Name Status Last Modified Last Commit
lp:debian/experimental/dtc 1 Development 2012-06-08 16:26:38 UTC
20. * New upstream version with the follo...

Author: Thomas Goirand
Revision Date: 2012-06-08 16:26:38 UTC

* New upstream version with the following changes:
- [ Collective patches ] :
  o Safer template.php with more mysql escape call, just to be sure.
  o Fixes cron job parameter escaping (potential security issue).
- [ Javier Marcon ] :
  o Separated backup cron from the rest of the dtc cron jobs.
  o Fixed shared hosting reminder to admins (Javier Marcon).
- [ Jesse Norell ] :
  o Forces mailboxes to be lowercase.
  o Support for dovecot.conf overwrite in a conf.d folder.
  o New anti-spam "move to folder sends to sa-learn" functionality.
- [ Thomas Goirand ] :
  o Always copy the new site template, not depending on security model
  anymore.
  o Fixed scp of invoices.
  o New domain_migrate.sh script, to move a domain from one server to another.
  o Now creating new users using the sbox_aufs mode by default.
  o Adds a mail_max_userip_connections directive in Dovecot.
- [ Damien Mascord ] :
  o Fixes managesieve symlink and default .dovecot.sieve handling so that
  activating the default rules doesn't delete it.
- [ Jan-Class Dirks ] :
  o Fixes a cron job warning if a user had no domain.

lp:debian/lenny/dtc 2 Mature 2011-09-11 05:15:26 UTC
8. * QA upload fixing: - Removed old i...

Author: Thomas Goirand
Revision Date: 2011-09-11 05:15:26 UTC

* QA upload fixing:
  - Removed old iGlobalWall folder which included unwanted information.
  - Removed sourceless OSX mod_log_sql.so files (Closes: #637469).
  - Fixes lists shell injection issue (Closes: #637477).
  - Sets unix rights to non-world readable for the apache2.conf file,
  since it contains SQL access password (Closes: #637485).
  - Now htmlspecialchars() the output of DNS & MX, preventing a possible
  HTML injection issue (Closes: #637584).
  - Fixes "package installer includes php files in untrusted directories"
  if some package install packages are installed (Closes: #637629, #637630).
  - Adds htmlspecialchars() in the ticket display.
  - Fixes sudo access to chrootuid giving access to root, using the new
  dtc-chroot-wrapper (Closes: #637618).
  - Not using htpasswd -b to create .htpasswd files (Closes: #637537).
  - Checks $_SERVER["addrlink"] input correctly, since it could lead to very
  bad SQL insertion (Closes: #637487).
  - Fixes an SQL injection in package installer (Closes: #637632).
  - Fixes an SQL injection in the draw_user_admin.php (Closes: #637669).

lp:debian/dtc 1 Development 2011-08-12 09:04:11 UTC
17. * New upstream version with lots of s...

Author: Thomas Goirand
Revision Date: 2011-08-12 09:04:11 UTC

* New upstream version with lots of security fixes:
  - Passwords are now hashed (Closes: #566654).
  - The addrlink is now checked properly, thanks to Ansgar Burchardt
  <ansgar@debian.org> for reporting it (Closes: #637487).
  - Mailing lists tunables options are now correctly escaped before the files
  are being written with an echo, thanks to Ansgar Burchardt
  <ansgar@debian.org> for reporting it (Closes: #637477).
  - Removed sourceless build of OSX mod_log_sql, removed unwanted iglobalwall
  useless files, thanks to Ansgar Burchardt <ansgar@debian.org> for reporting
  it (Closes: #637469).
  - Fixes logPushlet input checking, thanks to Mike O'Connor <stew@vireo.org>
  for reporting it (Closes: #637498).
  - Removes grayboard skin as it is missing some js scripts, thanks to Mike
  O'Connor <stew@vireo.org> for reporting it (Closes: #637505).
  - Sets apache2.conf not to be world readable because it contains the
  password for accessing the dtcdaemon database (Closes: #637485).
  - Adds output escaping in the DNS & MX form (Closes: #637584).
  - Install now does chmod 640 /var/log/dtc.log chown root:adm
  /var/log/dtc.log (Closes: #637617).
  - Checks for validity of package name in the package installer before
  installing a package (Closes: #637629).
  - Now using a dtc-chroot-wrapper to avoid giving a too permissive access
  to chrootuid, which was giving root access to apache (Closes: #637618).
  - Don't use htpasswd -b, since it's showing the password on a ps. Using
  crypt() and fwrite() now. (Closes: #637537).
* Added ja.po debconf translation thanks to Hideki Yamane
  <henrich@debian.org> (Closes: #599087).
* Changed reference to mysql-server-5.0 to mysql-server-5.1, thanks to
  Mike O'Connor <stew@vireo.org> for reporting it (Closes: #633617).

lp:debian/squeeze/dtc 1 Development 2010-06-25 12:25:19 UTC
10. * New upstream release fixing the fol...

Author: Thomas Goirand
Revision Date: 2010-06-25 12:25:19 UTC

* New upstream release fixing the following:
  - [v0.30.19] Corrects some spelling issues in debian/control, adds the
  debian/source/format file (still format 1.0 as there's no need for patches,
  because upstream == debian maintainer).
  - [v0.30.19] Non debian-specific bugfixing as follows:
    - Orders the "Add VPS" by server_hostname,vps_xen_name
    - check for existence of maildirsize before attempting chown
    - fixed a typo when redirecting the postsuper output
    - chown of some files for xen servers nodes were missing
    - forbids certain names for mysql dbs (mysql, apachelogs, etc.)
    - makes an SSL vhost available when a user holding one is deleted
    - checks if os is 64 bits when managing lib64 folder
    - a typo in the email signatures
    - a button to delete a support ticket thread silently
    - Using an export XML file to import all the configuration of a virtual
    administrator now works (previously, it was working only with a single
    domain name). MySQL db definition exports are now also working, and
    UID/GID are fixed as they should in the DB for FTP/SSH/MAIL.
    - Using mkdir -p instead of just mkdir when creating a new user path.
  - [v0.30.20] Non debian-specific bugfixing as follows:
    - Removed the total_du warning in the "My Account" screen.
    - Now rendering the statistics table with CSS and not ugly html
    - Killed the code for "repairing" http_accounting table that was in fact
    resetting user bandwidth stats for the current month at each upgrade.
    - Now /dtcadmin (vs /dtcadmin/) works again
    - Renamed the HTTPRequest class to dtc_HTTPRequest in order to avoid
    conflicts with the PHP PEAR library.
  - Added a global graphic overview of VPS servers (I/O, CPU, net...)
