1 shibboleth-sp2 (2.4.2+dfsg-1) unstable; urgency=low
4 * Fix watch file. The 2.4 prerelease broke it.
7 * Enable and ship memcache-store.
10 * New upstream release.
11 - Move <SecurityPolicies> default to a separate configuration file
12 - Allow hard-coding the return URL after authentication
13 - Allow restrictions on signing/digest algorithms to accept
14 - New -o, -u, and -g flags to keygen
15 - Add SessionIndex of an AuthnStatement to environment variables
16 - Support for metadata extensions for algorithm support
17 - New extension for decoding base64 encoded attributes
18 - Allow configuration of XMLAccessControl rules in .htaccess
19 - Support explicit filtering of NameID by qualifiers
20 - New simplified configuration mechanism
21 - Allow inheritance of RelyingParty definitions in ApplicationOverride
22 - Provide more information in the status handler
23 - New endpoint producing JSON data for Discovery Service
24 - Generate the EntityDescriptor/ID via hashing for stability
25 - Allow using a regex to generate a URL from the entityID in dynamic
27 - Support for multibyte request paths
28 - New session cache option to avoid storing complete assertions
29 - Support MDX-style artifact lookup in dynamic MD plugin
30 - Allow storing and retrieving the session key from an HTTP header
31 - Support "unspecified" NameFormat without special configuration
32 - Allow overriding listener details to permit use of a shared config
33 - Add error information to attribute ResolutionContext
34 - Set the correct variables for log4cpp libraries (Closes: #606489)
36 * Rebuild with OpenSSL 1.0.0. (Closes: #620774)
37 * Change package names for the upstream SONAME change.
38 * Update Debian man pages for upstream utility changes.
39 * Build-depend on xmltooling 1.4 or later and OpenSAML 2.4 or later, and
40 also update schema and development package dependencies.
41 * Force build dependency on xml-security-c 1.6 or later for consistent
43 * Add build dependency on pkg-config, which upstream now uses to find
45 * Add build dependency on graphviz for better API documentation.
46 * Replace the version of jQuery installed by Doxygen in the
47 documentation package with a symlink to the version supplied by the
48 Debian package and add a dependency.
49 * Drop the *.la files from /usr/lib/shibboleth. Upstream does loading
50 by *.so files and doesn't use libltdl, and Debian is dropping *.la
52 * Fix LSB Description keyword formatting in the shibd init script.
53 * Empty the Default-Stop setting for the shibd init script. Just
54 killing the daemon as part of shutdown should be fine.
55 * Ignore the plugins in /usr/lib/shibboleth when running dh_makeshlibs.
56 They have SONAMEs but aren't actually libraries.
57 * Update to debhelper compatibility level V8.
58 - Use debhelper rule minimization.
59 * Update debian/copyright to the current DEP-5 specification.
60 * Change to Debian source format 3.0 (quilt). Force a single Debian
61 patch for simplicity since the packaging is maintained in Git using
62 branches, and include a patch header explaining why.
63 * Update standards version to 3.9.1 (no changes required).
65 -- Russ Allbery <rra@debian.org> Fri, 08 Apr 2011 13:01:21 -0700
67 shibboleth-sp2 (2.3.1+dfsg-5) unstable; urgency=high
69 * Merge the forgotten pidfile fix from branch bug/unlink-pidfile after
70 merging upstream/2.3.1+dfsg into that. Original changlog entry:
72 Apply upstream fix for shibd removing the PID file when called with
73 the -F option. This prevents the check of certificate permissions in
74 the init script from removing the PID file of a running shibd.
78 -- Ferenc Wagner <wferi@niif.hu> Tue, 01 Feb 2011 16:44:15 +0100
80 shibboleth-sp2 (2.3.1+dfsg-4) unstable; urgency=low
82 * Only restart Apache if it is running. Thanks, Mehdi Dogguy, Michael
83 Biebl, and Ferenc Wagner.
85 -- Russ Allbery <rra@debian.org> Mon, 29 Nov 2010 14:29:42 -0800
87 shibboleth-sp2 (2.3.1+dfsg-3) unstable; urgency=low
90 * Restart Apache from the postinst script if the shib2 module is enabled
91 to avoid communication errors with the upgraded shibd. (Closes: #602328)
94 * Add myself to Uploaders.
95 * Enable and ship memcache-store.
97 -- Ferenc Wagner <wferi@niif.hu> Mon, 22 Nov 2010 22:17:57 +0100
99 shibboleth-sp2 (2.3.1+dfsg-2) unstable; urgency=low
101 * Modify shib-keygen to create the new certificate key group-readable by
102 _shibd and not world-readable. (Closes: #571631, CVE-2010-2450)
103 * Force source format 1.0 for now since it makes backporting easier.
104 * Update debhelper compatibility level to V7.
105 - Use dh_prep instead of dh_clean -k.
106 * Update standards version to 3.8.4 (no changes required).
108 -- Russ Allbery <rra@debian.org> Sat, 15 May 2010 15:25:12 -0700
110 shibboleth-sp2 (2.3.1+dfsg-1) unstable; urgency=low
112 * New upstream release.
113 - Don't sign messages for SOAP requests twice.
114 - Correctly generate metadata in the artifact resolution handler.
115 - Artifact resolution should return empty success on errors.
116 - Fixed crash in backchannel global logout.
117 - Fix duplicate indexes in metadata generation when multiple base URLs
119 - Correctly decrypt assertions in attribute responses.
120 * Apply upstream fix for shibd removing the PID file when called with
121 the -F option. This prevents the check of certificate permissions in
122 the init script from removing the PID file of a running shibd.
123 * Add ${shlibs:Depends} to the libshibsp-dev package dependencies.
124 * Add ${misc:Depends} to all package dependencies.
126 -- Russ Allbery <rra@debian.org> Sun, 03 Jan 2010 13:54:55 -0800
128 shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
131 * Urgency set to high for security fix.
132 * New upstream release.
133 - SECURITY: Partial fix for improper handling of URLs that could be
134 abused for script injection and other cross-site scripting attacks.
135 The complete fix also requires newer xmltooling and opensaml2
136 packages. (Closes: #555608, CVE-2009-3300)
137 - Avoid shibd crash on dead memcache server.
138 - Pass the affiliation name to the session initiator.
139 - Correctly handle a bogus ACS.
140 - Allow overriding the URL that's passed to the DS.
141 - Add schema types for new attribute decoders introduced in 2.2.
142 - Handle success with partial logout in the logout UI code.
143 - Fix POST data preservation with empty parameters and empty forms.
144 - Fix SAML 1 specification of attributes in the query plugin.
145 - Shorten ePTId-type persistent identifiers.
146 - Use an ID rather than a whole doc reference for generated metadata.
147 - Fix spelling of scopeDelimiter in the configuration parser, making
148 the code and documentation match the schema.
149 * Rename library package for upstream SONAME bump.
150 * Tighten build and package dependencies on xmltooling and opensaml2 to
151 require the versions with the security fix.
152 * Fix watch file for the new version mangling.
153 * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
154 * Remove unnecessary patches to upstream files regenerated during the
155 build from the source package diff.
158 * Run make install with NOKEYGEN=1 and stop rm-ing generated
159 certificates. Fixes FTBFS.
162 * Run shibd as non-root.
164 -- Russ Allbery <rra@debian.org> Wed, 11 Nov 2009 14:39:44 -0800
166 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
168 * Change the libapache2-mod-shib2 section to httpd, matching override.
169 * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
170 recommended configuration update for the 2.2 version. Thanks, Scott
171 Cantor and Kristof BAJNOK.
173 -- Russ Allbery <rra@debian.org> Wed, 09 Sep 2009 12:15:08 -0700
175 shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high
177 * New upstream release.
178 - SECURITY: Fix improper handling of certificate names containing nul
180 - SECURITY: Correctly validate the use attribute of KeyDescriptors,
181 preventing use of a key for signing or for encryption if its use
182 field says it may not be used for that purpose.
183 - New shib-metagen script for generating Shibboleth SP metadata.
184 - Support preserving form data across user authentication.
185 - Support internal server redirection while maintaining protection.
186 - Fix incompatibility between lazy sessions and servlet containers.
187 - Fix some problems with dynamic metadata resolution.
188 - Fix incompatibility with mod_include.
189 - Fix single logout via SOAP.
190 - Fix shibd crash with invalid metadata.
191 - Fix crash in chaining attribute resolver.
192 - Avoid infinite loop on empty attribute mapped to REMOTE_USER.
193 - Fix handling of some Unicode data in relaystate data in URLs.
194 - Correctly return Success to LogoutRequest where appropriate.
195 - Avoid chunked encoding in back-channel calls.
196 - Correctly check Recipient values in assertions.
197 - Fix attributePrefix handling in some contexts.
198 - Fix generated metadata DiscoveryResponse.
199 - Fix handling of unsigned responses with encryption.
200 - Fix handling of InProcess property.
201 * Rename library package for upstream SONAME bump.
202 * Tighten build dependencies and schema package dependencies on
203 opensaml2 and xmltooling.
204 * Build against Xerces-C 3.0.
205 * Dynamically determine the Debian and upstream package versions for
206 get-orig-source from debian/changelog.
207 * Update libapache2-mod-shib2's README.Debian for changes to the
209 * Use the automatically-extracted package version as the version number
211 * Update standards version to 3.8.3.
212 - Create /var/run/shibboleth in the init script if it doesn't exist.
213 - Don't ship /var/run/shibboleth in the package.
214 - Remove /var/run/shibboleth in postrm if it exists.
216 -- Russ Allbery <rra@debian.org> Mon, 07 Sep 2009 16:14:29 -0700
218 shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low
220 * Redo the variable quoting in doxygen.m4 so that configure can be
221 rebuilt with Autoconf 2.63. (Closes: #518039)
223 -- Russ Allbery <rra@debian.org> Tue, 03 Mar 2009 15:03:10 -0800
225 shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low
228 * New upstream version.
229 - New memory cache storage backend.
230 - Schema validation is now optional.
232 * Bump SONAME of libshibsp following upstream's versioning.
233 * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file
234 and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1).
235 * Fix the name of the tarball created by get-orig-source.
237 * Tighten the dependency versioning; the 2.1 SP library requires the
238 2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas
240 * Remove duplicate Section field for libapache2-mod-shib2.
243 * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation.
244 * Remove the Shibboleth minor version number from README.Debian.
245 * Comment out the reference to WS-Trust.xsd from the catalog.xml file in
246 shibboleth-sp2-schemas and document how to enable it again.
248 -- Russ Allbery <rra@debian.org> Fri, 27 Feb 2009 20:54:51 -0800
250 shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
253 * Rename debian/shib.load to debian/shib2.load to avoid clashing with the
254 libapache2-mod-shib package. Otherwise its Apache config file breaks our
256 * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter
257 Schober for noticing)
260 * Add a postinst to disable the old configuration on upgrade and enable
261 the module if it had been enabled under the old configuration name.
262 * Wait for shibd to exit on stop or restart. This fixes a bug in
263 restart that could lead to no new shibd being started because the old
264 one had not yet exited.
265 * Fix a syntax error in the shibd man page.
267 -- Russ Allbery <rra@debian.org> Tue, 14 Oct 2008 21:47:36 -0700
269 shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low
272 * Avoid brace expansion in debian/rules, dash does not like it.
276 * Add logcheck rules to ignore some of the routine messages from the
277 Apache module. This only covers startup and teardown; more will
279 * Fix watch file for new upstream tarball naming.
281 -- Russ Allbery <rra@debian.org> Tue, 19 Aug 2008 19:04:35 -0700
283 shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low
285 * Apply upstream fix for variable sizes in the ODBC code. Fixes a
286 FTBFS on 64-bit platforms. (Closes: #492101)
288 -- Russ Allbery <rra@debian.org> Thu, 24 Jul 2008 08:44:50 -0700
290 shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low
293 * Initial release (Closes: #480290)
295 -- Russ Allbery <rra@debian.org> Wed, 25 Jun 2008 20:06:10 -0700