Package: opensaml2 / 2.6.0-4+deb9u1

Metadata

Package Version Patches format
opensaml2 2.6.0-4+deb9u1 3.0 (quilt)

Patch series

Patch File delta Description
Disable forcing of libtool silent.patch

configure.ac | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 disable forcing of libtool --silent

* Disable the forcing of --silent mode in Libtool since Debian build log
  analysis wants verbose logs.

Use pkg config for log4shib log4cpp.patch

configure.ac | 53 4 + 49 - 0 !
saml/Makefile.am | 4 4 + 0 - 0 !
samlsign/Makefile.am | 4 4 + 0 - 0 !
3 files changed, 12 insertions(+), 49 deletions(-)

 use pkg-config for log4shib/log4cpp


Use pkg config for xmltooling.patch

configure.ac | 27 2 + 25 - 0 !
saml/Makefile.am | 2 2 + 0 - 0 !
samlsign/Makefile.am | 2 2 + 0 - 0 !
samltest/Makefile.am | 5 4 + 1 - 0 !
4 files changed, 10 insertions(+), 26 deletions(-)

 use pkg-config for xmltooling


Use readdir for portability no PATH_MAX.patch

saml/saml2/metadata/impl/FolderMetadataProvider.cpp | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 use readdir for portability (no path_max)


Propagate requirements into our pkg config file.patch

Makefile.am | 6 0 + 6 - 0 !
configure.ac | 10 4 + 6 - 0 !
m4/ax_create_pkgconfig_info.m4 | 349 0 + 349 - 0 !
m4/ax_pkg_check_modules.m4 | 69 69 + 0 - 0 !
opensaml.pc.in | 13 13 + 0 - 0 !
5 files changed, 86 insertions(+), 361 deletions(-)

 propagate requirements into our pkg-config file


Localize Boost and pthread library flags.patch

configure.ac | 13 3 + 10 - 0 !
saml/Makefile.am | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+), 10 deletions(-)

 localize boost and pthread library flags


Use pkg config for zlib and openssl.patch

configure.ac | 61 2 + 59 - 0 !
saml/Makefile.am | 4 4 + 0 - 0 !
2 files changed, 6 insertions(+), 59 deletions(-)

 use pkg-config for zlib and openssl


We don t use OpenSSL directly.patch

configure.ac | 3 0 + 3 - 0 !
saml/Makefile.am | 2 0 + 2 - 0 !
2 files changed, 5 deletions(-)

 we don't use openssl directly


Use pkg config for Xerces.patch

configure.ac | 32 7 + 25 - 0 !
m4/ax_restore_flags.m4 | 52 52 + 0 - 0 !
m4/ax_save_flags.m4 | 71 71 + 0 - 0 !
saml/Makefile.am | 2 2 + 0 - 0 !
samlsign/Makefile.am | 2 2 + 0 - 0 !
samltest/Makefile.am | 2 2 + 0 - 0 !
6 files changed, 136 insertions(+), 25 deletions(-)

 use pkg-config for xerces


Use pkg config for xmlsec.patch

configure.ac | 25 1 + 24 - 0 !
saml/Makefile.am | 2 2 + 0 - 0 !
samltest/Makefile.am | 2 2 + 0 - 0 !
3 files changed, 5 insertions(+), 24 deletions(-)

 use pkg-config for xmlsec


Make pkgconfigdir configurable.patch

Makefile.am | 1 0 + 1 - 0 !
configure.ac | 1 1 + 0 - 0 !
2 files changed, 1 insertion(+), 1 deletion(-)

 make pkgconfigdir configurable

This requires pkg.m4 from pkg-config-0.27 or newer.

Make pkgxmldir configurable and export it via pkg co.patch

configure.ac | 6 6 + 0 - 0 !
opensaml.pc.in | 2 2 + 0 - 0 !
schemas/Makefile.am | 2 0 + 2 - 0 !
3 files changed, 8 insertions(+), 2 deletions(-)

 make pkgxmldir configurable and export it via pkg-config


Remove .pl extension of cxxtestgen.patch

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 remove .pl extension of cxxtestgen


Check BUILD_UNITTEST in the main Makefile.am.patch

Makefile.am | 6 5 + 1 - 0 !
samltest/Makefile.am | 6 0 + 6 - 0 !
2 files changed, 5 insertions(+), 7 deletions(-)

 check build_unittest in the main makefile.am


The .cpp dependencies are well known no need to decl.patch

samltest/Makefile.am | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 the .cpp dependencies are well known, no need to declare them


Automake automatically includes the user variable CX.patch

samltest/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 automake automatically includes the "user" variable cxxflags here


Don t install the test program but use it for make c.patch

samltest/Makefile.am | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 don't install the test program, but use it for make check


Refactor test source generation.patch

samltest/Makefile.am | 16 6 + 10 - 0 !
1 file changed, 6 insertions(+), 10 deletions(-)

 refactor test source generation


Derive correct test data paths from srcdir.patch

samltest/Makefile.am | 2 2 + 0 - 0 !
samltest/data/saml2/metadata/HTTPMetadataProvider.xml | 4 2 + 2 - 0 !
samltest/data/saml2/metadata/XMLMetadataProvider.xml | 4 2 + 2 - 0 !
3 files changed, 6 insertions(+), 4 deletions(-)

 derive correct test data paths from srcdir

Beyond making the tests succeed, in theory this also helps with VPATH
builds (other problems still disallow that, though).

../samltest could be abbreviated to .; I left that convention alone.

Enable skipping tests which require network access.patch

samltest/internal.h | 6 6 + 0 - 0 !
samltest/saml2/metadata/XMLMetadataProviderTest.h | 4 4 + 0 - 0 !
2 files changed, 10 insertions(+)

 enable skipping tests which require network access

These either require a fresh download of the InCommon metadata
or online access to it.  However, buildds don't provide network
access and an arbitrary snapshot would eventually expire.

Enable the dot feature of Doxygen.patch

configure.ac | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 enable the dot feature of doxygen


from upstream/Security fix from V2.6.1 CPPOST 105.patch

saml/saml2/metadata/impl/DynamicMetadataProvider.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 security fix from v2.6.1 (cppost-105)

(cherry picked from commit 6182b0acf2df670e75423c2ed7afe6950ef11c9d)

Dynamic MetadataProvider fails to install security filters
============================================================
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of downloading
aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical
security checks such as signature verification, enforcement of validity
periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure itself
with the filters provided to it and thus omits whatever checks they are
intended to perform, which will typically leave deployments vulnerable
to active attacks involving the substitution of metadata if the network
path to the query service is compromised.

Note Regarding OpenSAML Library
=================================
An identical issue exists in the DynamicMetadataProvider class in
the OpenSAML-C library in all versions prior to V2.6.1. Applications
making direct use of this library must be independently updated to
correct this vulnerability.

Credits
=========
Rod Widdowson, Steading System Software LLP

URL for the full Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20171115.txt