-shibboleth-sp2 (2.2.1+dfsg-1) UNRELEASED; urgency=low
+shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
+
+ [ Russ Allbery ]
+ * Urgency set to high for security fix.
+ * New upstream release.
+ - SECURITY: Partial fix for improper handling of URLs that could be
+ abused for script injection and other cross-site scripting attacks.
+ The complete fix also requires newer xmltooling and opensaml2
+ packages. (Closes: #555608, CVE-2009-3300)
+ - Avoid shibd crash on dead memcache server.
+ - Pass the affiliation name to the session initiator.
+ - Correctly handle a bogus ACS.
+ - Allow overriding the URL that's passed to the DS.
+ - Add schema types for new attribute decoders introduced in 2.2.
+ - Handle success with partial logout in the logout UI code.
+ - Fix POST data preservation with empty parameters and empty forms.
+ - Fix SAML 1 specification of attributes in the query plugin.
+ - Shorten ePTId-type persistent identifiers.
+ - Use an ID rather than a whole doc reference for generated metadata.
+ - Fix spelling of scopeDelimiter in the configuration parser, making
+ the code and documentation match the schema.
+ * Rename library package for upstream SONAME bump.
+ * Tighten build and package dependencies on xmltooling and opensaml2 to
+ require the versions with the security fix.
+ * Fix watch file for the new version mangling.
+ * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
+ * Remove unnecessary patches to upstream files regenerated during the
+ build from the source package diff.
+
+ [ Faidon Liambotis ]
+ * Run make install with NOKEYGEN=1 and stop rm-ing generated
+ certificates. Fixes FTBFS.
+
+ [ Ferenc Wagner ]
+ * Run shibd as non-root.
+
+ -- Russ Allbery <rra@debian.org> Tue, 10 Nov 2009 16:56:06 -0800
+
+shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
+
+ * Change the libapache2-mod-shib2 section to httpd, matching override.
+ * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
+ recommended configuration update for the 2.2 version. Thanks, Scott
+ Cantor and Kristof BAJNOK.
+
+ -- Russ Allbery <rra@debian.org> Wed, 09 Sep 2009 12:15:08 -0700
+
+shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high
* New upstream release.
- SECURITY: Fix improper handling of certificate names containing nul
- SECURITY: Correctly validate the use attribute of KeyDescriptors,
preventing use of a key for signing or for encryption if its use
field says it may not be used for that purpose.
+ - New shib-metagen script for generating Shibboleth SP metadata.
- Support preserving form data across user authentication.
- Support internal server redirection while maintaining protection.
- Fix incompatibility between lazy sessions and servlet containers.
get-orig-source from debian/changelog.
* Update libapache2-mod-shib2's README.Debian for changes to the
TestShib web pages.
+ * Use the automatically-extracted package version as the version number
+ for the man pages.
* Update standards version to 3.8.3.
- Create /var/run/shibboleth in the init script if it doesn't exist.
- Don't ship /var/run/shibboleth in the package.
- Remove /var/run/shibboleth in postrm if it exists.
- -- Russ Allbery <rra@debian.org> Fri, 24 Jul 2009 15:29:01 -0700
+ -- Russ Allbery <rra@debian.org> Mon, 07 Sep 2009 16:14:29 -0700
shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low