opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high

  * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to
    detect parameter smuggling.
    Security fix cherry-picked from v3.3.1 (upstream commit
    22a610b322e2178abd03e97cdbc8fb50b45efaee).
    Parameter manipulation allows the forging of signed SAML messages
    =================================================================
    A number of vulnerabilities in the OpenSAML library used by the
    Shibboleth Service Provider allowed for creative manipulation of
    parameters combined with reuse of the contents of older requests
    to fool the library's signature verification of non-XML based
    signed messages.
    Most uses of that feature involve very low or low impact use cases
    without critical security implications; however, there are two
    scenarios that are much more critical, one affecting the SP and
    one affecting some implementers who have implemented their own
    code on top of our OpenSAML library and done so improperly.
    The SP's support for the HTTP-POST-SimpleSign SAML binding for
    Single Sign-On responses is its critical vulnerability, and
    it is enabled by default (regardless of what one's published
    SAML metadata may advertise).
    The other critical case involves a mistake that does *not*
    impact the Shibboleth SP, allowing SSO to occur over the
    HTTP-Redirect binding contrary to the plain language of the
    SAML Browser SSO profile. The SP does not support this, but
    other implementers may have done so.
    Contrary to the initial publication of this advisory, there is no
    workaround within the SP configuration other than to remove the
    "SimpleSigning" security policy rule from the security-policy.xml
    file entirely.
    That will also prevent support of legitimate signed requests or
    responses via the HTTP-Redirect binding, which is generally used
    only for logout messages within the SP itself. Removing support
    for that binding in favor of HTTP-POST in any published metadata
    is an option of course.
    Full advisory:
    https://shibboleth.net/community/advisories/secadv_20250313.txt
    Thanks to Scott Cantor (Closes: #1100464)

 -- Ferenc Wágner <wferi@debian.org>  Fri, 14 Mar 2025 21:47:50 +0100

opensaml (3.2.1-3) unstable; urgency=medium

  * [02e846c] Update Standards-Version to 4.6.2 (no changes required)
  * [455d86e] Update debian/* copyright year
  * [4314c52] Add debian/upstream/metadata

 -- Ferenc Wágner <wferi@debian.org>  Wed, 18 Jan 2023 19:21:05 +0100

opensaml (3.2.1-2) unstable; urgency=medium

  [ Debian Janitor ]
  * [4e9e337] Remove constraints unnecessary since buster
    * Build-Depends: Drop versioned constraint on liblog4shib-dev and
      libxml-security-c-dev.
    Changes-By: deb-scrub-obsolete

  [ Ferenc Wágner ]
  * [ed49134] Update Standards-Version to 4.6.1 (no changes required)
  * [58344a4] Switch to Debhelper compatibility level 13
  * [634452b] Replace override_dh_{install,missing} with debian/not-installed
  * [086eed2] Suppress GCC deprecation warnings, they probably won't be heeded
  * [cb72407] Do not require cxxtest under the nocheck build profile.
    To enable crossbuilding.

 -- Ferenc Wágner <wferi@debian.org>  Fri, 22 Jul 2022 19:12:18 +0200

opensaml (3.2.1-1) unstable; urgency=medium

  * [b88df44] New upstream release: 3.2.1 (Closes: #997246)
  * [297fed7] Update Standards-Version to 4.6.0 (no changes required)

 -- Ferenc Wágner <wferi@debian.org>  Sat, 20 Nov 2021 19:08:29 +0100

opensaml (3.2.0-2) unstable; urgency=medium

  * [4b3ae7f] Revert "New patch: Require XMLTooling 3.2 via pkg-config as well"
    This reverts commit 99cf9d42db5f552a43791459ce118dfec9a6485f.
    According to upstream there's no real build requirement here.
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Wed, 06 Jan 2021 10:41:14 +0100

opensaml (3.2.0-1) experimental; urgency=medium

  * [5697847] Bump watch file format version to 4
  * [a9a01ce] Advertise that our autopkgtest needs internet access
  * [2629b5a] New upstream release: 3.2.0
  * [f253903] All of our patches are upstream now
  * [1a8db85] Revert "Work around our Debian patch in the autopkgtest"
    We no longer carry the incriminated patch.
  * [6f3dabb] Depend on XMLTooling 3.2
  * [4408423] Rename library package for upstream SONAME bump
  * [473be6f] Update Standards-Version to 4.5.1 (no changes required)
  * [99cf9d4] New patch: Require XMLTooling 3.2 via pkg-config as well

 -- Ferenc Wágner <wferi@debian.org>  Sun, 27 Dec 2020 16:54:45 +0100

opensaml (3.1.0-2) unstable; urgency=medium

  * [a43c7ce] We transitioned to versionless package names in buster
  * [6ce2f94] Add forgotten link library to autopkgtest
  * [428228d] Work around our Debian patch in the autopkgtest
  * [03750bb] New patch: Move testHTTPProvider to the front
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Wed, 24 Jun 2020 19:20:22 +0200

opensaml (3.1.0-1) experimental; urgency=medium

  * [9746b82] Don't single out the amd64 architecture in the Lintian override
  * [2f098f5] New upstream release: 3.1.0
  * [4257f38] Remove upstreamed patches (all of them)
  * [51829e5] Tests requiring network access are skipped by default now
  * [9a6d804] Rename library package for upstream SONAME bump
  * [ed81753] As an autopkgtest, build the unit tests against the installed
    package
  * [29e75c0] Enroll to basic Salsa CI
  * [ff1ebd5] Upgrade Standards-Version to 4.5.0 (no changes required)
  * [648c639] Switch to Debhelper compat level 12
  * [78f97bb] Enable rootless build
  * [cdfb5b0] New patch: Forgot to update xmltooling check.
    Thanks to Scott Cantor
  * [3d18a77] Require XMLTooling 3.1
  * [8883ee3] New patch: CPPOST-117 - Fix for failing test.
    Thanks to Scott Cantor
  * [983e213] Strip extra signatures from the upstream tarball signing key
  * [98f0715] Update packaging list email address

 -- Ferenc Wágner <wferi@debian.org>  Thu, 23 Apr 2020 17:54:51 +0200

opensaml (3.0.1-1) unstable; urgency=medium

  * [d1daef5] Revert "Temporarily ignore build test failures"
  * [792ec83] New upstream release: 3.0.1
  * [dd69be3] Delete released patch fixing the tests, refresh the rest
  * [5ec41bf] Update Standards-Version to 4.3.0 (no changes required)
  * [38ff832] Update library version number in Lintian override

 -- Ferenc Wágner <wferi@debian.org>  Sat, 16 Mar 2019 20:36:55 +0100

opensaml (3.0.0-2) unstable; urgency=medium

  * [eb1b88f] New patch: CPPOST-110 Rebenchmark tests with SHA256 disgest.
    Thanks to Rod Widdowson
  * [2704b86] New patch: testBadSig requires fresh InCommon metadata
  * [a8a62a4] Update Standards-Version to 4.2.1 (no changes required)
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Sun, 25 Nov 2018 11:26:24 +0100

opensaml (3.0.0-1) experimental; urgency=medium

  [ Russ Allbery ]
  * [9fdb478] Remove myself from Uploaders

  [ Etienne Dysli Metref ]
  * [eedef99] Migrate VCS URLs to salsa.debian.org/shib-team

  [ Ferenc Wágner ]
  * [13a968c] Use the 'replace' merge mode.
    The debian directory is not upstream territory, so this is safer.
    Unrelated change: the pristine-tar option is generic.
  * [42aa2bf] Update Standards-Version to 4.1.5 (no changes required)
  * [e825ff7] Revert "Provide a GCC 7 build with strict enough shlibs"
    The GCC7 switchover is long done, this constraint isn't needed anymore.
  * [9639147] Switch to Debhelper compat level 11
  * [934499b] Stop repeating the common part of the package descriptions
  * [bfbd108] Multiarch doesn't need Pre-Depends anymore
  * [7ebea10] New upstream release: 3.0.0
  * [d6dda65] Remove upstreamed patches, refresh the remaining one
  * [2b541f0] Rename library package according to the new soversion
  * [5cf0582] Shibboleth SP 3 requires XML-Security 2 and log4shib 2
  * [b9355a2] We do not ship the libtool archive files
  * [b4a16f4] Update debian/copyright
  * [26bae95] Update Standards-Version to 4.2.0 (no changes required)
  * [e2bd25f] Temporarily ignore build test failures
  * [fea0e7e] Rework compiler flag handling in configure.
    This enables debug info generation and optimization by default, and also
    makes the --enable-debug option uninteresting for Debian.
  * [d144f73] Clean up trailing whitespace in debian/changelog
  * [5cef4c3] Lintian does not emit embedded-javascript-library for Doxygen
    anymore
  * [f3941fe] Revert "Build-Depend explicitly on automake"
    We now require Debhelper compatibility level 11, which pulls in automake
    only, not automaken.
  * [fd52caa] Drop the 2 suffix from package names and reorganize documentation.
    With the release of OpenSAML 3 version 2 became unsupported, so it looks
    unlikely we'll ever need to package two major versions concurrently.
    Thus we're removing the version number suffix from the package names.
    The new libsaml-doc does not break and replace the old libsaml2-doc,
    because at the same time we move the HTML API documentation shipped in
    libsaml-doc under usr/share/doc/libsaml-dev as recommended by Policy:
    this location is independent of the current dev/doc packaging split.  In
    the same vein we use libsaml-api as the document ID for doc-base.
  * [6d1906c] Add Lintian overrides for descriptions of transitional packages
  * [1735df8] I don't plan to provide a symbols file

 -- Ferenc Wágner <wferi@debian.org>  Wed, 08 Aug 2018 15:52:32 +0200

opensaml2 (2.6.1-1) unstable; urgency=high

  * [0c08870] New upstream release (2.6.1)
    Security fix for CVE-2017-16853:
    Rod Widdowson of Steading System Software LLP discovered a coding error in
    the OpenSAML library, causing the DynamicMetadataProvider class to fail
    configuring itself with the filters provided and omitting whatever checks
    they are intended to perform.
  * [0795c42] Refresh our patches
  * [1f742ec] Update Standards-Version to 4.1.1 (no changes needed)
  * [5bed74f] Bump XMLTooling dependency version to 1.6.
    This isn't strictly required, but the stack is always updated in
    lockstep, so why not follow the upstream spec file in this respect.

 -- Ferenc Wágner <wferi@debian.org>  Mon, 20 Nov 2017 10:46:24 +0100

opensaml2 (2.6.0-5) unstable; urgency=medium

  [ Etienne Dysli Metref ]
  * [2268d5d] Add myself to uploaders

  [ Ferenc Wágner ]
  * [7051f39] Provide a GCC 7 build with strict enough shlibs.
    The Shibboleth SP fails to build with GCC 7 with OpenSAML built with
    GCC 6, because libsaml9 embeds references to XMLTooling symbols names
    without ABI tags.  Build with GCC 7 to refresh these embedded symbols.
  * [eb53724] Follow upstream URL change in watch file
  * [255e281] Switch to using HTTPS in the debian/copyright URLs
  * [897e680] Update Standards-Version to 4.1.0.
    The "extra" priority became deprecated, promote to "optional".

 -- Ferenc Wágner <wferi@debian.org>  Sat, 09 Sep 2017 20:43:13 +0200

opensaml2 (2.6.0-4) unstable; urgency=medium

  * [848c048] Export pkgxmldir (the correct name) via pkg-config.
    And call it pkgxmldir instead of xmldir in the configure script.
    (Closes: #836921)

 -- Ferenc Wágner <wferi@debian.org>  Wed, 07 Sep 2016 11:45:23 +0200

opensaml2 (2.6.0-3) unstable; urgency=medium

  * [1b95816] Don't ship the .map files from Doxygen
  * [67fdd97] Revert "Require experimental xmltooling for matching C++11
    strings"
    This reverts commit e726909dc35255f774e2632ee502bf92b2a00962.
    The recently uploaded xmltooling_1.6.0-2 was compiled with the same compiler
    (GCC-6, because the default has already changed in unstable) that's going to
    compile us.
  * [36839b7] Update copyright years
  * [d7b472e] Migrate to my Debian address
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Fri, 02 Sep 2016 22:21:03 +0200

opensaml2 (2.6.0-2) experimental; urgency=medium

  * [c4900c2] Build-Depend on zlib1g-dev (not pulled in by libssl-dev >= 1.1)
    (Closes: #835790)
  * [b9c7f00] Our header files include zlib headers, so depend on them
  * [b23e409] Enable parallelism during the test steps
  * [7299078] Build-Depend explicitly on automake
    dh-autoreconf depends on automake or automaken, and the latter is provided
    by automake1.11 as well, but that does not run our tests properly.
  * [bff9592] Switch gbp dch to verbose changelog entries
  * [c536b07] Revert "New patch Don-t-generate-the-tag-file-it-
    isn-t-reproducible.patch"
    This reverts commit ff1d78066a13708deee8d1cab20f50866d1341fb.
    The tag file is used during the build as a "stamp" file; not generating it
    results in repeated Doxygen runs.
  * [e542531] The Doxygen tag file is unreproducible, don't ship it.
    It uses absolute paths for some reason, capturing the build directory.
  * [5eeb896] New patch Enable-the-dot-feature-of-Doxygen.patch.
    Enable the dot feature of Doxygen
  * [144bd63] Don't ship the .md5 files from Doxygen.
    These are generated since we use dot with Doxygen.

 -- Ferenc Wágner <wferi@niif.hu>  Thu, 01 Sep 2016 00:23:02 +0200

opensaml2 (2.6.0-1) experimental; urgency=medium

  * [35ec294] New upstream release (2.6.0)
  * [3f3833b] Enable parallel builds
  * [6cf6cf1] Fix spelling in samlsign man page: resouce -> resource
  * [b95e975] Update Standards-Version to 3.9.8 (no changes needed)
  * [16a5f09] Simplify removal of documentation files
  * [e346976] Drop superfluous libssl-dev build dependency
  * [cc53146] New patch Use-pkg-config-for-log4shib-log4cpp.patch
  * [3ada081] New patch Use-pkg-config-for-xmltooling.patch
  * [5a9ad82] New patch Use-readdir-for-portability-no-PATH_MAX.patch
  * [038186c] Rename library package for upstream SONAME bump
  * [72d47c7] Move doxygen and graphviz into Build-Depends-Indep
  * [27fddf0] Switch to secure VCS URIs
  * [bfcfbd4] Add 6 patches migrating to pkg-config fully
  * [7d272bb] Remove remnants of the old pkg-config management
  * [22eb9d9] The build system now links with the needed libraries only
  * [f95990c] Pthread seems to work correctly with libtool now
  * [2fbe084] New patch Make-pkgconfigdir-configurable.patch
  * [e1050c0] New patch Make-pkgxmldir-configurable-and-export-it-via-pkg-
    co.patch
  * [4965d41] Run the internal tests during package build
  * [e726909] Require experimental xmltooling for matching C++11 strings
  * [ff1d780] New patch Don-t-generate-the-tag-file-it-isn-t-reproducible.patch

 -- Ferenc Wágner <wferi@niif.hu>  Fri, 26 Aug 2016 15:31:53 +0200

opensaml2 (2.5.5-1) unstable; urgency=medium

  [ Russ Allbery ]
  * [973b999] Disable forcing of libtool --silent

  [ Ferenc Wágner ]
  * [d6aeea7] Add debian/gbp.conf for DEP-14 layout
  * [470ce76] Convert our single upstream patch into a gbp patch queue
  * [ecdaabb] Run wrap-and-sort -ast on the package
  * [7b69f53] Correct my name in Uploaders
  * [3662b4c] Switch watch file to check for bzip-compressed archives
  * [b50fd9b] Check signature in watch file
  * [7cf3194] New upstream release (Closes: #794851)
  * [39cb932] Rename libsaml8 package to libsaml8v5 (Closes: #797623)
  * [f86c155] dh_auto_configure uses --disable-dependency-tracking by default
  * [17ccfe8] The default compressor is xz since jessie
  * [1a6d0e6] Enable all hardening features
  * [ea4722b] Update Standards-Version to 3.9.6 (no changes needed)
  * [fbcd266] Replacing the jquery.js embedded by Doxygen risks breaking the
    docs
  * [8752a86] No need to separate the doc-base files by extension
  * [3d02cde] Use a fresher m4/ax_create_pkgconfig_info.m4
  * [cfc875a] Ship the installed documentation, not the one from the build tree
  * [1ee8adf] Update debian/copyright

 -- Ferenc Wágner <wferi@niif.hu>  Fri, 15 Jan 2016 12:36:52 +0100

opensaml2 (2.5.3-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Call cpp with -P in boost config. Closes: #778047.

 -- Matthias Klose <doko@debian.org>  Mon, 13 Jul 2015 17:15:55 +0200

opensaml2 (2.5.3-2) unstable; urgency=low

  * Upload to unstable.

 -- Russ Allbery <rra@debian.org>  Sat, 13 Jul 2013 14:06:29 -0700

opensaml2 (2.5.3-1) experimental; urgency=low

  * New upstream release.
    - Fix samlsign with -dig option.

 -- Russ Allbery <rra@debian.org>  Tue, 18 Jun 2013 14:40:01 -0700

opensaml2 (2.5.2-1) experimental; urgency=low

  * New upstream release.
    - Fix some clone and constructor methods.
    - Fix incorrect clearing of the peer entity name, forcing TrustEngine
      name matching.
    - Metadata provider now checks validity before replacing old metadata.
    - Filter IdPs that don't declare themselves "ready".
    - Support loading folders of metadata.
    - Add metadata filter that can add EntityAttribute tags.
    - Add metadata:rpi schema.
  * Add build dependency on libboost-dev.
  * Use log4shib instead of log4cpp.
  * Force build dependency on xml-security-c 1.7 or later and xmltooling
    1.5 or later for consistent build results.
  * Add Multi-Arch: same to libsaml2-dev and Multi-Arch: foreign to
    opensaml2-utils, opensaml2-schemas, and libsaml2-doc.
  * Remove version from libxerces-c-dev dependency, satisified since
    oldstable (squeeze).
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages built from
    the canonical Git repository and NMUs get regular version-numbered
    patches.
  * Switch to xz compression for *.debian.tar and the *.deb packages.
  * Canonicalize the URLs in the Vcs-Git and Vcs-Browser control fields.
  * Remove obsolete README.source file that documented symbols file
    maintenance.
  * Update standards version to 3.9.4.
    - Update debian/copyright to specify copyright-format 1.0.

 -- Russ Allbery <rra@debian.org>  Wed, 29 May 2013 11:17:17 -0700

opensaml2 (2.4.3-4) unstable; urgency=low

  * Revert changes to add symbols file.  Due to churn in weak symbols for
    inlined functions, it doesn't appear maintainanable with existing
    tools, and for this library the shlibs behavior seems sufficient.
  * Force linking with -lpthread, working around a bug in libtool that
    drops the linkage because it uses -nostdlib.  See #468555.
  * Pass --as-needed to the linker to reduce unnecessary shared library
    dependencies.
  * Enable PIE for the opensaml2-tools binaries.
  * Strip all of the build flags added by Debian from the pkgconfig
    configuration file installed by the package.

 -- Russ Allbery <rra@debian.org>  Tue, 31 Jan 2012 17:20:53 -0800

opensaml2 (2.4.3-3) unstable; urgency=low

  * Update symbols file from the failed build logs of the remaining
    supported Debian architectures.
  * Build-Depend on pkg-kde-tools and use its symbolhelper plugin so that
    the package can use the output of pkgkde-symbolshelper.

 -- Russ Allbery <rra@debian.org>  Fri, 27 Jan 2012 22:29:13 -0800

opensaml2 (2.4.3-2) unstable; urgency=low

  * Update to debhelper compatibility level V9.
    - Enable hardening build flags.  (Closes: #656006)
    - Enable multiarch support.
  * Add symbols file constructed with pkgkde-symbolshelper.  Add a
    README.source file with a pointer to the documentation.
  * Use dh_autoreconf to regenerate the build system.  This was being done
    already, but not in a controlled way, due to timestamp issues, so just
    do it on every build.
  * Make removal of the Doxygen-installed jquery.js file conditional on
    its existence, since some versions of Doxygen don't install it.
  * Use the latest directory in debian/watch instead of the versioned
    directories.
  * Update the upstream homepage.
  * Update the upstream download location in debian/copyright.
  * Minor format updates to debian/copyright for the new DEP-5.

 -- Russ Allbery <rra@debian.org>  Fri, 27 Jan 2012 19:15:17 -0800

opensaml2 (2.4.3-1) unstable; urgency=high

  * Set urgency to high for security fix.
  * New upstream release.
    - SECURITY: Fix vulnerability to a "wrapping attack" that could allow
      a remote, unauthenticated attacker to craft messages that can be
      successfully verified but contain arbitrary content.  This may allow
      an attacker to subvert the security of software using OpenSAML and
      supply an unauthenticated login identity and data under the guise of
      a trusted issuer.  (CVE-2011-1411)
    - Fix unmarshalling of RespondWith element
    - Make library init routines idempotent
  * Update the Debian-provided samlsign.1 man page for new flags supported
    by the upstream utility.
  * Update debian/watch for the new upstream distribution location.
  * Update standards version to 3.9.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Mon, 25 Jul 2011 13:35:54 -0700

opensaml2 (2.4.1-1) unstable; urgency=low

  * New upstream release.
    - Don't download remote metadata if it hasn't changed
    - Verify that fetched metadata is valid, even after filters, before
      overwriting the previous metadata.  Improve metadata downloads.
    - Logging improvements for OpenSAML.MetadataProvider.XML
    - Add keywords/tags element to UIInfo extension and disco feed
    - Fix overuse of InclusivePrefixes list when signing
    - Do not use cacheDuration for validity
    - Fix memory leaks
    - Fix crash when encrypting unmarshalled object
    - Resolve sibling EncryptedKey element for decryption
    - Add xml prefix on newly-created xml:lang attributes
    - Duplication and line feed fixes for DiscoFeed.
    - Fix reload interval backoff after reload failures
    - Strip whitespace from SAMLRequest URL parameter values
  * Change package names for the upstream SONAME change.
  * Install the new upstream pkg-config file in libsaml2-dev.
  * Build-depend on xmltooling 1.4 or later.
  * Force build dependency on xml-security-c 1.6 or later for consistent
    build results.
  * Add build dependency on pkg-config, which upstream now uses to find
    the SSL libraries.
  * Add build dependency on graphviz for better API documentation.
  * Replace the version of jQuery installed by Doxygen in the
    documentation package with a symlink to the version supplied by the
    Debian package and add a dependency.
  * Update to debhelper compatibility level V8.
    - Use the autotools-dev debhelper module for config.{sub,guess}.
    - Use debhelper rule minimization.
  * Update debian/copyright to the current DEP-5 specification.
  * Change to Debian source format 3.0 (quilt).  Force a single Debian
    patch for simplicity since the packaging is maintained in Git using
    branches, and include a patch header explaining why.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery <rra@debian.org>  Sun, 03 Apr 2011 18:57:10 -0700

opensaml2 (2.3-2) unstable; urgency=low

  * Force source format 1.0 for now since it makes backporting easier.
  * Add ${misc:Depends} to all package dependencies.
  * Update debhelper compatibility level to V7.
    - Use dh_prep instead of dh_clean -k.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 13 May 2010 10:21:12 -0700

opensaml2 (2.3-1) unstable; urgency=high

  * Urgency set to high for security fix.
  * New upstream release.
    - SECURITY: Partial fix for improper handling of URLs that could be
      abused for script injection and other cross-site scripting attacks.
      The complete fix also requires newer xmltooling and shibboleth-sp2
      packages.  (CVE-2009-3300)
    - Fix crash on assertions with missing SubjectConfirmation.
    - Remove inline functions except for templates or RAII patterns.
    - Remove xml from the inclusive prefix list to avoid bugs in Apache
      Java xmlsec.
    - Honor digest algorithm in whole document signing with empty URI.
  * Rename library package for upstream SONAME bump.
  * Build-depend on libxmltooling-dev 1.3 or later and make libsaml2-dev
    depend on libxmltooling-dev 1.3 or later for the fixes for URL
    sanitization.
  * Build-depend on libxml-security-c-dev 1.5 or later to ensure
    that all builds are consistent.

 -- Russ Allbery <rra@debian.org>  Fri, 06 Nov 2009 15:09:04 -0800

opensaml2 (2.2.1-1) unstable; urgency=low

  * New upstream release.
    - Fix crash when generating unsigned ECP AuthnRequest.
    - Correct check of key usage against KeyDescriptor use.
  * Remove temporary build-depend on libicu-dev and tighten the build
    dependency on libxerces-c-dev to require the fixed version.

 -- Russ Allbery <rra@debian.org>  Mon, 07 Sep 2009 18:35:47 -0700

opensaml2 (2.2-1) unstable; urgency=low

  * New upstream release.
    - Use CRLs in the metadata signature during PKIX path validation.
    - Fix cacheDuration handling in metadata parsing.
    - Set HTTP no-cache headers when redirecting client to IdP via POST.
    - Allow verbs for GET-based bindings to be overridden.
  * Rename library package for upstream SONAME bump.
  * Build against Xerces-C 3.0.
  * Build-depend and depend on xmltooling 1.2 or later.
  * Temporarily add libicu-dev to Build-Depends to work around Bug#540964
    in libxerces-c-dev.
  * Update standards version to 3.8.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 18 Aug 2009 16:36:16 -0700

opensaml2 (2.1-1) unstable; urgency=low

  [ Russ Allbery ]
  * New upstream bug-fix release.
  * Bump SONAME of libsaml following upstream's versioning.  The names of
    libsaml2-dev and libsaml2-doc have not changed; the "2" in those names
    refers to the major version of the package, not to the SONAME of the
    library.
  * Build-depend on libxmtooling-dev >= 1.1 following the upstream spec
    file.
  * Flesh out debian/copyright with entries for build system files and
    convert to the latest draft of the copyright format proposal.
  * Remove duplicated Section header in the libsaml3 control stanza.

  [ Ferenc Wagner ]
  * Fix watch file for upstream directory structure.

 -- Russ Allbery <rra@debian.org>  Sun, 22 Feb 2009 13:16:05 -0800

opensaml2 (2.0-2) unstable; urgency=low

  * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-7
    (Metadata with EncryptionMethod elements fails to load)
  * Include fix for https://bugs.internet2.edu/jira/browse/CPPOST-11
    (SignatureMetadataFilter fails to validate signed EntityDescriptor)

 -- Ferenc Wagner <wferi@niif.hu>  Wed, 21 Jan 2009 16:30:46 +0100

opensaml2 (2.0-1) unstable; urgency=low

  [ Ferenc Wagner ]
  * Initial release (Closes: #480289)

 -- Russ Allbery <rra@debian.org>  Mon, 16 Jun 2008 21:28:28 -0700