1 shibboleth-sp2 (2.3+dfsg-1) UNRELEASED; urgency=low
4 * New upstream release.
5 - SECURITY: Partial fix for improper handling of URLs that could be
6 abused for script injection and other cross-site scripting attacks.
7 The complete fix also requires newer xmltooling and opensaml2
8 packages. (Closes: #555608, CVE-2009-3300)
9 - Avoid shibd crash on dead memcache server.
10 - Pass the affiliation name to the session initiator.
11 - Correctly handle a bogus ACS.
12 - Allow overriding the URL that's passed to the DS.
13 - Add schema types for new attribute decoders introduced in 2.2.
14 - Handle success with partial logout in the logout UI code.
15 - Fix POST data preservation with empty parameters and empty forms.
16 - Fix SAML 1 specification of attributes in the query plugin.
17 - Shorten ePTId-type persistent identifiers.
18 - Use an ID rather than a whole doc reference for generated metadata.
19 - Fix spelling of scopeDelimiter in the configuration parser, making
20 the code and documentation match the schema.
21 * Tighten build and package dependencies on xmltooling and opensaml2 to
22 require the versions with the security fix.
23 * Fix watch file for the new version mangling.
26 * Run shibd as non-root.
28 -- Russ Allbery <rra@debian.org> Tue, 10 Nov 2009 14:55:56 -0800
30 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
32 * Change the libapache2-mod-shib2 section to httpd, matching override.
33 * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
34 recommended configuration update for the 2.2 version. Thanks, Scott
35 Cantor and Kristof BAJNOK.
37 -- Russ Allbery <rra@debian.org> Wed, 09 Sep 2009 12:15:08 -0700
39 shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high
41 * New upstream release.
42 - SECURITY: Fix improper handling of certificate names containing nul
44 - SECURITY: Correctly validate the use attribute of KeyDescriptors,
45 preventing use of a key for signing or for encryption if its use
46 field says it may not be used for that purpose.
47 - New shib-metagen script for generating Shibboleth SP metadata.
48 - Support preserving form data across user authentication.
49 - Support internal server redirection while maintaining protection.
50 - Fix incompatibility between lazy sessions and servlet containers.
51 - Fix some problems with dynamic metadata resolution.
52 - Fix incompatibility with mod_include.
53 - Fix single logout via SOAP.
54 - Fix shibd crash with invalid metadata.
55 - Fix crash in chaining attribute resolver.
56 - Avoid infinite loop on empty attribute mapped to REMOTE_USER.
57 - Fix handling of some Unicode data in relaystate data in URLs.
58 - Correctly return Success to LogoutRequest where appropriate.
59 - Avoid chunked encoding in back-channel calls.
60 - Correctly check Recipient values in assertions.
61 - Fix attributePrefix handling in some contexts.
62 - Fix generated metadata DiscoveryResponse.
63 - Fix handling of unsigned responses with encryption.
64 - Fix handling of InProcess property.
65 * Rename library package for upstream SONAME bump.
66 * Tighten build dependencies and schema package dependencies on
67 opensaml2 and xmltooling.
68 * Build against Xerces-C 3.0.
69 * Dynamically determine the Debian and upstream package versions for
70 get-orig-source from debian/changelog.
71 * Update libapache2-mod-shib2's README.Debian for changes to the
73 * Use the automatically-extracted package version as the version number
75 * Update standards version to 3.8.3.
76 - Create /var/run/shibboleth in the init script if it doesn't exist.
77 - Don't ship /var/run/shibboleth in the package.
78 - Remove /var/run/shibboleth in postrm if it exists.
80 -- Russ Allbery <rra@debian.org> Mon, 07 Sep 2009 16:14:29 -0700
82 shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low
84 * Redo the variable quoting in doxygen.m4 so that configure can be
85 rebuilt with Autoconf 2.63. (Closes: #518039)
87 -- Russ Allbery <rra@debian.org> Tue, 03 Mar 2009 15:03:10 -0800
89 shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low
92 * New upstream version.
93 - New memory cache storage backend.
94 - Schema validation is now optional.
96 * Bump SONAME of libshibsp following upstream's versioning.
97 * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file
98 and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1).
99 * Fix the name of the tarball created by get-orig-source.
101 * Tighten the dependency versioning; the 2.1 SP library requires the
102 2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas
104 * Remove duplicate Section field for libapache2-mod-shib2.
107 * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation.
108 * Remove the Shibboleth minor version number from README.Debian.
109 * Comment out the reference to WS-Trust.xsd from the catalog.xml file in
110 shibboleth-sp2-schemas and document how to enable it again.
112 -- Russ Allbery <rra@debian.org> Fri, 27 Feb 2009 20:54:51 -0800
114 shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
117 * Rename debian/shib.load to debian/shib2.load to avoid clashing with the
118 libapache2-mod-shib package. Otherwise its Apache config file breaks our
120 * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter
121 Schober for noticing)
124 * Add a postinst to disable the old configuration on upgrade and enable
125 the module if it had been enabled under the old configuration name.
126 * Wait for shibd to exit on stop or restart. This fixes a bug in
127 restart that could lead to no new shibd being started because the old
128 one had not yet exited.
129 * Fix a syntax error in the shibd man page.
131 -- Russ Allbery <rra@debian.org> Tue, 14 Oct 2008 21:47:36 -0700
133 shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low
136 * Avoid brace expansion in debian/rules, dash does not like it.
140 * Add logcheck rules to ignore some of the routine messages from the
141 Apache module. This only covers startup and teardown; more will
143 * Fix watch file for new upstream tarball naming.
145 -- Russ Allbery <rra@debian.org> Tue, 19 Aug 2008 19:04:35 -0700
147 shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low
149 * Apply upstream fix for variable sizes in the ODBC code. Fixes a
150 FTBFS on 64-bit platforms. (Closes: #492101)
152 -- Russ Allbery <rra@debian.org> Thu, 24 Jul 2008 08:44:50 -0700
154 shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low
157 * Initial release (Closes: #480290)
159 -- Russ Allbery <rra@debian.org> Wed, 25 Jun 2008 20:06:10 -0700