMU
  * French debconf templates translation. Closes: #200722
  * Correction to english templates for (I guess) better english and
    formulations. Closes: #186566
  * Brazilian portuguese debconf tempaltes translation. Closes: #185829

 -- Christian Perrier <bubulle@debian.org>  Tue, 16 Sep 2003 08:55:38 +0200

drupal (4.1.0-9) unstable; urgency=low

  * Two corrections in postinst to allow manually setting up the DB 
    on upgrade.
  
 -- Hugo Espuny <hec@debian.org>  Wed, 19 Mar 2003 22:02:50 +0100

drupal (4.1.0-8) unstable; urgency=low

  * Added patch from drupal.org (Closes: #185217)
  * Minor typo on apache.conf 
  * Now htaccess is set up dynamically.
  * Example of restricted admin.php is now at htaccess
  * Debconf now does not repeat questions after preconfiguring.

 -- Hugo Espuny <hec@debian.org>  Wed, 19 Mar 2003 20:09:45 +0100

drupal (4.1.0-7) unstable; urgency=high

  * Added securing point to README.Debian
  * Alias directive on /etc/drupal/apache.conf now is changed
    dynamically according with debconf question.

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 20:33:29 +0100

drupal (4.1.0-6) unstable; urgency=high

  * Corrected postrm problem whe downgrading to certain versions.

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 19:38:15 +0100

drupal (4.1.0-5) unstable; urgency=low

  * Corrected mv themes order in rules file.

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 19:22:12 +0100

drupal (4.1.0-4) unstable; urgency=low

  * Corrected themes moving engine. (Closes: #184752)
  * Themes are now configfiles (since 4.1.0-2). I forgot to say...

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 17:30:45 +0100

drupal (4.1.0-3) unstable; urgency=low

  * Updated to policy version 3.5.9

 -- Hugo Espuny <hec@debian.org>  Fri, 14 Mar 2003 00:28:18 +0100

drupal (4.1.0-2) unstable; urgency=low

  * Corrected directive "AllowOverride None" to "AllowOverride All" in
    /etc/drupal/apache.conf. (Closes: #184183)
  * Corrected directive <DirectoryMatch> to <Directory> in
    /etc/drupal/apache.conf.
  * Corrected cron file, postinst and templates. Now debconf asks for the
    whole URL, not only TCP port. (Closes: #184182) (Closes: #184182)
    Thanks to John Goerzen <jgoerzen@complete.org> to point me those.  
  * News feed now works properly. (Closes: #184252) (Closes: #184253)

 -- Hugo Espuny <hec@debian.org>  Wed, 12 Mar 2003 18:25:35 +0100

drupal (4.1.0-1) unstable; urgency=high

  * New upstream version (Closes: #178506) (Closes: #173107)
  * Moved to use po-debconf.
  * Fixed README.Debian (Closes: #173103) (Closes: #184111)

 -- Hugo Espuny <hec@debian.org>  Fri,  7 Mar 2003 21:09:02 +0100

drupal (4.0-4) unstable; urgency=low

  * Corrected a bug on cron.d file. 

 -- Hugo Espuny <hec@debian.org>  Wed, 11 Dec 2002 22:39:16 +0100

drupal (4.0-3) unstable; urgency=low

   * Corrected /etc/cron.d/drupal (thanx to  Paul van Tilburg
     <paulvt@debian.org>). (Closes: #172153)
   * Corrected link in README.Debian. (Closes: #169949)
   * Changed priority to extra.
   * postrm now executes an abort install properly.
   * Updated policy standars to 3.5.8

 -- Hugo Espuny <hec@debian.org>  Tue, 10 Dec 2002 00:38:36 +0100

drupal (4.0-2) unstable; urgency=low

  * Minor typo correction in templates file.
  * Minor bug correction about webserver port in postinst.
  * Added versioned dependency on wget to support HTTPS
  * Moved update.php to /usr/share/doc/drupal/upgrades

 -- Hugo Espuny <hec@debian.org>  Wed, 30 Oct 2002 16:54:06 +0100

drupal (4.0-1) unstable; urgency=low

  * New debian package. (Closes: #164676)
  * Code taken from phpnuke package.

 -- Hugo Espuny <hec@debian.org>  Tue, 29 Oct 2002 21:21:26 +0100

