Change logs for xmltooling source package in Lenny
xmltooling (1.0-2+lenny1) stable-security; urgency=high

  * SECURITY: Certificate subject names were incorrectly matched against
    trusted "key names" when they contained nul characters. This affects
    only Shibboleth deployments relying on the "PKIX" style of trust
    validation, used in the absence of explicit certificate information
    in the SAML metadata provided to the SP and reliance on certificate
    authorities found in the <KeyAuthority> metadata extension element.
    See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>
  * SECURITY: Correctly handle decoding of malformed URLs, closing a
    possibly exploitable buffer overflow.
    See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
  * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
    metadata to honor restrictions to signing or encryption. This is a
    partial fix; the complete fix also requires a new version of the
    OpenSAML library.
    See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>

 -- Russ Allbery <email address hidden>  Tue, 22 Sep 2009 19:23:54 -0700

xmltooling (1.0-2) unstable; urgency=low

  [ Ferenc Wagner ]
  * Add dependencies to libxmltooling-dev for the packages whose header
    files are included by XMLTooling headers.
  * Include NOTICE.txt in all packages.

  [ Russ Allbery ]
  * Explicitly link with -lpthread to work around Bug#468555 in libtool.
  * Change package priorities to extra. Xerces-C is extra, so all of the
    Shibboleth stack needs to be extra, and realistically it's somewhat
    of an edge package in Debian.
  * Add in copyright and license information for all of the other random
    files in the tree, including all the Autoconf support files.
  * Fix copyright file formatting to use the right syntax for Files.

 -- Russ Allbery <email address hidden>  Wed, 18 Jun 2008 20:18:21 -0700