- New version 3.2.19.
- Fixes for the following security vulnerabilities:
  + CVE-2023-31047 Potential bypass of validation when uploading multiple files using one form field

- New version 0.9.6 (Fixes: CVE-2023-1017, CVE-2023-1018).

- New version 3.0.3
- Security fixes:
 + CVE-2021-46743 : Firebase PHP-JWT key/algorithm type confusion
 + CVE-2022-31403 : XSS vulnerability via /itop/pages/ajax.render.php
 + CVE-2022-31402 : XSS vulnerability via /itop/webservices/export-v2.php
- Added itop-php8.0
- Deleted itop-php7

- 2.29.0 -> 2.31.0 (fixes: CVE-2023-32681).

- 1.5.2 (Fixes: CVE-2023-0676, CVE-2023-0677, CVE-2023-0678, CVE-2023-1211, CVE-2023-1212).

- New version 10.0.7
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-28849 : SQL injection and Stored XSS via inventory agent request
 + CVE-2023-28632 : Account takeover by authenticated user
 + CVE-2023-28838 : SQL injection through dynamic reports
 + CVE-2023-28852 : Stored XSS through dashboard administration
 + CVE-2023-28636 : Stored XSS on external links
 + CVE-2023-28639 : Reflected XSS in search pages
 + CVE-2023-28634 : Privilege Escalation from technician to super-admin
 + CVE-2023-28633 : Blind Server-Side Request Forgery (SSRF) in RSS feeds

- 15.3 (Fixes CVE-2023-2454, CVE-2023-2455)

- 14.8 (Fixes CVE-2023-2454, CVE-2023-2455)

- 13.11 (Fixes CVE-2023-2454, CVE-2023-2455)

- 12.15 (Fixes CVE-2023-2454, CVE-2023-2455)

- 11.20 (Fixes CVE-2023-2454, CVE-2023-2455)

- 15.3 (Fixes CVE-2023-2454, CVE-2023-2455)

- 4.0.5
- Fixes:
    * CVE-2023-1994 GQUIC dissector crash.
    * CVE-2023-1993 LISP dissector large loop.
    * CVE-2023-1992 RPCoRDMA dissector crash.
    * CVE-2023-1161 ISO 15765 and ISO 10681 dissector crash.

- 2.17.6 (Fixes: CVE-2021-3905, CVE-2023-1668, CVE-2022-4337, CVE-2022-4338)

- 2.10.4 (Fixes: CVE-2023-29469, CVE-2023-28484)

- 2.33.7 -> 2.33.8 (fixes: CVE-2023-25652, CVE-2023-25815, CVE-2023-29007).

- Autobuild version bump to 10.01.1
- (Fixes: CVE-2023-28879)

- Fixed arbitrary command execution via a tag file with
  a crafted filename (fixes CVE-2022-4515).

- 1.10.3.
- switch to meson.
- Security fixes for CVE-2020-11721, CVE-2020-19668.

- Update to maintenance release of Samba 4.17 with update libldb to 2.6.2:
  + ldb wildcard matching makes excessive allocations (Samba#15331).

- Security fixes (Samba#15276, Samba#15270, Samba#15315, Samba#14810):
  + CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                   but otherwise unprivileged users to delete this attribute from
                   any object in the directory.
                   https://www.samba.org/samba/security/CVE-2023-0225.html

  + CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                   remote LDAP server, will by default send new or reset
                   passwords over a signed-only connection.
                   https://www.samba.org/samba/security/CVE-2023-0922.html

  + CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                   Confidential attribute disclosure via LDAP filters was
                   insufficient and an attacker may be able to obtain
                   confidential BitLocker recovery keys from a Samba AD DC.
                   Installations with such secrets in their Samba AD should
                   assume they have been obtained and need replacing.
                   https://www.samba.org/samba/security/CVE-2023-0614.html

  + CVE-2020-25720 Create Child permission should not allow full write to all
                   attributes (additional changes).

- 0.9.76 released (fixes: CVE-2023-27371)

- 1.1.4 (Fixes CVE-2023-27478)
- Change URL to new upstream project
- Use CMAKE

- Added patches from upstream git:
  + Avoid undefined behaviour with the ctype(3) functions
  + Fix --rev-server option
  + Fix possible SEGV when no servers defined
  + Set the default maximum DNS UDP packet size to 1232
    (fixes: CVE-2023-28450)
  + Fix DHCPv6 "use multicast" response which previously failed

- 1.14.4 (fixed CVE-2023-28100, CVE-2023-28101)

- 0.103.8 (CVE-2023-20032, CVE-2023-20052)

- 5.9.3
- Fixes: CVE-2022-44792, CVE-2022-44793
- Add patches from fedora.
- Drop libucd-snmp and libucd-snmp-devel packages.
- Drop net-snmp-config package and move script net-snmp-config to devel.
- Add libnet-snmp-agent package and move agent library.

- 4.0.1 (Fixes: CVE-2023-22745)

- Updated to 3.7.9 (fixes: CVE-2023-0361).

- (Fixes: CVE-2022-3534, CVE-2022-3606).

- 8.0.27 -> 8.0.28 (Fixes: CVE-2023-0567, CVE-2023-0568, CVE-2023-0662)

- Updated to 3.6.2 (fixes CVE-2023-0286).

- (Fixes: CVE-2022-47016).

- 3.5.15 (fixes: CVE-2022-46285, CVE-2022-44617, CVE-2022-4883)

- New version
- Security fixes:
  + CVE-2022-24736: server crash by a specially crafted Lua script
  + CVE-2022-24735: overcome ACL rules via Lua scripts manipulation

- cherry pick upstream fixes for CVE-2018-19876, CVE-2020-35492

- Fixed libssl knob.
- Fixed License tag.
- Added Vcs tag.
- Patch from upstream:
  + Fixed crash when st_info_list is NULL (fixes: CVE-2022-4121).

- security (fixes: CVE-2022-36227)

- 3.1.13 (fixed CVE-2021-31439, CVE-2022-23121, CVE-2022-23122,
  CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194)

- Backported upstream commit "mpz/inp_raw.c: Avoid bit size overflows"
  (thx Marco Bodrato) (fixes CVE-2021-43618).

- E2K:
  + added mcst patches, mostly as-is except:
    - 0003-Add-copy-optimizations.patch: partially obsolete
    - 0006-Add-bug-workaround.patch: obsolete for arch > e2kv2
    - 0010-Restore-DRI1-support.{add,mod}.patch: need more reverts
    - 0040-Fix-CVE-2018-14665.patch: applied elsewhere upstream
    and specifically, including:
    - 0010-restore-DRI1-support-for-e1c.patch
    - mga2 related patch from mcst#5155
  + warning-related ftbfs workarounds

- Fixes (CVE-2021-46790, CVE-2022-30783, CVE-2022-30784, CVE-2022-30785,
  CVE-2022-30786, CVE-2022-30787, CVE-2022-30788, CVE-2022-30789,
  CVE-2022-40284)

- apply upstream commit a1f88e842e0216a5b4df1ab023caebe33c101395
  to fix CVE-2022-44638

- 7.4.32 -> 7.4.33 (Fixes: CVE-2022-31630, CVE-2022-37454)

- rename patch lib-DBD-File.pm-fix-CVE-2014-10401.patch
- fixes changelog

- Updated to 2.5.0 (fixes: CVE-2022-43680 Fix heap use-after-free after
  overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate
  in out-of-memory situations, DoS or potentially ACE).

- security (fixes: CVE-2020-29260)

- Fixes patch CVE-2015-0557-security-traversal-dir (ALT #44143).

- Add support LDAP add/mod operation to set/change password:
 + fix unable to join to active directory after KB5008380/CVE-2021-42287 with
   option '--ldap-passwd';
 + https://gitlab.freedesktop.org/realmd/adcli/-/issues/27
- Add support fall back to LDAPS if CLDAP ping was not successful
 + If the --use-ldaps option is used and there is no reply on the CLDAP 389/udp
   port adcli will try to send the request to the LDAPS port 636/tcp.
- Fix write SID before secret to Samba's db looks like 'net changesecretpw'
- Add passwd-user sub-command for (re)set a user password.
- Add dont-expire-password option for computer.

- New version (2.38.1) (fixes: CVE-2023-0563).

- fixes CVE-2019-25051

- fixes CVE-2018-10195.

- fixes CVE-2021-4217

- Updated to 4.4.3-P1 (fixes: CVE-2022-2928,CVE-2022-2929).

- 0.25.4 (fixed CVE-2022-37706)

- Update to stable release 6.15 (Samba#15025, Samba#15026)
- mount.cifs: fix length check for ip option parsing (fixes: CVE-2022-27239)
- mount.cifs: fix verbose messages on option parsing (fixes: CVE-2022-29869)

- Update to DROPBEAR_2022.82 (2022-04-01). (Fixes: CVE-2018-15599,
  CVE-2018-5399, CVE-2018-20685, CVE-2019-12953, CVE-2020-15833,
  CVE-2020-36254).
- Disable DSS keys.
- Allow password auth.
- Undo authkey_fp patch (as it does not apply to the new codebase).
- Use bundled libtom{crypt,math} maintained by the authors of Dropbear.
- Doc and client packages are merged into main package.
- Add systemd services.
- Correct sftp-server path (to openssh-server binary).

- Secutiry update (fixed: CVE-2015-20107).
- Fixed Url field.

- Version bump
- Many bugfixes, including security, including:
  Fixes: CVE-2022-24106, CVE-2022-27135

- Autobuild version bump to 6.1.7
- Fixes: CVE-2022-30333

- 2.5.0 (fixed CVE-2013-4289, CVE-2013-4290, CVE-2019-6988, 
  CVE-2018-20846, CVE-2018-16376, CVE-2021-29338)

- New version.
- Security fixes:
  + CVE-2021-28544 Subversion servers reveal copyfrom paths that should be hidden according to configured path-based authorization (authz) rules.
  + CVE-2022-24070 mod_dav_svn is prone to a use-after-free vulnerability when looking up path-based authorization rules, which can result in denial of service (crash of HTTPD worker handling the request).

- NMU (fixes: CVE-2021-4034).
- Applied upstream fix for a trivially exploitable local root vulnerability,
  see https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

- E2K: apply mcst patches, including CVE-2018-6621 fix

- new version 1.41 (Fixes: CVE-2022-23096, CVE-2022-23097, CVE-2022-23098)

- 2.4.3 (Fixes: CVE-2021-4122).

- 2.1.38 -> 2.1.39 (fixes for CVE-2021-42097 and CVE-2021-44227).

- Applied SUSE combchar.diff to prevent DoS via crafted UTF-8 character
  sequence (fixes CVE-2021-26937).

- 0.2.5 (fixed CVE-2021-39358)

- New version (Fixes: CVE-2020-15158).

- fix build, apply patches from upstream
- .service: use /run instead of /var/run
- CVE-2021-32749

- 3.2.8 (fixes: CVE-2021-33582)

- new version
- security (fixes: CVE-2021-3634)

- 1.2.18
- Fixes:
  + CVE-2020-35701 SQL Injection was possible due to incorrect validation order
  + CVE-2020-14424 Lack of escaping on file input fields can lead to XSS exposure under midwinter theme

- new version (1.3.0) with rpmgs script
- CVE-2020-9382, CVE-2020-35625

- avoid infinite-loop in avahi-daemon (closes: #39357) (fixes: CVE-2021-3468)

- Applied security fix from upstream (Fixes CVE-2018-16789).

- Applied security fix from upstream (Fixes CVE-2018-8754).

- Applied security patches from Debian and Gentoo (Fixes: CVE-2014-0466, CVE-2015-8107).

- Updated to upstream version 0.32.3 (Fixes: CVE-2017-5208,
  CVE-2017-5331, CVE-2017-5332, CVE-2017-5333).

- Applied security patch from Gentoo (Fixes: CVE-2017-9430).

- Updated to upstream version 1.2.1 (Fixes: CVE-2018-16741, CVE-2018-16742,
  CVE-2018-16743, CVE-2018-16744, CVE-2018-16745, CVE-2019-1010189, CVE-2019-1010190).

- Applied security fix from upstream (Fixes: CVE-2019-14495).

- Updated to upstream version 1.18.0 (Fixes: CVE-2017-5991, CVE-2018-10289,
  CVE-2018-16647, CVE-2018-16648, CVE-2019-14975, CVE-2020-26519).

- Updated to upstream version 1.2.2 (Fixes: CVE-2019-13045, CVE-2019-15717).

- Applied security patch from Fedora (Fixes: CVE-2019-19917, CVE-2019-19918)

- Updated to upstream version 0.19 (Fixes: CVE-2016-9601, CVE-2020-12268).

- 1.2.3
- securuty fixes: CVE-2016-7951, CVE-2016-7952

- 0.9.10
- securuty fixes: CVE-2016-7949, CVE-2016-7950

- Switched to CVE-2008-4935 fix from Debian.
- Added -Werror=implicit-function-declaration compiler flag.

- Updated to version 1.76 from Debian (Fixes: CVE-2009-1382, CVE-2009-2459).

- Cleaned up sources by importing sources from Debian.
- Forced using system build flags.
- Updated fix for CVE-2015-2063.

- Applied patches from Debian (Fixes: CVE-2013-4420).

- Applied patches from Debian (Fixes: CVE-2014-8123).

- Applied patches from Gentoo (Fixes: CVE-2015-8836, CVE-2015-8837).

- Updated to upstream version 1.2.2 (Fixes: CVE-2017-15953, CVE-2017-15954, CVE-2017-15955).

- Updated to upstream version 1.4.2 (Fixes: CVE-2020-24361).

- Updated to upstream version 2.0.29 (Fixes: CVE-2019-20917, CVE-2020-25269).

- Applied patches from Debian (Fixes: CVE-2005-3178).

- Applied patches from Debian and Gentoo (Fixes: CVE-2005-2536, CVE-2006-5869).
- Build now respects %optflags.

- Applied security fix from Debian (Fixes: CVE-2018-1000825).
- Updated license tag.