Change logs for xmltooling source package in Lenny

  • xmltooling (1.0-2+lenny1) stable-security; urgency=high

      * SECURITY: Certificate subject names were incorrectly matched against
        trusted "key names" when they contained nul characters.  This affects
        only Shibboleth deployments relying on the "PKIX" style of trust
        validation, used in the absence of explicit certificate information in
        the SAML metadata provided to the SP and reliance on certificate
        authorities found in the <KeyAuthority> metadata extension element.
        See <http://shibboleth.internet2.edu/secadv/secadv_20090817.txt>
      * SECURITY: Correctly handle decoding of malformed URLs, closing a
        possibly exploitable buffer overflow.
        See <http://shibboleth.internet2.edu/secadv/secadv_20090826.txt>
      * SECURITY: Correctly honor the "use" attribute of <KeyDescriptor> SAML
        metadata to honor restrictions to signing or encryption.  This is a
        partial fix; the complete fix also requires a new version of the
        OpenSAML library.
        See <http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt>
    
     -- Russ Allbery <email address hidden>  Tue, 22 Sep 2009 19:23:54 -0700
  • xmltooling (1.0-2) unstable; urgency=low

      [ Ferenc Wagner ]
      * Add dependencies to libxmltooling-dev for the packages whose header
        files are included by XMLTooling headers.
      * Include NOTICE.txt in all packages.
    
      [ Russ Allbery ]
      * Explicitly link with -lpthread to work around Bug#468555 in libtool.
      * Change package priorities to extra.  Xerces-C is extra, so all of the
        Shibboleth stack needs to be extra, and realistically it's somewhat of
        an edge package in Debian.
      * Add in copyright and license information for all of the other random
        files in the tree, including all the Autoconf support files.
      * Fix copyright file formatting to use the right syntax for Files.
    
     -- Russ Allbery <email address hidden>  Wed, 18 Jun 2008 20:18:21 -0700