1 shibboleth-sp2 (2.3.1+dfsg-5) UNRELEASED; urgency=low
4 * Fix watch file. The 2.4 prerelease broke it.
7 * Enable and ship memcache-store.
9 -- Russ Allbery <rra@debian.org> Mon, 29 Nov 2010 15:54:07 -0800
11 shibboleth-sp2 (2.3.1+dfsg-4) unstable; urgency=low
13 * Only restart Apache if it is running. Thanks, Mehdi Dogguy, Michael
14 Biebl, and Ferenc Wagner.
16 -- Russ Allbery <rra@debian.org> Mon, 29 Nov 2010 14:29:42 -0800
18 shibboleth-sp2 (2.3.1+dfsg-3) unstable; urgency=low
21 * Restart Apache from the postinst script if the shib2 module is enabled
22 to avoid communication errors with the upgraded shibd. (Closes: #602328)
25 * Add myself to Uploaders.
26 * Enable and ship memcache-store.
28 -- Ferenc Wagner <wferi@niif.hu> Mon, 22 Nov 2010 22:17:57 +0100
30 shibboleth-sp2 (2.3.1+dfsg-2) unstable; urgency=low
32 * Modify shib-keygen to create the new certificate key group-readable by
33 _shibd and not world-readable. (Closes: #571631, CVE-2010-2450)
34 * Force source format 1.0 for now since it makes backporting easier.
35 * Update debhelper compatibility level to V7.
36 - Use dh_prep instead of dh_clean -k.
37 * Update standards version to 3.8.4 (no changes required).
39 -- Russ Allbery <rra@debian.org> Sat, 15 May 2010 15:25:12 -0700
41 shibboleth-sp2 (2.3.1+dfsg-1) unstable; urgency=low
43 * New upstream release.
44 - Don't sign messages for SOAP requests twice.
45 - Correctly generate metadata in the artifact resolution handler.
46 - Artifact resolution should return empty success on errors.
47 - Fixed crash in backchannel global logout.
48 - Fix duplicate indexes in metadata generation when multiple base URLs
50 - Correctly decrypt assertions in attribute responses.
51 * Apply upstream fix for shibd removing the PID file when called with
52 the -F option. This prevents the check of certificate permissions in
53 the init script from removing the PID file of a running shibd.
54 * Add ${shlibs:Depends} to the libshibsp-dev package dependencies.
55 * Add ${misc:Depends} to all package dependencies.
57 -- Russ Allbery <rra@debian.org> Sun, 03 Jan 2010 13:54:55 -0800
59 shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
62 * Urgency set to high for security fix.
63 * New upstream release.
64 - SECURITY: Partial fix for improper handling of URLs that could be
65 abused for script injection and other cross-site scripting attacks.
66 The complete fix also requires newer xmltooling and opensaml2
67 packages. (Closes: #555608, CVE-2009-3300)
68 - Avoid shibd crash on dead memcache server.
69 - Pass the affiliation name to the session initiator.
70 - Correctly handle a bogus ACS.
71 - Allow overriding the URL that's passed to the DS.
72 - Add schema types for new attribute decoders introduced in 2.2.
73 - Handle success with partial logout in the logout UI code.
74 - Fix POST data preservation with empty parameters and empty forms.
75 - Fix SAML 1 specification of attributes in the query plugin.
76 - Shorten ePTId-type persistent identifiers.
77 - Use an ID rather than a whole doc reference for generated metadata.
78 - Fix spelling of scopeDelimiter in the configuration parser, making
79 the code and documentation match the schema.
80 * Rename library package for upstream SONAME bump.
81 * Tighten build and package dependencies on xmltooling and opensaml2 to
82 require the versions with the security fix.
83 * Fix watch file for the new version mangling.
84 * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
85 * Remove unnecessary patches to upstream files regenerated during the
86 build from the source package diff.
89 * Run make install with NOKEYGEN=1 and stop rm-ing generated
90 certificates. Fixes FTBFS.
93 * Run shibd as non-root.
95 -- Russ Allbery <rra@debian.org> Wed, 11 Nov 2009 14:39:44 -0800
97 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
99 * Change the libapache2-mod-shib2 section to httpd, matching override.
100 * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
101 recommended configuration update for the 2.2 version. Thanks, Scott
102 Cantor and Kristof BAJNOK.
104 -- Russ Allbery <rra@debian.org> Wed, 09 Sep 2009 12:15:08 -0700
106 shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high
108 * New upstream release.
109 - SECURITY: Fix improper handling of certificate names containing nul
111 - SECURITY: Correctly validate the use attribute of KeyDescriptors,
112 preventing use of a key for signing or for encryption if its use
113 field says it may not be used for that purpose.
114 - New shib-metagen script for generating Shibboleth SP metadata.
115 - Support preserving form data across user authentication.
116 - Support internal server redirection while maintaining protection.
117 - Fix incompatibility between lazy sessions and servlet containers.
118 - Fix some problems with dynamic metadata resolution.
119 - Fix incompatibility with mod_include.
120 - Fix single logout via SOAP.
121 - Fix shibd crash with invalid metadata.
122 - Fix crash in chaining attribute resolver.
123 - Avoid infinite loop on empty attribute mapped to REMOTE_USER.
124 - Fix handling of some Unicode data in relaystate data in URLs.
125 - Correctly return Success to LogoutRequest where appropriate.
126 - Avoid chunked encoding in back-channel calls.
127 - Correctly check Recipient values in assertions.
128 - Fix attributePrefix handling in some contexts.
129 - Fix generated metadata DiscoveryResponse.
130 - Fix handling of unsigned responses with encryption.
131 - Fix handling of InProcess property.
132 * Rename library package for upstream SONAME bump.
133 * Tighten build dependencies and schema package dependencies on
134 opensaml2 and xmltooling.
135 * Build against Xerces-C 3.0.
136 * Dynamically determine the Debian and upstream package versions for
137 get-orig-source from debian/changelog.
138 * Update libapache2-mod-shib2's README.Debian for changes to the
140 * Use the automatically-extracted package version as the version number
142 * Update standards version to 3.8.3.
143 - Create /var/run/shibboleth in the init script if it doesn't exist.
144 - Don't ship /var/run/shibboleth in the package.
145 - Remove /var/run/shibboleth in postrm if it exists.
147 -- Russ Allbery <rra@debian.org> Mon, 07 Sep 2009 16:14:29 -0700
149 shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low
151 * Redo the variable quoting in doxygen.m4 so that configure can be
152 rebuilt with Autoconf 2.63. (Closes: #518039)
154 -- Russ Allbery <rra@debian.org> Tue, 03 Mar 2009 15:03:10 -0800
156 shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low
159 * New upstream version.
160 - New memory cache storage backend.
161 - Schema validation is now optional.
163 * Bump SONAME of libshibsp following upstream's versioning.
164 * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file
165 and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1).
166 * Fix the name of the tarball created by get-orig-source.
168 * Tighten the dependency versioning; the 2.1 SP library requires the
169 2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas
171 * Remove duplicate Section field for libapache2-mod-shib2.
174 * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation.
175 * Remove the Shibboleth minor version number from README.Debian.
176 * Comment out the reference to WS-Trust.xsd from the catalog.xml file in
177 shibboleth-sp2-schemas and document how to enable it again.
179 -- Russ Allbery <rra@debian.org> Fri, 27 Feb 2009 20:54:51 -0800
181 shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low
184 * Rename debian/shib.load to debian/shib2.load to avoid clashing with the
185 libapache2-mod-shib package. Otherwise its Apache config file breaks our
187 * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter
188 Schober for noticing)
191 * Add a postinst to disable the old configuration on upgrade and enable
192 the module if it had been enabled under the old configuration name.
193 * Wait for shibd to exit on stop or restart. This fixes a bug in
194 restart that could lead to no new shibd being started because the old
195 one had not yet exited.
196 * Fix a syntax error in the shibd man page.
198 -- Russ Allbery <rra@debian.org> Tue, 14 Oct 2008 21:47:36 -0700
200 shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low
203 * Avoid brace expansion in debian/rules, dash does not like it.
207 * Add logcheck rules to ignore some of the routine messages from the
208 Apache module. This only covers startup and teardown; more will
210 * Fix watch file for new upstream tarball naming.
212 -- Russ Allbery <rra@debian.org> Tue, 19 Aug 2008 19:04:35 -0700
214 shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low
216 * Apply upstream fix for variable sizes in the ODBC code. Fixes a
217 FTBFS on 64-bit platforms. (Closes: #492101)
219 -- Russ Allbery <rra@debian.org> Thu, 24 Jul 2008 08:44:50 -0700
221 shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low
224 * Initial release (Closes: #480290)
226 -- Russ Allbery <rra@debian.org> Wed, 25 Jun 2008 20:06:10 -0700