release 1.1.9.2: also check CSRF token in collection-edit.php

2026-05-25 02:34:17 +00:00 · 2019-12-06 19:52:08 +08:00 · 2019-12-06 19:52:08 +08:00 · 699d077834
commit 699d077834
parent 007bf95589
8 changed files with 32 additions and 11 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2019-12-06 Florian Schlichting <fsfs@debian.org>
+	* use foreach() instead of deprecated each() (fixes #190)
+	* HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings
+
+2019-12-06 Niels van Gijzen <niels.van.gijzen@gmail.com>
+	* Fix CSRF not being checked in collection-edit.php
+
 2019-11-29 Niels van Gijzen <niels.van.gijzen@gmail.com>
 	* Correct reflected cross-site scripting (XSS) vulnerability
 	* Correct persistent XSS vulnerability in user/group/resource details
--- a/2
+++ b/2
@ -1 +1 @@
-1.1.9.1
+1.1.9.2
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,17 @@
+davical (1.1.9.2-1) unstable; urgency=medium
+
+  * New upstream release (closes: #934106)
+    + fixes CVE-2019-18345 CVE-2019-18346 CVE-2019-18347 (closes: #946343)
+  * Drop dependency on rst2pdf to clear the blocker for testing migration
+  * Use debian-compat dependency, level 12
+  * Put API documentation into davical directory (instead of davical-doc), as
+    has been suggested by policy for a while
+  * Fix capitalization on Vcs- fields
+  * Declare compliance with Debian Policy 4.4.1
+  * Add a basic upstream metadata file, as suggested by the Debian Janitor
+
+ -- Florian Schlichting <fsfs@debian.org>  Thu, 12 Dec 2019 00:20:46 +0800
+
 davical (1.1.8-1) unstable; urgency=medium

  * New upstream release
--- a/debian/compat
+++ b/debian/compat
@ -1 +0,0 @@
-9
--- a/debian/control
+++ b/debian/control
@ -4,17 +4,16 @@ Priority: optional
 Maintainer: Davical Development Team <davical-devel@lists.sourceforge.net>
 Uploaders: Andrew McMillan <awm@debian.org>,
 Florian Schlichting <fsfs@debian.org>
-Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 9),
+Standards-Version: 4.4.1
+Build-Depends: debhelper-compat (= 12),
 dh-exec,
 jdupes,
 libawl-php (>= 0.60-1~), libawl-php (<< 0.61),
 gettext,
 doxygen,
- php-cli | php5-cli,
- rst2pdf
-Vcs-git: https://gitlab.com/davical-project/davical.git
-Vcs-browser: https://gitlab.com/davical-project/davical
+ php-cli | php5-cli
+Vcs-Git: https://gitlab.com/davical-project/davical.git
+Vcs-Browser: https://gitlab.com/davical-project/davical
 Homepage: https://www.davical.org/

 Package: davical
--- a/debian/davical-doc.doc-base.api
+++ b/debian/davical-doc.doc-base.api
@ -8,5 +8,5 @@ Abstract: Technical documentation for DAViCal
 documentation details the classes and methods in die DAViCal programs.

 Format: HTML
-Index: /usr/share/doc/davical-doc/api/index.html
-Files: /usr/share/doc/davical-doc/api/*.html
+Index: /usr/share/doc/davical/api/index.html
+Files: /usr/share/doc/davical/api/*.html
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@ -0,0 +1,2 @@
+Repository: https://gitlab.com/davical-project/davical.git
+Repository-Browse: https://gitlab.com/davical-project/davical
--- a/htdocs/always.php
+++ b/htdocs/always.php
@ -287,7 +287,7 @@ if ( function_exists('awl_set_locale') ) {
 */
 $c->code_version = 0;
 $c->want_awl_version = '0.60';
-$c->version_string = '1.1.9.1'; // The actual version # is replaced into that during the build /release process
+$c->version_string = '1.1.9.2'; // The actual version # is replaced into that during the build /release process
 if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
  $c->code_major = $matches[1];
  $c->code_minor = $matches[2];
 @ -1 +1 @@
 .1.9.1
 .1.9.2