Change log for xml-security-c package in Debian
1 → 41 of 41 results
xml-security-c (2.0.4-2) unstable; urgency=medium

  * [b474d78] Revert "Enable XPath/XSLT support via Xalan"
    Upstream strongly recommends building without Xalan support to reduce
    the attack surface of Shibboleth installations, because Xalan is dead
    upstream and pulling it in carries a considerable risk. The Shibboleth
    stack is the only known consumer of the xml-security-c library in
    Debian, so we follow upstream's recommendation.
  * [96a3e92] Update Standards-Version to 4.6.2 (no changes required)
  * [c251283] Since version 2.0.3 --disable-static is the upstream default
  * [4fbcaf5] Update debian/* copyright year

 -- Ferenc Wágner <email address hidden>  Sat, 07 Jan 2023 19:04:53 +0100
xml-security-c (2.0.4-1) unstable; urgency=medium

  * [0d065ab] New upstream version: 2.0.4

 -- Ferenc Wágner <email address hidden>  Sun, 07 Nov 2021 23:01:58 +0100
xml-security-c (2.0.3-1) unstable; urgency=medium

  * [d8541ef] New upstream version: 2.0.3
  * [04b7137] Remove Debian patches (everything went upstream)
  * [c6e8b1e] Upgrade Standards-Version to 4.6.0 (no changes required)

 -- Ferenc Wágner <email address hidden>  Thu, 28 Oct 2021 22:21:25 +0200
xml-security-c (2.0.2-4) unstable; urgency=medium

  [ Ferenc Wágner ]
  * [8650c80] New patch: Update for Xalan 1.12.
    Thanks to Bill Blough (Closes: #977568)
  * [00a0870] Update Standards-Version to 4.5.1 (no changes required)
  * [5b6dd82] Enable rootless build
  * [cc4e8d1] Switch to Debhelper compat level 13
  * [4d59fb3] Bump watch file format version to 4
  * [bedf01a] Minimize the upstream public key
  * [6cded27] I don't plan to provide a symbols file
  * [278dbd4] Enroll to basic Salsa CI

  [ Debian Janitor ]
  * [a6fa24a] Use secure URI in Homepage field.
    Fixes: lintian: homepage-field-uses-insecure-uri

 -- Ferenc Wágner <email address hidden>  Sun, 27 Dec 2020 12:38:29 +0100
Published in stretch-release
xml-security-c (1.7.3-4+deb9u3) stretch; urgency=medium

  * [02c3993] New patch: Fix a length bug in concat method.
    Thanks to Scott Cantor (Closes: #922984)

 -- Ferenc Wágner <email address hidden>  Sat, 04 Jul 2020 12:47:24 +0200
Superseded in stretch-release
xml-security-c (1.7.3-4+deb9u2) stretch; urgency=medium

  * [12dd825] New patches: DSA verification crashes OpenSSL on invalid
    combinations of key content.
    Particular KeyInfo combinations result in incomplete DSA key structures
    that OpenSSL can't handle without crashing. In the case of Shibboleth SP
    software this manifests as a crash in the shibd daemon. Exploitation is
    believed to be possible only in deployments employing the PKIX trust
    engine, which is generally recommended against.
    The upstream patches backported from 2.0.2 apply analogous safeguards to
    the RSA and ECDSA key handling as well.
    Upstream bug: https://issues.apache.org/jira/browse/SANTUARIO-496
    CVE: not assigned
    Thanks to Scott Cantor (Closes: #913136)

 -- Ferenc Wágner <email address hidden>  Mon, 10 Dec 2018 11:45:41 +0100
xml-security-c (2.0.2-3) unstable; urgency=medium

  * [494511e] We now use Xalan
  * [c03764e] New patch: DSA: pad r and s to 20 bytes

 -- Ferenc Wágner <email address hidden>  Mon, 26 Nov 2018 12:39:01 +0100
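The "pad r and s to 20 bytes" patch above concerns the gap between the two DSA signature encodings a verifier meets: OpenSSL works with DER (SEQUENCE of two INTEGERs, each in its minimal encoding), while the XML Signature SignatureValue for DSAwithSHA1 is the raw concatenation r || s with each component a fixed 20-byte big-endian value. A converter that copies the minimal DER integer bodies emits a short SignatureValue whenever r or s happens to start with zero bits, and the other side then rejects or misparses it. The block below is an added example written for this page, not code from xml-security-c or OpenSSL; it assumes the 160-bit q of DSAwithSHA1 (`component_len = 20`) and uses constructed r and s values rather than a real key.

```python
"""Added example (not xml-security-c code): DER <-> fixed-width r||s for DSA.
Assumes DSAwithSHA1, i.e. a 160-bit q, so each component is 20 bytes."""


def _der_int(value: int) -> bytes:
    """Minimal DER INTEGER encoding of a non-negative integer."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                 # top bit set: prepend a sign byte to keep it positive
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_encode_dsa(r: int, s: int) -> bytes:
    """DER SEQUENCE { INTEGER r, INTEGER s }, the shape OpenSSL's i2d_DSA_SIG produces."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body   # short-form length suffices for 160-bit values


def _read_der_int(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse one short-form DER INTEGER at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length = buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("bad INTEGER length")
    start, end = pos + 2, pos + 2 + length
    return int.from_bytes(buf[start:end], "big", signed=True), end


def der_decode_dsa(der: bytes) -> tuple[int, int]:
    """Strictly parse a short-form DER DSA signature into (r, s)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or der[1] + 2 != len(der):
        raise ValueError("expected a short-form SEQUENCE")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der) or r <= 0 or s <= 0:
        raise ValueError("malformed DSA signature")
    return r, s


def der_to_raw_naive(der: bytes) -> bytes:
    """The buggy conversion: minimal big-endian bytes of r and s, concatenated.
    Output length varies with the leading zero bits of r and s."""
    r, s = der_decode_dsa(der)
    return (r.to_bytes((r.bit_length() + 7) // 8, "big")
            + s.to_bytes((s.bit_length() + 7) // 8, "big"))


def der_to_raw_dsa(der: bytes, component_len: int = 20) -> bytes:
    """The fixed conversion: each component left-padded with zeros to component_len."""
    r, s = der_decode_dsa(der)
    if max(r, s).bit_length() > component_len * 8:
        raise ValueError("component longer than the expected q size")
    return r.to_bytes(component_len, "big") + s.to_bytes(component_len, "big")


def raw_to_der_dsa(raw: bytes, component_len: int = 20) -> bytes:
    """Reverse direction: turn a ds:SignatureValue back into DER for a DER-based verifier."""
    if len(raw) != 2 * component_len:
        raise ValueError(f"expected {2 * component_len} bytes, got {len(raw)}")
    r = int.from_bytes(raw[:component_len], "big")
    s = int.from_bytes(raw[component_len:], "big")
    return der_encode_dsa(r, s)


if __name__ == "__main__":
    # Constructed values: r is tiny (many leading zero bytes), s has its top bit set.
    r, s = 0x1234, (1 << 159) + 5
    der = der_encode_dsa(r, s)
    print(len(der_to_raw_naive(der)), "bytes from the naive conversion")  # 22
    print(len(der_to_raw_dsa(der)), "bytes after padding")                # 40
    assert raw_to_der_dsa(der_to_raw_dsa(der)) == der
```

The strict decoder matters as much as the padding: a verifier that accepts a short or over-long SignatureValue silently shifts the boundary between r and s, so the check on total length in `raw_to_der_dsa` is what keeps the two encodings in lockstep.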
xml-security-c (2.0.2-2) unstable; urgency=medium

  * [1063100] Enable XPath/XSLT support via Xalan
  * [ce58199] Add build system patches for better FLAGS handling
  * Upload to unstable

 -- Ferenc Wágner <email address hidden>  Sat, 24 Nov 2018 01:32:20 +0100
xml-security-c (1.7.3-4+deb9u1) stretch-security; urgency=high

  * [93b87c6] New patch: Default KeyInfo resolver doesn't check for empty
    element content.
    The Apache Santuario XML Security for C++ library contained a number of
    code paths at risk of dereferencing null pointers when processing various
    kinds of malformed KeyInfo hints typically found in signed or encrypted
    XML. The usual effect is a crash, and in the case of the Shibboleth SP
    software, a crash in the shibd daemon.
    Upstream bug: https://issues.apache.org/jira/projects/SANTUARIO/issues/SANTUARIO-491
    CVE: not assigned yet
    Thanks to Scott Cantor (Closes: #905332)

 -- Ferenc Wágner <email address hidden>  Fri, 03 Aug 2018 11:32:52 +0200
Deleted in experimental-release (Reason: None provided.)
xml-security-c (2.0.2-1) experimental; urgency=medium

  * [46a70ae] New upstream version: 2.0.2
  * [a8697a7] Update Standards-Version to 4.2.1 (no changes needed)

 -- Ferenc Wágner <email address hidden>  Mon, 05 Nov 2018 21:37:18 +0100
Superseded in experimental-release
xml-security-c (2.0.1-1) experimental; urgency=medium

  * [a5a2016] Follow repository branch renaming in gbp config
  * [fb2e12d] New upstream version: 2.0.1 (Closes: #905332)
  * [20cb886] Upgrade Standards-Version to 4.2.0 (no changes needed)

 -- Ferenc Wágner <email address hidden>  Fri, 03 Aug 2018 14:10:55 +0200
Superseded in experimental-release
xml-security-c (2.0.0-1) experimental; urgency=medium

  [ Russ Allbery ]
  * [de75387] Remove myself from Uploaders

  [ Etienne Dysli Metref ]
  * [a926c02] Migrate VCS URLs to salsa.debian.org/shib-team

  [ Ferenc Wágner ]
  * [8e6452c] Cleanup trailing whitespace in debian/changelog
  * [00c41f9] Update Standards-Version to 4.1.5 (no changes required)
  * [94e0326] Set priority to optional, extra is deprecated
  * [c90d894] Switch to Debhelper compat level 11
  * [5a9fe8c] Stop repeating the common part of the package descriptions
  * [3a5827e] Multiarch doesn't need Pre-Depends anymore
  * [5565edc] Use HTTPS for copyright format
  * [cf2bb8d] Add autopkgtest invoking xsec-xtest
  * [6b1c9a5] Use the 'replace' merge mode and verbose changelog.
    The debian directory is not upstream territory, so this is safer.
    Unrelated change: the pristine-tar option is generic.
  * [263b9d1] New upstream version: 2.0.0 (Closes: #874600)
  * [e1e9fa8] Delete upstreamed or misguided patches.
    Modern glibc systems aren't affected by the _REENTRANT define, which is
    the only effect of using Pthreads in our setting, but other systems
    require more care. All the rest was accepted (and fixed) upstream.
  * [76a7c56] Rename library package according to the new soversion
  * [5df89ad] Enable building with OpenSSL 1.1 (Closes: #859829)
  * [d797dab] Add another autopkgtest building and running a sample program
  * [03ae1df] We do not ship the libtool archive file
  * [acdea58] Use secure URL in the watch file
  * [847af35] Partially update copyright years

 -- Ferenc Wágner <email address hidden>  Mon, 30 Jul 2018 20:54:07 +0200
Deleted in buster-release (Reason: None provided.)
Superseded in stretch-release
Superseded in sid-release
xml-security-c (1.7.3-4) unstable; urgency=medium

  [ Etienne Dysli Metref ]
  * [73c1622] Add myself to uploaders

  [ Ferenc Wágner ]
  * [dd93312] Stay with OpenSSL 1.0 (Closes: #828607)
  * [d775f9f] Migrate to my Debian address

 -- Ferenc Wágner <email address hidden>  Tue, 08 Nov 2016 21:52:45 +0100
xml-security-c (1.7.3-3) unstable; urgency=medium

  * [dee8abd] New patch Only-add-found-packages-to-the-pkg-config-dependenci.patch

 -- Ferenc Wágner <email address hidden>  Thu, 21 Jul 2016 19:24:49 +0200
xml-security-c (1.7.3-2) unstable; urgency=medium

  * [9af4b2f] New patches fixing GCC-6 FTBFS, warnings and typos (Closes: #811620)
  * [eb1af76] Update Standards-Version to 3.9.8 (no changes needed)
  * [e742472] Switch to secure VCS URIs
  * [894b638] New patch Use-pkg-config-for-Xerces-OpenSSL-and-NSS-and-provid.patch
  * [64c49b7] New patch We-do-not-use-pthreads-threadtest.cpp-is-Windows-onl.patch
  * [a5a8a19] The build system now links with the needed libraries only

 -- Ferenc Wágner <email address hidden>  Thu, 21 Jul 2016 13:41:14 +0200
xml-security-c (1.7.3-1) unstable; urgency=medium

  * [df661d6] Check signature in watch file
  * [b78a045] Add debian/gbp.conf enabling pristine-tar
  * [ca9476a] Imported Upstream version 1.7.3
  * [f8b635d] Delete upstreamed patch "Avoid use of PATH_MAX where possible"
  * [9d2337f] Switch watch file to check for bzip-compressed archives
  * [f95b4ef] The default compressor is xz since jessie
  * [ed19f44] Renaming of the binaries happens via a patch since 4771f62 and 017dc35
  * [34dd591] Enable all hardening features
  * [893eda7] Remove superfluous dh_clean override
  * [2207b52] Fail package build if any installed file is left out in the future
  * [62c8d2f] Add myself to Uploaders
  * [4afa12e] Update Standards-Version to 3.9.6 (no changes needed)
  * [d338569] Since 2b8a713 we've got proper patch files
  * [cd68dec] Enable commit ids in gbp dch
  * [71cc459] Add version number to the manual pages
  * [e544a7b] Run wrap-and-sort -ast on the package
  * [cf73c2b] Get rid of patch numbers
  * [0832cf9] New patch Avoid-forward-incompatibility-warnings-from-Automake.patch
  * [3099c82] Comment the --as-needed tricks
  * [e26686c] Update debian/copyright
  * [3fad239] Add NOTICE.txt to all binary packages
  * [4eaef76] Incorporate the 1.7.2-3.1 NMU. Thanks to Julien Cristau.

 -- Ferenc Wágner <email address hidden>  Sun, 29 Nov 2015 19:59:37 +0100
xml-security-c (1.7.2-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename library packages for g++5 ABI transition (closes: 791323).

 -- Julien Cristau <email address hidden>  Sun, 16 Aug 2015 17:56:43 +0200
xml-security-c (1.7.2-3) unstable; urgency=medium

  * Avoid use of PATH_MAX where possible by using getcwd to allocate the
    appropriate size string. Fixes FTBFS on GNU/Hurd. Patch from Svante
    Signell. (Closes: #735162)
  * Convert all Debian patches to separate patch files managed via gbp pq.
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery <email address hidden>  Mon, 07 Apr 2014 17:10:56 -0700
Published in squeeze-release
xml-security-c (1.5.1-3+squeeze3) oldstable-security; urgency=high

  * The attempted fix to address CVE-2013-2154 introduced the possibility of
    a heap overflow, possibly leading to arbitrary code execution, in the
    processing of malformed XPointer expressions in the XML Signature
    Reference processing code. Apply upstream patch to fix that heap
    overflow. (Closes: #714241, CVE-2013-2210)

 -- Russ Allbery <email address hidden>  Thu, 27 Jun 2013 15:15:18 -0700
Published in wheezy-release
xml-security-c (1.6.1-5+deb7u2) stable-security; urgency=high

  * The attempted fix to address CVE-2013-2154 introduced the possibility of
    a heap overflow, possibly leading to arbitrary code execution, in the
    processing of malformed XPointer expressions in the XML Signature
    Reference processing code. Apply upstream patch to fix that heap
    overflow. (Closes: #714241, CVE-2013-2210)

 -- Russ Allbery <email address hidden>  Thu, 27 Jun 2013 13:54:03 -0700
xml-security-c (1.7.2-2) unstable; urgency=low

  * Upload to unstable.

 -- Russ Allbery <email address hidden>  Wed, 10 Jul 2013 23:02:08 -0700
xml-security-c (1.6.1-7) unstable; urgency=high

  * The attempted fix to address CVE-2013-2154 introduced the possibility of
    a heap overflow, possibly leading to arbitrary code execution, in the
    processing of malformed XPointer expressions in the XML Signature
    Reference processing code. Apply upstream patch to fix that heap
    overflow. (Closes: #714241, CVE-2013-2210)

 -- Russ Allbery <email address hidden>  Thu, 27 Jun 2013 13:44:56 -0700
Deleted in experimental-release (Reason: None provided.)
xml-security-c (1.7.2-1) experimental; urgency=high

  * New upstream release.
    - The attempted fix to address CVE-2013-2154 introduced the possibility
      of a heap overflow, possibly leading to arbitrary code execution, in
      the processing of malformed XPointer expressions in the XML Signature
      Reference processing code. Fix that heap overflow.
      (Closes: #714241, CVE-2013-2210)

 -- Russ Allbery <email address hidden>  Thu, 27 Jun 2013 13:00:54 -0700
xml-security-c (1.6.1-6) unstable; urgency=high

  * Apply upstream patch to fix a spoofing vulnerability that allows an
    attacker to reuse existing signatures with arbitrary content.
    (CVE-2013-2153)
  * Apply upstream patch to fix a stack overflow in the processing of
    malformed XPointer expressions in the XML Signature Reference processing
    code. (CVE-2013-2154)
  * Apply upstream patch to fix processing of the output length of an
    HMAC-based XML Signature that could cause a denial of service when
    processing specially chosen input. (CVE-2013-2155)
  * Apply upstream patch to fix a heap overflow in the processing of the
    PrefixList attribute optionally used in conjunction with Exclusive
    Canonicalization, potentially allowing arbitrary code execution.
    (CVE-2013-2156)

 -- Russ Allbery <email address hidden>  Mon, 17 Jun 2013 22:25:32 -0700
Superseded in experimental-release
xml-security-c (1.7.1-1) experimental; urgency=high

  * New upstream release.
    - Fix a spoofing vulnerability that allows an attacker to reuse existing
      signatures with arbitrary content. (CVE-2013-2153)
    - Fix a stack overflow in the processing of malformed XPointer
      expressions in the XML Signature Reference processing code.
      (CVE-2013-2154)
    - Fix processing of the output length of an HMAC-based XML Signature
      that could cause a denial of service when processing specially chosen
      input. (CVE-2013-2155)
    - Fix a heap overflow in the processing of the PrefixList attribute
      optionally used in conjunction with Exclusive Canonicalization,
      potentially allowing arbitrary code execution. (CVE-2013-2156)
    - Reduce entity expansion limits when parsing.
    - New --id option to the xenc-checksig utility.
  * Rename the binaries in the xml-security-c-utils package to start with
    xsec-* instead of xmlsec-*. This reflects the common abbreviation used
    by the package.

 -- Russ Allbery <email address hidden>  Mon, 17 Jun 2013 21:27:58 -0700
Deleted in experimental-release (Reason: None provided.)
xml-security-c (1.7.0-1) experimental; urgency=low

  * New upstream release.
    - AES-GCM support.
    - XML Encryption 1.1 OAEP enhancements.
  * Increase versioned dependency on libssl-dev to ensure that we have
    AES-GCM support. (This only matters for backports to squeeze.)
  * Mark libxml-security-c-dev as Multi-Arch: same.
  * Add new xml-security-c-utils package that contains the utility programs
    included with the library. Rename the binaries to add "xmlsec-" to the
    beginning of the names, since some of the programs are otherwise rather
    generic. Add man pages for each of the programs. (Closes: #682830)
  * Switch from autotools-dev to dh-autoreconf and regenerate the entire
    build system during the build, not just the config.guess and config.sub
    scripts, and add --as-needed.
  * Add -fPIE to hardening flags since we're now installing binaries.
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages built from
    the canonical Git repository and NMUs get regular version-numbered
    patches.
  * Switch to xz compression for *.debian.tar and the *.deb packages.
  * Use canonical URLs for Vcs-Browser and Vcs-Git.
  * Update standards version to 3.9.4.
    - Update debian/copyright to specify copyright-format 1.0.

 -- Russ Allbery <email address hidden>  Thu, 23 May 2013 00:05:09 -0700
xml-security-c (1.6.1-5) unstable; urgency=low

  * Revert changes to add symbols file. Due to churn in weak symbols for
    inlined functions, it doesn't appear maintainable with existing tools,
    and for this library the shlibs behavior seems sufficient.
  * Minor update to the format of the debian/copyright file.

 -- Russ Allbery <email address hidden>  Tue, 31 Jan 2012 11:25:27 -0800
xml-security-c (1.6.1-4) unstable; urgency=low

  * Update symbols files for all non-i386 architectures currently built by
    the buildds except mipsel (which will hopefully be the same as mips).
  * Build-Depend on pkg-kde-tools and use its symbolhelper plugin so that
    the package can use the output of pkgkde-symbolshelper.

 -- Russ Allbery <email address hidden>  Fri, 27 Jan 2012 20:29:57 -0800
xml-security-c (1.6.1-3) unstable; urgency=low

  * Also enable bindnow hardening build flags and use the correct syntax to
    add additional hardening flags.
  * Add symbols file constructed with pkgkde-symbolshelper. Add a
    README.source file with a pointer to the documentation.

 -- Russ Allbery <email address hidden>  Fri, 27 Jan 2012 12:36:07 -0800
xml-security-c (1.6.1-2) unstable; urgency=low

  * Update to debhelper compatibility level V9.
    - Enable hardening build flags. (Closes: #656658)
    - Enable multiarch support.

 -- Russ Allbery <email address hidden>  Wed, 25 Jan 2012 17:58:22 -0800
Published in lenny-release
xml-security-c (1.4.0-3+lenny3) oldstable-security; urgency=high

  * Apply upstream patch to fix buffer overflow when signing or verifying
    files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)

 -- Russ Allbery <email address hidden>  Thu, 07 Jul 2011 11:43:25 -0700
xml-security-c (1.5.1-3+squeeze1) stable-security; urgency=high

  * Apply upstream patch to fix buffer overflow when signing or verifying
    files with big asymmetric keys. (Closes: #632973, CVE-2011-2516)

 -- Russ Allbery <email address hidden>  Thu, 07 Jul 2011 10:45:08 -0700
xml-security-c (1.6.1-1) unstable; urgency=high

  * Urgency high for security fix.
  * New upstream release.
    - DSIGObject::load method crashes for ds:Object without Id attribute
    - Buffer overflow when signing or verifying files with big asymmetric
      keys (Closes: #632973, CVE-2011-2516)
    - Memory bug inside XENCCipherImpl::deSerialise
    - Function cleanURIEscapes always throws XSECException, when any escape
      sequence occurs
    - Function isHexDigit doesn't recognize invalid escape sequences
    - Percent-encoded multibyte (UTF-8) sequences unrecognized
    - RSA-OAEP handler only allows SHA-1 digests
  * Update debian/watch for the new organization of Apache downloads.

 -- Russ Allbery <email address hidden>  Thu, 07 Jul 2011 09:10:33 -0700
xml-security-c (1.6.0-2) unstable; urgency=low

  * Force build dependency on libssl-dev 1.0 or later for consistent build
    results. If some Shibboleth-related libraries are built against earlier
    versions of libssl, it produces linking failures when building the
    Shibboleth SP package.
  * Remove Makefile.in on debian/rules clean since we regenerate these files
    by running Automake during the build.
  * Update standards version to 3.9.2 (no changes required).

 -- Russ Allbery <email address hidden>  Thu, 07 Apr 2011 14:17:37 -0700
xml-security-c (1.6.0-1) unstable; urgency=low

  * New upstream release.
    - Expose algorithm URI on Signature and Reference objects
    - White/blacklisting of otherwise registered algorithms
    - Allow selected XML Signature 1.1 KeyInfo extensions
    - Add elliptic curve keys and signatures via ECDSA
    - Support debugging of Reference/SignedInfo data
    - Add methods for Reference removal to DSIGSignature and DSIGSignedInfo
      classes
    - Lots of various bug fixes
  * Add build dependency on pkg-config, which upstream now uses to find the
    SSL libraries.
  * Remove --with-xerces from the configure flags, since "yes" is
    interpreted as a path to libraries and headers.
  * Remove unnecessary --with-openssl from configure flags.
  * Update to debhelper compatibility level V8.
    - Use the autotools-dev debhelper module for config.{sub,guess}.
    - Use debhelper rule minimization.
    - Move files to clean into a separate clean control file.
  * Use autoreconf instead of running the tools separately.
  * Update package home page for new upstream location.
  * Update package long description for the new official upstream name.
  * Update debian/copyright to the current DEP-5 specification.
  * Install the upstream NOTICE.txt file.
  * Change to Debian source format 3.0 (quilt). Force a single Debian patch
    for simplicity since the packaging is maintained in Git using branches,
    and include a patch header explaining why.
  * debian/watch fixes for upstream distribution and versioning.
    - Mangle a tilde into upstream rc version numbers.
    - Update the upstream distribution URL.
    - Avoid matching signature and checksum files.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery <email address hidden>  Sun, 06 Mar 2011 20:29:13 -0800
xml-security-c (1.5.1-3) unstable; urgency=low

  * Force source format 1.0 for now since it makes backporting easier.
  * Add ${misc:Depends} to all package dependencies.
  * Update debhelper compatibility level to V7.
    - Use dh_prep instead of dh_clean -k.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <email address hidden>  Wed, 12 May 2010 20:59:25 -0700
Superseded in lenny-release
xml-security-c (1.4.0-3+lenny2) stable-security; urgency=high

  * Bump version number to correct the upload queue. No source changes.

 -- Russ Allbery <email address hidden>  Mon, 27 Jul 2009 13:29:25 -0700
xml-security-c (1.5.1-2) unstable; urgency=low

  * Fix the dependencies of libxml-security-c-dev to depend on Xerces-C 3.x
    and stop depending on Xalan, reflecting the changes to the library
    build.

 -- Russ Allbery <email address hidden>  Thu, 06 Aug 2009 08:32:16 -0700
xml-security-c (1.5.1-1) unstable; urgency=low

  * New upstream release.
    - Rename library package for upstream SONAME bump.
  * Upstream now ships an older version of libtool, so run libtoolize and
    aclocal before the build. Add build dependencies on automake and
    libtool.
  * Build against Xerces-C 3.0.
  * Stop building against Xalan. The Xalan packages for Debian have been
    orphaned, the current Xalan release does not support Xerces-C 3.0, and
    porting it is not trivial.

 -- Russ Allbery <email address hidden>  Wed, 05 Aug 2009 14:11:52 -0700
xml-security-c (1.4.0-4) unstable; urgency=high

  * CVE-2009-0217: Apply upstream patch to sanity-check the HMAC truncation
    length. Closes a vulnerability that could allow an attacker to spoof
    HMAC-based signatures and bypass authentication.
  * Remove duplicate section for libxml-security-c14.
  * Update standards version to 3.8.2 (no changes required).

 -- Russ Allbery <email address hidden>  Fri, 24 Jul 2009 15:02:55 -0700
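The HMAC truncation sanity check in the 1.4.0-4 entry above is worth seeing in working form, because the bug is a trust problem rather than a memory bug: in XML Signature the signed document itself may carry ds:HMACOutputLength, asking the verifier to compare only the leftmost N bits of the MAC. A verifier that honours any N the document states can be driven down to N = 0 (nothing is compared, so any content with an empty SignatureValue passes) or N = 1 (a coin flip). The block below is an added example for this page, not code from xml-security-c or the upstream patch; the acceptance rule it enforces (at least 80 bits, at least half the digest length, no more than the digest length) is my reading of the post-CVE guidance and should be treated as an assumption, and the key and messages are constructed test data.

```python
"""Added example (not xml-security-c code): trusting HMACOutputLength vs. bounding it.
The 80-bit / half-digest rule below is an assumption stated in the lead-in."""
import hashlib
import hmac

DIGEST_BITS = {"sha1": 160, "sha256": 256}   # assumed table for the digests used here


def truncated_hmac(key: bytes, data: bytes, output_bits: int, digest: str = "sha1") -> bytes:
    """Leftmost output_bits of HMAC(key, data); a partial final byte is masked."""
    mac = hmac.new(key, data, getattr(hashlib, digest)).digest()
    nbytes = (output_bits + 7) // 8
    out = bytearray(mac[:nbytes])
    spare = nbytes * 8 - output_bits
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def verify_unchecked(key: bytes, data: bytes, signature_value: bytes,
                     output_bits: int, digest: str = "sha1") -> bool:
    """Pre-fix behaviour: trusts whatever HMACOutputLength the document states."""
    expected = truncated_hmac(key, data, output_bits, digest)
    return hmac.compare_digest(expected, signature_value)


def output_length_ok(output_bits: int, digest: str = "sha1") -> bool:
    """Sanity check: reject lengths that make a truncated MAC cheap to guess."""
    full = DIGEST_BITS[digest]
    return 80 <= output_bits and output_bits >= full // 2 and output_bits <= full


def verify_checked(key: bytes, data: bytes, signature_value: bytes,
                   output_bits: int, digest: str = "sha1") -> bool:
    """Post-fix behaviour: an out-of-range HMACOutputLength fails verification outright."""
    if not output_length_ok(output_bits, digest):
        return False
    return verify_unchecked(key, data, signature_value, output_bits, digest)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    genuine = b"<Assertion>alice</Assertion>"
    forged = b"<Assertion>admin</Assertion>"
    # Attacker rewrites the content, sets HMACOutputLength to 0 and an empty SignatureValue.
    print("unchecked, N=0:", verify_unchecked(key, forged, b"", 0))   # True
    print("checked,   N=0:", verify_checked(key, forged, b"", 0))     # False
    # A legitimate 80-bit truncation still verifies once the check is in place.
    sig = truncated_hmac(key, genuine, 80)
    print("checked,  N=80:", verify_checked(key, genuine, sig, 80))   # True
```

Returning False rather than raising keeps the failure indistinguishable from a bad MAC at the call site, which is what a verifier should do; the length check must run before any comparison, since the comparison with N = 0 is exactly the step that succeeds for the attacker.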
xml-security-c (1.4.0-3) unstable; urgency=low

  * Drop the suggests of libxml-security-c-doc since upstream no longer
    includes the documentation.

 -- Russ Allbery <email address hidden>  Tue, 26 Aug 2008 16:38:08 -0700