1 shibboleth-sp2 (2.5+dfsg~moonshot1-1) unstable; urgency=low
3 * New moonshot pre-release
6 -- Sam Hartman <hartmans@debian.org> Mon, 25 Apr 2011 13:30:44 -0400
8 shibboleth-sp2 (2.4.2+dfsg-1) unstable; urgency=low
11 * Fix watch file. The 2.4 prerelease broke it.
14 * Enable and ship memcache-store.
17 * New upstream release.
18 - Move <SecurityPolicies> default to a separate configuration file
19 - Allow hard-coding the return URL after authentication
20 - Allow restrictions on signing/digest algorithms to accept
21 - New -o, -u, and -g flags to keygen
22 - Add SessionIndex of an AuthnStatement to environment variables
23 - Support for metadata extensions for algorithm support
24 - New extension for decoding base64 encoded attributes
25 - Allow configuration of XMLAccessControl rules in .htaccess
26 - Support explicit filtering of NameID by qualifiers
27 - New simplified configuration mechanism
28 - Allow inheritance of RelyingParty definitions in ApplicationOverride
29 - Provide more information in the status handler
30 - New endpoint producing JSON data for Discovery Service
31 - Generate the EntityDescriptor/ID via hashing for stability
32 - Allow using a regex to generate a URL from the entityID in dynamic
34 - Support for multibyte request paths
35 - New session cache option to avoid storing complete assertions
36 - Support MDX-style artifact lookup in dynamic MD plugin
37 - Allow storing and retrieving the session key from an HTTP header
38 - Support "unspecified" NameFormat without special configuration
39 - Allow overriding listener details to permit use of a shared config
40 - Add error information to attribute ResolutionContext
41 - Set the correct variables for log4cpp libraries (Closes: #606489)
43 * Rebuild with OpenSSL 1.0.0. (Closes: #620774)
44 * Change package names for the upstream SONAME change.
45 * Update Debian man pages for upstream utility changes.
46 * Build-depend on xmltooling 1.4 or later and OpenSAML 2.4 or later, and
47 also update schema and development package dependencies.
48 * Force build dependency on xml-security-c 1.6 or later for consistent
50 * Add build dependency on pkg-config, which upstream now uses to find
52 * Add build dependency on graphviz for better API documentation.
53 * Replace the version of jQuery installed by Doxygen in the
54 documentation package with a symlink to the version supplied by the
55 Debian package and add a dependency.
56 * Drop the *.la files from /usr/lib/shibboleth. Upstream does loading
57 by *.so files and doesn't use libltdl, and Debian is dropping *.la
59 * Fix LSB Description keyword formatting in the shibd init script.
60 * Empty the Default-Stop setting for the shibd init script. Just
61 killing the daemon as part of shutdown should be fine.
62 * Ignore the plugins in /usr/lib/shibboleth when running dh_makeshlibs.
63 They have SONAMEs but aren't actually libraries.
64 * Update to debhelper compatibility level V8.
65 - Use debhelper rule minimization.
66 * Update debian/copyright to the current DEP-5 specification.
67 * Change to Debian source format 3.0 (quilt). Force a single Debian
68 patch for simplicity since the packaging is maintained in Git using
69 branches, and include a patch header explaining why.
70 * Update standards version to 3.9.1 (no changes required).
72 -- Russ Allbery <rra@debian.org> Fri, 08 Apr 2011 13:01:21 -0700
74 shibboleth-sp2 (2.3.1+dfsg-5) unstable; urgency=high
76 * Merge the forgotten pidfile fix from branch bug/unlink-pidfile after
77 merging upstream/2.3.1+dfsg into that. Original changlog entry:
79 Apply upstream fix for shibd removing the PID file when called with
80 the -F option. This prevents the check of certificate permissions in
81 the init script from removing the PID file of a running shibd.
85 -- Ferenc Wagner <wferi@niif.hu> Tue, 01 Feb 2011 16:44:15 +0100
87 shibboleth-sp2 (2.3.1+dfsg-4) unstable; urgency=low
89 * Only restart Apache if it is running. Thanks, Mehdi Dogguy, Michael
90 Biebl, and Ferenc Wagner.
92 -- Russ Allbery <rra@debian.org> Mon, 29 Nov 2010 14:29:42 -0800
94 shibboleth-sp2 (2.3.1+dfsg-3) unstable; urgency=low
97 * Restart Apache from the postinst script if the shib2 module is enabled
98 to avoid communication errors with the upgraded shibd. (Closes: #602328)
101 * Add myself to Uploaders.
102 * Enable and ship memcache-store.
104 -- Ferenc Wagner <wferi@niif.hu> Mon, 22 Nov 2010 22:17:57 +0100
106 shibboleth-sp2 (2.3.1+dfsg-2) unstable; urgency=low
108 * Modify shib-keygen to create the new certificate key group-readable by
109 _shibd and not world-readable. (Closes: #571631, CVE-2010-2450)
110 * Force source format 1.0 for now since it makes backporting easier.
111 * Update debhelper compatibility level to V7.
112 - Use dh_prep instead of dh_clean -k.
113 * Update standards version to 3.8.4 (no changes required).
115 -- Russ Allbery <rra@debian.org> Sat, 15 May 2010 15:25:12 -0700
117 shibboleth-sp2 (2.3.1+dfsg-1) unstable; urgency=low
119 * New upstream release.
120 - Don't sign messages for SOAP requests twice.
121 - Correctly generate metadata in the artifact resolution handler.
122 - Artifact resolution should return empty success on errors.
123 - Fixed crash in backchannel global logout.
124 - Fix duplicate indexes in metadata generation when multiple base URLs
126 - Correctly decrypt assertions in attribute responses.
127 * Apply upstream fix for shibd removing the PID file when called with
128 the -F option. This prevents the check of certificate permissions in
129 the init script from removing the PID file of a running shibd.
130 * Add ${shlibs:Depends} to the libshibsp-dev package dependencies.
131 * Add ${misc:Depends} to all package dependencies.
133 -- Russ Allbery <rra@debian.org> Sun, 03 Jan 2010 13:54:55 -0800
135 shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
138 * Urgency set to high for security fix.
139 * New upstream release.
140 - SECURITY: Partial fix for improper handling of URLs that could be
141 abused for script injection and other cross-site scripting attacks.
142 The complete fix also requires newer xmltooling and opensaml2
143 packages. (Closes: #555608, CVE-2009-3300)
144 - Avoid shibd crash on dead memcache server.
145 - Pass the affiliation name to the session initiator.
146 - Correctly handle a bogus ACS.
147 - Allow overriding the URL that's passed to the DS.
148 - Add schema types for new attribute decoders introduced in 2.2.
149 - Handle success with partial logout in the logout UI code.
150 - Fix POST data preservation with empty parameters and empty forms.
151 - Fix SAML 1 specification of attributes in the query plugin.
152 - Shorten ePTId-type persistent identifiers.
153 - Use an ID rather than a whole doc reference for generated metadata.
154 - Fix spelling of scopeDelimiter in the configuration parser, making
155 the code and documentation match the schema.
156 * Rename library package for upstream SONAME bump.
157 * Tighten build and package dependencies on xmltooling and opensaml2 to
158 require the versions with the security fix.
159 * Fix watch file for the new version mangling.
160 * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
161 * Remove unnecessary patches to upstream files regenerated during the
162 build from the source package diff.
165 * Run make install with NOKEYGEN=1 and stop rm-ing generated
166 certificates. Fixes FTBFS.
169 * Run shibd as non-root.
171 -- Russ Allbery <rra@debian.org> Wed, 11 Nov 2009 14:39:44 -0800
173 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
175 * Change the libapache2-mod-shib2 section to httpd, matching override.
176 * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
177 recommended configuration update for the 2.2 version. Thanks, Scott
178 Cantor and Kristof BAJNOK.
180 -- Russ Allbery <rra@debian.org> Wed, 09 Sep 2009 12:15:08 -0700
182 shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high
184 * New upstream release.
185 - SECURITY: Fix improper handling of certificate names containing nul
187 - SECURITY: Correctly validate the use attribute of KeyDescriptors,
188 preventing use of a key for signing or for encryption if its use
189 field says it may not be used for that purpose.
190 - New shib-metagen script for generating Shibboleth SP metadata.
191 - Support preserving form data across user authentication.
192 - Support internal server redirection while maintaining protection.
193 - Fix incompatibility between lazy sessions and servlet containers.
194 - Fix some problems with dynamic metadata resolution.
195 - Fix incompatibility with mod_include.
196 - Fix single logout via SOAP.
197 - Fix shibd crash with invalid metadata.
198 - Fix crash in chaining attribute resolver.
199 - Avoid infinite loop on empty attribute mapped to REMOTE_USER.
200 - Fix handling of some Unicode data in relaystate data in URLs.
201 - Correctly return Success to LogoutRequest where appropriate.
202 - Avoid chunked encoding in back-channel calls.
203 - Correctly check Recipient values in assertions.
204 - Fix attributePrefix handling in some contexts.
205 - Fix generated metadata DiscoveryResponse.
206 - Fix handling of unsigned responses with encryption.
207 - Fix handling of InProcess property.
208 * Rename library package for upstream SONAME bump.
209 * Tighten build dependencies and schema package dependencies on
210 opensaml2 and xmltooling.
211 * Build against Xerces-C 3.0.
212 * Dynamically determine the Debian and upstream package versions for
213 get-orig-source from debian/changelog.
214 * Update libapache2-mod-shib2's README.Debian for changes to the
216 * Use the automatically-extracted package version as the version number
218 * Update standards version to 3.8.3.
219 - Create /var/run/shibboleth in the init script if it doesn't exist.
220 - Don't ship /var/run/shibboleth in the package.
221 - Remove /var/run/shibboleth in postrm if it exists.
223 -- Russ Allbery <rra@debian.org> Mon, 07 Sep 2009 16:14:29 -0700
225 shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low
227 * Redo the variable quoting in doxygen.m4 so that configure can be
228 rebuilt with Autoconf 2.63. (Closes: #518039)
230 -- Russ Allbery <rra@debian.org> Tue, 03 Mar 2009 15:03:10 -0800
232 shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low
235 * New upstream version.
236 - New memory cache storage backend.
237 - Schema validation is now optional.
239 * Bump SONAME of libshibsp following upstream's versioning.
240 * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file
241 and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1).
242 * Fix the name of the tarball created by get-orig-source.
244 * Tighten the dependency versioning; the 2.1 SP library requires the
245 2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas
247 * Remove duplicate Section field for libapache2-mod-shib2.
250 * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation.
251 * Remove the Shibboleth minor version number from README.Debian.
252 * Comment out the reference to WS-Trust.xsd from the catalog.xml file in
253 shibboleth-sp2-schemas and document how to enable it again.
255 -- Russ Allbery <rra@debian.org> Fri, 27 Feb 2009 20:54:51 -0800
257 shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
260 * Rename debian/shib.load to debian/shib2.load to avoid clashing with the
261 libapache2-mod-shib package. Otherwise its Apache config file breaks our
263 * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter
264 Schober for noticing)
267 * Add a postinst to disable the old configuration on upgrade and enable
268 the module if it had been enabled under the old configuration name.
269 * Wait for shibd to exit on stop or restart. This fixes a bug in
270 restart that could lead to no new shibd being started because the old
271 one had not yet exited.
272 * Fix a syntax error in the shibd man page.
274 -- Russ Allbery <rra@debian.org> Tue, 14 Oct 2008 21:47:36 -0700
276 shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low
279 * Avoid brace expansion in debian/rules, dash does not like it.
283 * Add logcheck rules to ignore some of the routine messages from the
284 Apache module. This only covers startup and teardown; more will
286 * Fix watch file for new upstream tarball naming.
288 -- Russ Allbery <rra@debian.org> Tue, 19 Aug 2008 19:04:35 -0700
290 shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low
292 * Apply upstream fix for variable sizes in the ODBC code. Fixes a
293 FTBFS on 64-bit platforms. (Closes: #492101)
295 -- Russ Allbery <rra@debian.org> Thu, 24 Jul 2008 08:44:50 -0700
297 shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low
300 * Initial release (Closes: #480290)
302 -- Russ Allbery <rra@debian.org> Wed, 25 Jun 2008 20:06:10 -0700