File: changelog

package info (click to toggle)
shibboleth-sp 3.4.1%2Bdfsg-2.1
  • links: PTS, VCS
  • area: main
  • in suites: sid, trixie
  • size: 7,128 kB
  • sloc: cpp: 42,703; sh: 5,332; makefile: 969; xml: 539; ansic: 90
file content (1037 lines) | stat: -rw-r--r-- 49,404 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
shibboleth-sp (3.4.1+dfsg-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.  Closes: #1062895

 -- Benjamin Drung <bdrung@debian.org>  Thu, 29 Feb 2024 15:49:16 +0000

shibboleth-sp (3.4.1+dfsg-2) unstable; urgency=medium

  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Mon, 30 Jan 2023 08:04:53 +0100

shibboleth-sp (3.4.1+dfsg-1) experimental; urgency=medium

  [ Ferenc Wágner ]
  * [119a057] New patch: configure.ac: AC_MSG_ERROR can't be used as value-if-
    not-found
  * [59f87e2] Disable building Apache modules for shibsptest.
    They aren't needed and weren't built beforehand either because the
    Apache development tools aren't installed in the autopkgtest
    environment, but our latest patch fixed the configure script to fail
    in such cases as intended, so we have to be explicit from now on.
  * [8b58b70] Drop the obsolete lsb-base dependency
    sysvinit-utils_3.05-1 took over /lib/lsb/init-functions from lsb-base,
    which became an empty transitional package.  Sysvinit-utils is
    essential now, so we needn't depend on it explicitly, but if that ever
    changes (see #851747) the sysvinit-core package will still depend on
    it, providing the function library to our init script if it has a real
    chance to execute.  (The compatibility layer of systemd won't try to
    use the init script, because we provide a native systemd unit.)
    This change is unsuitable for bullseye backports.
  * [deee373] Update Standards-Version to 4.6.2 (no changes required)
  * [d8c04ea] Adapt Lintian overrides to new message format
  * [f992224] Update copyright of the packaging
  * [4fffee9] The repack number has always been 1, drop it
  * [22c7144] New upstream release: 3.4.1
  * [dc6bbc9] Refresh our patches
  * [c87bb46] Rename library package for upstream SONAME bump (libshibsp11)
  * [5a74ac0] Switch to Debhelper compat level 13.
    Change the name of our file in tmpfiles.d from shibd to
    shibboleth-sp-utils, because dh_installtmpfiles is not as flexible as
    dh_installsystemd was on level 12.
  * [25d661b] libapache2-mod-shib.NEWS was almost five years old, nothing new
  * [f862571] Add Forwarded: not-needed to some Debian-specific patches.
    To those which Lintian misidentifies as DEP3 and thus warns about.
    We use gbp pq, which does not produce DEP3 formatted patch files.
  * [e2173d1] Update upstream copyrights.
    Where the license permits via a special exception, change it to that
    of the main package (Apache-2.0) and collect the additional copyrights
    in the generic paragraph.
  * [37ff7c0] Add debian/upstream/metadata

  [ Debian Janitor ]
  * [0e325fc] Remove constraints unnecessary since buster
    * Build-Depends: Drop versioned constraint on liblog4shib-dev and
      libxml-security-c-dev.
    * Remove 3 maintscript entries from 1 files.
    Changes-By: deb-scrub-obsolete

 -- Ferenc Wágner <wferi@debian.org>  Sat, 21 Jan 2023 20:33:50 +0100

shibboleth-sp (3.3.0+dfsg1-1) unstable; urgency=medium

  * [0ce609d] New upstream release: 3.3.0
  * [57067e0] Drop upstreamed patches, refresh the rest

 -- Ferenc Wágner <wferi@debian.org>  Wed, 01 Dec 2021 21:44:29 +0100

shibboleth-sp (3.2.3+dfsg1-1) unstable; urgency=medium

  [ Ferenc Wágner ]
  * [147bb17] Remove stale comment from debian/copyright
    shibsp/paths.h has not been distributed since version 3.0.3.
  * [9488c47] Set field Upstream-Name in debian/copyright
  * [bbdedb6] New upstream release: 3.2.3
  * [15ea78b] Refresh our patches
  * [68f4827] Accommodate more context in the Lintian webapp warning
  * [9b29d1e] Update Standards-Version to 4.6.0 (no changes required)

  [ Debian Janitor ]
  * [b452f06] Use secure URI in Homepage field

 -- Ferenc Wágner <wferi@debian.org>  Sat, 02 Oct 2021 15:15:41 +0200

shibboleth-sp (3.2.2+dfsg1-1) unstable; urgency=high

  * [e44283d] New upstream release: 3.2.2
    High urgency because it fixes CVE-2021-31826:
    Session recovery feature contains a null pointer dereference
    The cookie-based session recovery feature added in V3.0 contains a
    flaw that is exploitable on systems *not* using the feature if a
    specially crafted cookie is supplied.
    This manifests as a crash in the shibd daemon.
    Because it is very simple to trigger this condition remotely, it
    results in a potential denial of service condition exploitable by
    a remote, unauthenticated attacker.
    Thanks to Scott Cantor (Closes: #987608)
  * [3a6ac33] Refresh our patches

 -- Ferenc Wágner <wferi@debian.org>  Tue, 27 Apr 2021 12:11:06 +0200

shibboleth-sp (3.2.1+dfsg1-1) unstable; urgency=high

  * [4ecfe4a] New upstream release: 3.2.1
    High urgency because it contains the fix for the phishing vulnerability
    https://shibboleth.net/community/advisories/secadv_20210317.txt.
  * [80b3470] Refresh our patches

 -- Ferenc Wágner <wferi@debian.org>  Wed, 17 Mar 2021 14:29:08 +0100

shibboleth-sp (3.2.0+dfsg1-2) unstable; urgency=medium

  * [84158eb] Revert "New patch: Require XMLTooling and OpenSAML 3.2 via pkg
    config as well"
    This reverts commit 431b176b3127bb0b0ebfb9621a798facec24cce3.
    According to upstream there's no real build requirement here.
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Wed, 06 Jan 2021 14:18:54 +0100

shibboleth-sp (3.2.0+dfsg1-1) experimental; urgency=medium

  * [6af8bd7] Bump watch file format version to 4
  * [ce7b33d] New upstream release: 3.2.0
  * [4a6d968] Delete upstream patch, refresh the rest
  * [431b176] New patch: Require XMLTooling and OpenSAML 3.2 via pkg config as
    well
  * [20a1f52] Depend on XMLTooling and OpenSAML 3.2
  * [3d4409a] Rename library package for upstream SONAME bump
  * [54cf316] Update Standards-Version to 4.5.1 (no changes required)

 -- Ferenc Wágner <wferi@debian.org>  Sun, 27 Dec 2020 22:13:32 +0100

shibboleth-sp (3.1.0+dfsg1-2) unstable; urgency=medium

  * [682128d] The transition to versionless package names is complete
  * [57c5b12] Enable unit tests
  * [e541bfc] New patch: Prefer the plain cxxtestgen program
  * [b1a7fbc] New patch: Turn shibsptest into an Automake test suite
  * [5ea553f] Autopkgtest for libshibsp
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Thu, 25 Jun 2020 22:28:20 +0200

shibboleth-sp (3.1.0+dfsg1-1) experimental; urgency=medium

  * [d507efb] Don't single out the amd64 architecture in the Lintian overrides
  * [1b21b7c] Fix POSIX incompatibility in maintainer script.
    Thanks to Ralf Treinen (Closes: #925006)
  * [badab37] New upstream release: 3.1.0
  * [5028ea6] Refresh our patches
  * [f96bc1f] New patch: Forgot to update xmltooling/opensaml check.
    Thanks to Scott Cantor
  * [4c2796c] Require XMLTooling and OpenSAML 3.1
  * [0d9d822] Rename library package for upstream SONAME bump
  * [2592aaf] Enroll to basic Salsa CI
  * [7955518] Upgrade Standards-Version to 4.5.0 (no changes required)
  * [5a0e440] Declare Debhelper compat level 12 the modern way
  * [27a7727] Enable rootless build
  * [dafcf4e] Strip extra signatures from the upstream tarball signing key
  * [d28a397] Update packaging list email address
  * [08a4f6d] NO_START functionality belongs to the init system

 -- Ferenc Wágner <wferi@debian.org>  Wed, 29 Apr 2020 16:37:32 +0200

shibboleth-sp (3.0.4+dfsg1-1) unstable; urgency=medium

  * [f284741] New upstream release: 3.0.4
  * [095e478] Refresh our patches
  * [129417f] Update Standards-Version to 4.3.0 (no changes required)

 -- Ferenc Wágner <wferi@debian.org>  Sat, 16 Mar 2019 20:51:16 +0100

shibboleth-sp (3.0.3+dfsg1-1) unstable; urgency=medium

  * [5ff63ef] New upstream release: 3.0.3
  * [11f51c2] Remove upstreamed patches, refresh the rest
  * [5944626] shibsp/paths.h is not distributed anymore

 -- Ferenc Wágner <wferi@debian.org>  Fri, 21 Dec 2018 02:15:22 +0100

shibboleth-sp (3.0.2+dfsg1-2) unstable; urgency=medium

  * [67b3246] Revert "Work around #909303 (empty usr/lib/debug directories left
    behind)"
    The bug was fixed in debhelper 11.4.1, so the previous workaround now
    breaks the build.
  * Upload to unstable (Closes: #909558)

 -- Ferenc Wágner <wferi@debian.org>  Sun, 25 Nov 2018 18:27:46 +0100

shibboleth-sp (3.0.2+dfsg1-1) experimental; urgency=medium

  [ Russ Allbery ]
  * [d2fc4d9] Remove myself from Uploaders

  [ Etienne Dysli Metref ]
  * [f861012] Migrate VCS URLs to salsa.debian.org/shib-team

  [ Ferenc Wágner ]
  * [163a0e2] Use the 'replace' merge mode.
    The debian directory is not upstream territory, so this is safer.
    Unrelated change: the pristine-tar option is generic.
  * [c8c44b8] Exclude new non-free schema files from the orig tarball
  * [1bf2666] Exclude shibsp/paths.h from the orig tarball until it's fixed
    upstream
  * [5498f6b] Rename the source package before import (drop the 2)
  * [0bd7a79] New upstream release: 3.0.2
  * [81ee41d] Remove upstreamed patches, refresh the rest
  * [0e0df7e] Switch to Debhelper compat level 11
  * [ddc9b74] Stop repeating the common part of the package descriptions
  * [1826990] Multiarch doesn't need Pre-Depends anymore
  * [4d3b36b] ws-addr.xsd is under the W3C software license
  * [3859fc6] We left out several schema files for license reasons
  * [6ce0df5] Clean up trailing whitespace in debian/changelog
  * [b62b750] Update years and ax_pthread in debian/copyright
  * [a1bcdb4] Rework compiler flag handling in configure.
    This enables debug info generation and optimization by default, and also
    makes the --enable-debug option uninteresting for Debian.
  * [8fc734e] Lintian 2.5.80 dropped the Apache module dependency complaint
  * [33f7adf] Drop the version number (2) from package names.
    Shibboleth SP 3 requires XML-Security 2, log4shib 2, XMLTooling 3 and
    OpenSAML 3.  On the other hand some existing version constraints are
    satisfied even in oldstable now; drop these.
  * [ebfa6f6] Rename library package according to the new soversion
  * [2e58b34] Native log switched to syslog, /var/log/shibboleth-www is no more
  * [f025f96] Add Lintian overrides for descriptions of transitional packages
  * [b4ac707] I don't plan to provide symbols files
  * [a4fc454] Lintian warnings for web applications don't apply here
  * [297c231] Correct the README: we fully open access to /Shibboleth.sso by
    default
  * [c61dfa7] Move documentation into /usr/share/doc/libshibsp-dev/html.
    As recommended by Policy: this location is independent of the current
    dev/doc packaging split.  In the same vein use libshibsp-api as the
    Document ID for doc-base.
    At the same time, remove references to version 2.
  * [29247b3] Back out of dh-exec, because it does not work with --fail-missing
  * [b40b1c2] Revert "Fix fallout from dh-exec migration"
    We don't use dh-exec anymore, time to be terse.
  * [7e525ce] We do not ship the libtool archive files
  * [f1f2d26] New patch: seckeygen defaults for Debian
  * [a119ac2] Ship the new seckeygen utility with a shib- prefix
  * [d0cebbb] Provide a man page for shib-seckeygen
  * [d3c5b5e] Use ${misc:Recommends} provided by dh_apache2.
    It's empty for now, but we'd better connect it to avoid warnings and in
    case things change eventually.
  * [f383870] New patch: Do not distribute, but clean the generated
    shibsp/paths.h
  * [fab8247] We needn't clean shibsp/paths.h during packaging anymore.
    It was excluded from the orig tarball, which we have to repack anyway
    for DFSG reasons.  Once the corresponding build system patch is accepted
    upstream, this exclusion can go as well.
  * [c4187e9] Take over the renamed conffiles of the renamed packages.
    The symlinks pointing to the old files are removed on upgrade with
    the help of apache2-maintscript-helper.
    Removing the obsolete conffiles is optional, but easy and gets rid of
    clutter before the newly transitional packages are purged.
    The module name changed, so shib2.load is obsolete as well.
  * [f89b1c0] Use /run in our tmpfile to avoid deprecation warning.
    Otherwise systemd complains:
    [shibd.conf:1] Line references path below legacy directory /var/run/,
    updating /var/run/shibboleth → /run/shibboleth;
    please update the tmpfiles.d/ drop-in file accordingly.
  * [c40be54] New patch: Use --runstatedir from future Autoconf 2.70.
    This way the code does not rely on the /var/run compatibility symlink.
  * [f6ed7ba] Update Standards-Version to 4.2.1 (no changes required)
  * [0a57ca6] Start shibd after the upgrade.
    On compat 11, Debhelper attempts to start services before unmasking them
    (#887904).  This would leave shibd stopped after the 2->3 upgrade.
    Let's switch to the experimental level 12 and require a Debhelper
    version containing the fix.  Niels intends to release compat 12 as
    stable before buster is released.
  * [0376397] Work around #909303 (empty usr/lib/debug directories left behind)

 -- Ferenc Wágner <wferi@debian.org>  Fri, 21 Sep 2018 12:33:42 +0200

shibboleth-sp2 (2.6.1+dfsg1-2) unstable; urgency=medium

  [ Etienne Dysli Metref ]
  * [2769cd5] Install upstream's default Apache 2.4 configuration.
    Install upstream's default Apache 2.4 configuration in addition to the
    module-loading directive. Notably, this configuration enables
    unrestricted access to the handler at `/Shibboleth.sso`. (Closes: #881724)
  * [7c68ed5] Install in conf-available instead of mods-available
  * [3ac4321] Mention the new shib2.conf in NEWS
  * [360c69a] Mention the new shib2.conf in README.Debian

  [ Ferenc Wágner ]
  * [f81dc2c] Update the download URL in README.Debian
  * [18edc54] Update Standards-Version to 4.1.3 (no changes required)

 -- Ferenc Wágner <wferi@debian.org>  Thu, 04 Jan 2018 17:30:38 +0100

shibboleth-sp2 (2.6.1+dfsg1-1) unstable; urgency=high

  * [a15d712] New upstream release (2.6.1)
    Security fix for CVE-2017-16852:
    Rod Widdowson of Steading System Software LLP discovered a coding error in
    the "Dynamic" metadata plugin of the Shibboleth Service Provider, causing
    the plugin to fail configuring itself with the filters provided and
    omitting whatever checks they are intended to perform.
  * [a86acfd] Remove an incorporated upstream patch, refresh the rest
  * [ceecf3a] Update Standards-Version to 4.1.1 (no changes needed)
  * [a09dc9f] The functionality of dh-systemd was merged into debhelper proper
  * [68b792b] Move repacking options into the watch file.
    We have to resort to unconditional repacking to be able to change
    the compression scheme.  However, mk-origtargz will warn if the
    file exclusion pattern does not match, so we can disable repacking
    whenever it gets unnecessary for DFSG reasons.
  * [1c10238] Drop now-unused Lintian override, #736360 is fixed in 2.5.57

 -- Ferenc Wágner <wferi@debian.org>  Mon, 20 Nov 2017 23:21:23 +0100

shibboleth-sp2 (2.6.0+dfsg1-5) unstable; urgency=medium

  * [50e20c1] Follow upstream URL change in debian/watch and debian/copyright
  * [a0b70b2] Update Standards-Version to 4.1.0.
    The "extra" priority became deprecated, promote to "optional".
    Switch to using HTTPS in the debian/copyright Format URL.

 -- Ferenc Wágner <wferi@debian.org>  Tue, 12 Sep 2017 15:01:51 +0200

shibboleth-sp2 (2.6.0+dfsg1-4) unstable; urgency=medium

  [ Ferenc Wágner ]
  * [f226ae4] Fix typo in shibboleth-sp2-utils description
  * [3d458a9] /lib/lsb/init-functions is in package lsb-base (>= 3.0-6)
  * [5cab41e] New patch Increase-the-timeouts-in-the-shibd-service-file.patch.
    Increase the timeouts in the shibd service file (Closes: #840056)

  [ Etienne Dysli Metref ]
  * [9c23ecb] Add myself to uploaders
  * [5b3a209] Update dependencies to OpenSAML 2.6 and XMLTooling 1.6.
    These versions are listed in the RPM spec file as dependencies.
    Also bumped required versions of shibboleth-sp2-utils and
    shibboleth-sp2-common to 2.6 to be in sync with the source package.
  * [518aa2b] Enable shibd.service during installation.
    Add a build-dependency on dh-systemd and 'dh --with systemd' to rules.
    This restores the behaviour of enabling shibd during installation that
    we had with the sysvinit file, but not with the systemd service unit.
    (Closes: #846608)

 -- Etienne Dysli Metref <etienne.dysli-metref@switch.ch>  Thu, 08 Dec 2016 10:06:50 +0100

shibboleth-sp2 (2.6.0+dfsg1-3) unstable; urgency=medium

  * [fa3baff] Revert "Require experimental xmltooling and libsaml for matching
    C++11 strings"
    This reverts commit 04424d9e0c1329017c3a1d67f439ed93425e5969.
    Our recently uploaded dependencies (xmltooling_1.6.0-2, opensaml2_2.6.0-3)
    were compiled with the same compiler (GCC-6, because the default has already
    changed in unstable) that's going to compile us.
  * [19a977e] Migrate to my Debian address
  * Upload to unstable

 -- Ferenc Wágner <wferi@debian.org>  Sat, 03 Sep 2016 08:27:45 +0200

shibboleth-sp2 (2.6.0+dfsg1-2) experimental; urgency=medium

  * [797b5cc] In arch-only builds there's no Doxygen tag file to remove
  * [952e7ee] Don't ship the .md5 and .map files from Doxygen.
    These are generated since we use dot with Doxygen.

 -- Ferenc Wágner <wferi@niif.hu>  Thu, 01 Sep 2016 10:43:17 +0200

shibboleth-sp2 (2.6.0+dfsg1-1) experimental; urgency=medium

  * [e70419a] New upstream release (2.6.0)
  * [052a745] Refresh our patches
  * [3f021f9] Document the new -n option of shib-keygen.
    It was introduced by upstream in d94c761.
  * [4a05921] Add several patches migrating to pkg-config
  * [f830920] Ship the pkg-config files
  * [d769d38] Rename library package for upstream SONAME bump
  * [54944c3] The build system now links with the needed libraries only.
    Separating the discovered dependency libraries into specific variables
    instead of putting everything into LIBS made the --as-needed linker
    options superfluous.
  * [14eef6f] upgrade.xsl was removed upstream.
    In commit 813ecb5: Remove long outdated style sheet for config migration.
  * [21b6b88] New patch The-plugins-use-GSSAPI-only-if-the-naming-
    extensions.patch.
    The plugins use GSSAPI only if the naming extensions are available
  * [c7e8862] Include some post-2.6 upstream fixes:
    5504c79: SSPCPP-704 Fix 'assignment as boolean'
    b173bb1: Fix misspelled error message.
  * [3c1d70e] Switch gbp dch to verbose changelog entries
  * [48c995c] Update copyright years
  * [04424d9] Require experimental xmltooling and libsaml for matching C++11
    strings.
    This change will be reverted during the transition into unstable, when
    xmltooling in unstable will have already been compiled with GCC 6 as well.
  * [9c44db0] Removal of unneeded files belongs to the dh_install step
  * [ab57aac] The Doxygen tag file is unreproducible, don't ship it.
    It uses absolute paths for some reason, capturing the build directory.
  * [997236c] New patch Enable-the-dot-feature-of-Doxygen.patch.
    Enable the dot feature of Doxygen

 -- Ferenc Wágner <wferi@debian.org>  Wed, 31 Aug 2016 16:05:52 +0200

shibboleth-sp2 (2.5.6+dfsg1-2) unstable; urgency=medium

  [ Faidon Liambotis ]
  * [db10c44] Remove myself (Faidon) from Uploaders

  [ Ferenc Wágner ]
  * [9e20440] Eliminate some path repetitions
  * [430bdd8] Simplify removal of documentation files
  * [f1a50f2] Empty directory structures don't trigger --fail-missing
  * [81f57c3] We ship the systemd service file only when it's usable
  * [4785164] Drop superfluous libssl-dev build dependency
  * [136119d] Update Standards-Version to 3.9.8 (no changes needed)
  * [9c11de5] Fix typo in README.Debian
  * [cfe5433] New patch Check-for-strerror_r-with-C-language-selected.patch
  * [91e4365] Fall back to --list-missing until #831786 is solved
    (Closes: #819416)
  * [676f4aa] /var/log/shibboleth-www is dh_installed in arch builds only

 -- Ferenc Wágner <wferi@niif.hu>  Thu, 11 Aug 2016 11:47:58 +0200

shibboleth-sp2 (2.5.6+dfsg1-1) unstable; urgency=medium

  * [60fd776] Replace obsolete libsystemd-daemon-dev B-D with libsystemd-dev
    (Closes: #813480)
  * [9dbea00] Move doxygen and graphviz into Build-Depends-Indep
  * [2dabf1d] Use systemd on Linux only
  * [f46e4ac] Rename files via dh-exec, now that we use it anyway
  * [36e1b4c] Let dh_fixperms make shib-keygen executable
  * [d90b945] New patch Add-Documentation-key-to-shibd-service-file.patch
  * [3e6b865] Install the Apache module by dh_install
  * [94c2670] Upstream version 2.5.6+dfsg1
  * [469e9f2] Remove two upstreamed patches, update the rest
  * [0047c9a] Update Standards-Version to 3.9.7 (no changes needed)
  * [cd08c31] Fix fallout from dh-exec migration

 -- Ferenc Wágner <wferi@niif.hu>  Fri, 11 Mar 2016 16:19:29 +0100

shibboleth-sp2 (2.5.5+dfsg1-1) unstable; urgency=medium

  * [62d4d8a] Add debian/gbp.conf for DEP-14 layout
  * [06926cf] Run wrap-and-sort -ast on the package
  * [9c6bd0a] Correct my name in Uploaders
  * [c67b7e5] Switch watch file to check for bzip-compressed archives
  * [c5c45a4] Check signature in watch file
  * [de0f61d] Upstream version 2.5.5
  * [c5b1307] Refresh patches
  * [a6ccea4] Reset native.logger (Apache module logs) to upstream behavior
  * [f1946c9] Rename libshibsp6 package to libshibsp6v5 (Closes: #797770)
  * [d271e5e] dh_auto_configure uses --disable-dependency-tracking by default
  * [20863ed] The default compressor is xz since jessie
  * [e17229c] Enable all hardening features
  * [0d96798] Update Standards-Version to 3.9.6 (no changes needed)
  * [4a20cce] Remove relics of the package split before jessie
  * [1ccc9e2] Include the js files in the doc-base Files declaration
  * [0c68702] Really enable debug mode in noopt builds
  * [502e709] Ship the installed documentation, not the one from the build tree
  * [e227a3b] Remove superfluous configure arguments
  * [9d9dc63] Upstream added systemd support, enable it
  * [f636fbe] The DOCS variable is unused since we stopped symlinking Doxygen's
    jQuery
  * [3d6bc29] Cut down repetition in manpage installation
  * [a2c6325] Support repacking by uscan
  * [cc7b5dd] Simplify the get-orig-source target
  * [179ec31] Enable parallel builds
  * [e2e71ac] Remove Amazon Linux init script
  * [cec9a85] We've got an apache2-api-YYYYMMNN dependency next to apache2-bin
  * [f3e2015] Switch to secure VCS URIs as Lintian suggests
  * [0a3d5c7] Try harder to override the jQuery Lintian warning
  * [9cda82e] New patches fixing typos
  * [f3021a8] Update debian/copyright
  * [fe391f3] /var/log/shibboleth is filled by shibd, part of shibboleth-
    sp2-utils
  * [059b366] Add cache and log dir to shibboleth-sp2-utils with suitable
    statoverrides
  * [1cb6750] Update TestShib instructions
  * [358c705] More detailed manual for shib-keygen -b

 -- Ferenc Wágner <wferi@niif.hu>  Tue, 26 Jan 2016 21:09:23 +0100

shibboleth-sp2 (2.5.3+dfsg-2.1) unstable; urgency=medium

  * Non maintainer upload.
  * Call cpp with -P for boost config. Closes: #778117.

 -- Matthias Klose <doko@debian.org>  Mon, 13 Jul 2015 15:56:14 +0200

shibboleth-sp2 (2.5.3+dfsg-2) unstable; urgency=high

  * Incorporate security fix from V2.5.4 for CVE-2015-2684: authenticated
    denial of service vulnerability that results in a crash on certain
    kinds of malformed SAML messages.

 -- Ferenc Wagner <wferi@niif.hu>  Tue, 24 Mar 2015 08:55:06 +0100

shibboleth-sp2 (2.5.3+dfsg-1) unstable; urgency=medium

  * New upstream release.
    - Fix server-side includes and directory indexes with Basic
      authentication when the Shibboleth module is loaded.
    - Fix preserved POST data size limit enforcement.
    - Fix POST data replay if a submit key is present.
    - Fix support for idpHistoryProps in Sessions.
  * Split libshibsp-plugins, shibboleth-sp2-common, and
    shibboleth-sp2-utils packages off of libapache2-mod-shib2, and merge
    shibboleth-sp2-schemas with shibboleth-sp2-common.
    shibboleth-sp2-schemas becomes a transitional package.
    shibboleth-sp2-common contains the configuration, which is also
    required by the shared library.  shibboleth-sp2-utils contains the
    shibd daemon plus the other utility commands that were in
    libapache2-mod-shib2.  libshibsp-plugins contains the library plugins
    (which eventually should be installed in a per-SONAME path and then be
    merged back with the library package).  (Closes: #740603)
  * Move /usr/include/shibsp/paths.h to the architecture-specific include
    directory, since it varies by architecture.  Thanks, Andreas
    Beckmann.  (Closes: #720036)
  * Disable the forcing of --silent mode in Libtool since Debian build log
    analysis wants verbose logs.
  * Stop symlinking the minimized jQuery installed by Doxygen and remove
    the dependency on libjs-jquery.  The Doxygen maintainers recommend
    against this approach since this file is apparently not just a
    straight copy of jQuery.
  * Remove the now-unnecessary dh_builddeb override to use xz compression.
  * Remove unnecessary dh_installinit parameters.  update-rc.d now uses
    LSB headers exclusively and no longer pays attention to any runlevel
    information on the command line.
  * Convert all Debian patches to separate patch files managed via gbp pq.
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Mon, 31 Mar 2014 20:33:42 -0700

shibboleth-sp2 (2.5.2+dfsg-2) unstable; urgency=low

  * Upload to unstable.

 -- Russ Allbery <rra@debian.org>  Sun, 14 Jul 2013 11:27:40 -0700

shibboleth-sp2 (2.5.2+dfsg-1) experimental; urgency=low

  * New upstream release.
    - New shib-session and shib-user Require authentication types added,
      which should be used in preference to Require valid-user or Require
      user with Shibboleth authentication is desired.
    - New ShibCompatValidUser Apache directive, which works around the way
      that Shibboleth hooks into Require valid-user and Require user so
      that those directives will continue to work with non-Shibboleth
      authentication types.  This directive will be needed for servers
      that use Shibboleth and other authentication methods and want to use
      Require valid-user or Require user with non-Shibboleth methods.
    - Fix implementation of shib-metagen -l.
    - Fix AttributeExtractor handling of multiple logos.
    - Fix metadata attribute extraction with non-ASCII characters.
    - Fix problems with Apache subrequests during server-side include
      handling of unprotected pages.
    - Add character set to DiscoFeed page header.
    - Avoid leaking shibd sockets to child processes.
  * Add NEWS entry for the authentication directive changes.
  * Update README.Debian instructions to add AuthType None to the URLs
    that have to be available to everyone and to use Require shib-session
    instead of Require valid-user.
  * Create /var/cache/shibboleth on install and remove it on purge.
  * Link the FastCGI programs with libxmltooling-lite since they call one
    of its interfaces directly.  (This shows up as a build failure
    otherwise due to the Debian build rules use of --as-needed.)

 -- Russ Allbery <rra@debian.org>  Tue, 18 Jun 2013 16:42:34 -0700

shibboleth-sp2 (2.5.1+dfsg-1) experimental; urgency=low

  * New upstream release.  (Closes: #685069)
    - Support for Apache 2.4.  Please note there are some configuration
      incompabilities between Apache 2.4 and Apache 2.2.  See the upstream
      documentation at
      https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
      for more information.  (Closes: #666804)
    - Disable the PKCS 1.5 algorithm for SAML assertion encryption by
      default for security reasons.  This can be re-enabled if necessary
      in the security-policy.xml configuration file.
    - The protocol between the Apache module and shibd has changed.  shibd
      will be restarted during upgrades, but if the module is configured
      to talk to a remote shibd over TCP, both the module and shibd must
      be upgraded at the same time.
    - Settings to limit redirections have been renamed from
      relayStateLimit and relayStateWhitelist to redirectLimit and
      redirectWhitelist respectively and the old names are deprecated (but
      still supported).
    - cookieProps has been simplified and warnings introduced if SSL
      restrictions are not enabled.
    - The <AttributeExtractor> element that loads the attribute-map.xml
      file now defaults to reloadChanges="false".  Restarting the SP when
      this file changes is recommended for security reasons.
    - Logging properties have been removed from the default configuration
      file and the absence of properties now indicates use of the default
      logging configuration files (shibd.logger and native.logger).
    - The native.log file is now created as root before Apache child
      initialization to minimize permission issues.
    - Files that persist across server restarts have been moved to
      /var/cache/shibboleth.
    - The example style sheet for error templates has been moved to a
      version-independent location in /usr/share/shibboleth.  A logo file
      is no longer included in the package to avoid accidental use of the
      Shibboleth logo on production sites.  If your existing error
      templates reference these files, you should correct this by copying
      files that you need to locations that you control.
    - The module should now be referenced as mod_shib.cpp in conditionals
      that want to reference a source file name.
    - Clients that bounce between IPv4 and IPv6 addresses should now be
      handled more smoothly.
    - SP initialization now fails if an external session cache is
      configured but cannot be opened.
  * Update libapache2-mod-shib2's README.Debian:
    - Use the Apache 2.4 authorization syntax.
    - Mention possibly having to grant access to /Shibboleth.sso.
    - The module is now enabled by default but still needs configuration.
    - Update the upstream configuration documentation URL.
    - The reason for switching native.logger to syslog is now obsolete
      (but the package still does that, possibly to be reconsidered
      later).
  * Remove the (undefined) warn_log destination from the default
    native.logger configuration file, restoring consistency with the
    Debian modification to log to syslog.  Since all native logs go to
    syslog, there's no need to have differentiated log destinations based
    on threshold.  The previous version of the file referenced a
    commented-out warn_log destination, which caused errors to be spammed
    to syslog.
  * Build with GSS-API support.
  * Build and install FastCGI programs in /usr/lib/<triplet>/shibboleth.
    For right now, these are still included in libapache2-mod-shib2, which
    makes them substantially less useful than they would be in their own
    package.  Further work is required to allow the FastCGI programs plus
    shibd to be installed independent of the Apache module.
  * Add build dependency on libboost-dev.
  * Use log4shib instead of log4cpp.
  * Force build dependencies and package dependencies on xml-security-c
    1.7 or later, xmltooling 1.5 or later, and opensaml2 2.5 or later to
    ensure everything is consistent.
  * Remove explicit build dependency on libtool.  This is now handled by
    dh-autoreconf.
  * Add Multi-Arch: same to libshibsp-dev and Multi-Arch: foreign to
    libshibsp-doc and shibboleth-sp2-schemas.
  * Remove Conflicts with libapache2-mod-shib.  lenny is dead.
  * Fix the libshibsp-doc package name in the Suggests on libshibsp-dev
    and remove the nonstandard version constraint.
  * Install the upstream doc/RELEASE.txt file as the upstream changelog.
    It's not exactly a changelog, but it has pointers to the upstream web
    documentation of changes, which is probably what people are looking for.
  * Drop postinst code to handle upgrades from the Shibboleth 1.x module,
    which was last included in lenny.
  * Switch to xz compression for the repackaged upstream
    source, *.debian.tar, and the *.deb packages.
  * Update upstream Homepage.
  * Canonicalize the URLs in the Vcs-Git and Vcs-Browser control fields.
  * Update standards version to 3.9.4.
    - Update debian/copyright to specify copyright-format 1.0.

 -- Russ Allbery <rra@debian.org>  Fri, 31 May 2013 16:09:24 -0700

shibboleth-sp2 (2.4.3+dfsg-5) unstable; urgency=low

  * Fix syntax error in the update-rc.d invocation for shibd, which was
    not visible on most Debian systems because of dependency-based boot.
    Thanks to Evan Broder and Steve Langasek for pointing me in the right
    direction.  (LP: #884402)
  * Add PIE to the hardening flags for the shibd binary.
  * Use memcached_last_error_message instead of the cached_errno member of
    the memcached_st struct, since the latter was removed in 1.0.  Thanks
    to Michael Fladischer for the patch.  Bump Build-Depends to require
    1.0 or later of libmemcached-dev.  (Closes: #658408)
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages the team
    builds, and NMUs get regular version-numbered patches.

 -- Russ Allbery <rra@debian.org>  Thu, 16 Feb 2012 11:26:14 -0800

shibboleth-sp2 (2.4.3+dfsg-4) unstable; urgency=low

  * Update to debhelper compatibility level V9.
    - Enable hardening build flags.  (Closes: #656006)
    - Enable multiarch support.
  * Tighten shlibs for libshibsp5 since the plugin directory changed due
    to multiarch.
  * Rebuild the Autotools build system using dh-autoreconf instead of
    rolling our own version of the same thing.
  * Rewrite the shibd init script to use the LSB init script functions and
    implement the status action.

 -- Russ Allbery <rra@debian.org>  Thu, 02 Feb 2012 00:05:55 -0800

shibboleth-sp2 (2.4.3+dfsg-3) unstable; urgency=low

  * Remove the armel build dependency on g++-4.4 and the code in
    debian/rules to use it, since the g++ bug has been fixed.
    (Closes: #654745)

 -- Russ Allbery <rra@debian.org>  Thu, 05 Jan 2012 10:18:47 -0800

shibboleth-sp2 (2.4.3+dfsg-2) unstable; urgency=low

  * Build-depend on g++-4.4 on armel and build with that compiler since
    g++ 4.5 and 4.6 die with an internal compiler error even with no
    optimization.  Patch from Peter Green.  (Closes: #623263)
  * Change the default native.logger facility to 3 from 3 << 3, since the
    current log4cpp does indeed do the facility shift.  Thanks to Jeremy
    Maryott for the report.  (Closes: #638594)
  * Update the upstream download location in debian/copyright.
  * Fix some formatting issues in debian/copyright caught by Lintian.

 -- Russ Allbery <rra@debian.org>  Sun, 25 Sep 2011 14:44:15 -0700

shibboleth-sp2 (2.4.3+dfsg-1) unstable; urgency=low

  * New upstream release.
    - Expire redirects by default so that the browser doesn't cache them
      (turn off with ShibExpireRedirects off)
    - Make library init routines idempotent
    - <SSO>SAML2</SSO> now enables ECP support
    - Fix SELECT query in ODBC storage service plugin
    - Fix metagen to only create PAOS ACS elements once
    - Fix XML namespace in metagen-generated XML for HOSTS
    - DiscoFeed with no metadata provider returns an empty feed instead of
      throwing an exception
    - Fix calculation of time interval when maxTimeSinceAuthn is used and
      IdP time is ahead of SP time
    - Improve the IdP example metadata
  * Change update-rc.d invocation for the shibd init script to use the
    same run levels as the LSB headers, removing a warning during package
    installation.
  * Update debian/watch and debian/rules for the new upstream distribution
    location.

 -- Russ Allbery <rra@debian.org>  Mon, 25 Jul 2011 17:27:23 -0700

shibboleth-sp2 (2.4.2+dfsg-2) unstable; urgency=low

  * Include stddef.h for offsetof in apache/mod_apache.cpp, fixing FTBFS
    with g++ 4.6.  (Closes: #624877)
  * Remove ${shlibs:Depends} from libshibsp-dev, which doesn't contain any
    binaries.
  * Update standards version to 3.9.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Sun, 15 May 2011 20:07:24 -0700

shibboleth-sp2 (2.4.2+dfsg-1) unstable; urgency=low

  [ Ferenc Wagner ]
  * Fix watch file.  The 2.4 prerelease broke it.

  [ Faidon Liambotis ]
  * Enable and ship memcache-store.

  [ Russ Allbery ]
  * New upstream release.
    - Move <SecurityPolicies> default to a separate configuration file
    - Allow hard-coding the return URL after authentication
    - Allow restrictions on signing/digest algorithms to accept
    - New -o, -u, and -g flags to keygen
    - Add SessionIndex of an AuthnStatement to environment variables
    - Support for metadata extensions for algorithm support
    - New extension for decoding base64 encoded attributes
    - Allow configuration of XMLAccessControl rules in .htaccess
    - Support explicit filtering of NameID by qualifiers
    - New simplified configuration mechanism
    - Allow inheritance of RelyingParty definitions in ApplicationOverride
    - Provide more information in the status handler
    - New endpoint producing JSON data for Discovery Service
    - Generate the EntityDescriptor/ID via hashing for stability
    - Allow using a regex to generate a URL from the entityID in dynamic
      metadata plugin
    - Support for multibyte request paths
    - New session cache option to avoid storing complete assertions
    - Support MDX-style artifact lookup in dynamic MD plugin
    - Allow storing and retrieving the session key from an HTTP header
    - Support "unspecified" NameFormat without special configuration
    - Allow overriding listener details to permit use of a shared config
    - Add error information to attribute ResolutionContext
    - Set the correct variables for log4cpp libraries (Closes: #606489)
    - Multiple bug fixes
  * Rebuild with OpenSSL 1.0.0.  (Closes: #620774)
  * Change package names for the upstream SONAME change.
  * Update Debian man pages for upstream utility changes.
  * Build-depend on xmltooling 1.4 or later and OpenSAML 2.4 or later, and
    also update schema and development package dependencies.
  * Force build dependency on xml-security-c 1.6 or later for consistent
    build results.
  * Add build dependency on pkg-config, which upstream now uses to find
    the SSL libraries.
  * Add build dependency on graphviz for better API documentation.
  * Replace the version of jQuery installed by Doxygen in the
    documentation package with a symlink to the version supplied by the
    Debian package and add a dependency.
  * Drop the *.la files from /usr/lib/shibboleth.  Upstream does loading
    by *.so files and doesn't use libltdl, and Debian is dropping *.la
    files where possible.
  * Fix LSB Description keyword formatting in the shibd init script.
  * Empty the Default-Stop setting for the shibd init script.  Just
    killing the daemon as part of shutdown should be fine.
  * Ignore the plugins in /usr/lib/shibboleth when running dh_makeshlibs.
    They have SONAMEs but aren't actually libraries.
  * Update to debhelper compatibility level V8.
    - Use debhelper rule minimization.
  * Update debian/copyright to the current DEP-5 specification.
  * Change to Debian source format 3.0 (quilt).  Force a single Debian
    patch for simplicity since the packaging is maintained in Git using
    branches, and include a patch header explaining why.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery <rra@debian.org>  Fri, 08 Apr 2011 13:01:21 -0700

shibboleth-sp2 (2.3.1+dfsg-5) unstable; urgency=high

  * Merge the forgotten pidfile fix from branch bug/unlink-pidfile after
    merging upstream/2.3.1+dfsg into that.  Original changlog entry:

    Apply upstream fix for shibd removing the PID file when called with
    the -F option.  This prevents the check of certificate permissions in
    the init script from removing the PID file of a running shibd.

    (Closes: 611614)

 -- Ferenc Wagner <wferi@niif.hu>  Tue, 01 Feb 2011 16:44:15 +0100

shibboleth-sp2 (2.3.1+dfsg-4) unstable; urgency=low

  * Only restart Apache if it is running.  Thanks, Mehdi Dogguy, Michael
    Biebl, and Ferenc Wagner.

 -- Russ Allbery <rra@debian.org>  Mon, 29 Nov 2010 14:29:42 -0800

shibboleth-sp2 (2.3.1+dfsg-3) unstable; urgency=low

  [ Ferenc Wagner ]
  * Restart Apache from the postinst script if the shib2 module is enabled
    to avoid communication errors with the upgraded shibd.  (Closes: #602328)

  [ Faidon Liambotis ]
  * Add myself to Uploaders.
  * Enable and ship memcache-store.

 -- Ferenc Wagner <wferi@niif.hu>  Mon, 22 Nov 2010 22:17:57 +0100

shibboleth-sp2 (2.3.1+dfsg-2) unstable; urgency=low

  * Modify shib-keygen to create the new certificate key group-readable by
    _shibd and not world-readable.  (Closes: #571631, CVE-2010-2450)
  * Force source format 1.0 for now since it makes backporting easier.
  * Update debhelper compatibility level to V7.
    - Use dh_prep instead of dh_clean -k.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Sat, 15 May 2010 15:25:12 -0700

shibboleth-sp2 (2.3.1+dfsg-1) unstable; urgency=low

  * New upstream release.
    - Don't sign messages for SOAP requests twice.
    - Correctly generate metadata in the artifact resolution handler.
    - Artifact resolution should return empty success on errors.
    - Fixed crash in backchannel global logout.
    - Fix duplicate indexes in metadata generation when multiple base URLs
      are supplied.
    - Correctly decrypt assertions in attribute responses.
  * Apply upstream fix for shibd removing the PID file when called with
    the -F option.  This prevents the check of certificate permissions in
    the init script from removing the PID file of a running shibd.
  * Add ${shlibs:Depends} to the libshibsp-dev package dependencies.
  * Add ${misc:Depends} to all package dependencies.

 -- Russ Allbery <rra@debian.org>  Sun, 03 Jan 2010 13:54:55 -0800

shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high

  [ Russ Allbery ]
  * Urgency set to high for security fix.
  * New upstream release.
    - SECURITY: Partial fix for improper handling of URLs that could be
      abused for script injection and other cross-site scripting attacks.
      The complete fix also requires newer xmltooling and opensaml2
      packages.  (Closes: #555608, CVE-2009-3300)
    - Avoid shibd crash on dead memcache server.
    - Pass the affiliation name to the session initiator.
    - Correctly handle a bogus ACS.
    - Allow overriding the URL that's passed to the DS.
    - Add schema types for new attribute decoders introduced in 2.2.
    - Handle success with partial logout in the logout UI code.
    - Fix POST data preservation with empty parameters and empty forms.
    - Fix SAML 1 specification of attributes in the query plugin.
    - Shorten ePTId-type persistent identifiers.
    - Use an ID rather than a whole doc reference for generated metadata.
    - Fix spelling of scopeDelimiter in the configuration parser, making
      the code and documentation match the schema.
  * Rename library package for upstream SONAME bump.
  * Tighten build and package dependencies on xmltooling and opensaml2 to
    require the versions with the security fix.
  * Fix watch file for the new version mangling.
  * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
  * Remove unnecessary patches to upstream files regenerated during the
    build from the source package diff.

  [ Faidon Liambotis ]
  * Run make install with NOKEYGEN=1 and stop rm-ing generated
    certificates.  Fixes FTBFS.

  [ Ferenc Wagner ]
  * Run shibd as non-root.

 -- Russ Allbery <rra@debian.org>  Wed, 11 Nov 2009 14:39:44 -0800

shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low

  * Change the libapache2-mod-shib2 section to httpd, matching override.
  * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the
    recommended configuration update for the 2.2 version.  Thanks, Scott
    Cantor and Kristof BAJNOK.

 -- Russ Allbery <rra@debian.org>  Wed, 09 Sep 2009 12:15:08 -0700

shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high

  * New upstream release.
    - SECURITY: Fix improper handling of certificate names containing nul
      characters.
    - SECURITY: Correctly validate the use attribute of KeyDescriptors,
      preventing use of a key for signing or for encryption if its use
      field says it may not be used for that purpose.
    - New shib-metagen script for generating Shibboleth SP metadata.
    - Support preserving form data across user authentication.
    - Support internal server redirection while maintaining protection.
    - Fix incompatibility between lazy sessions and servlet containers.
    - Fix some problems with dynamic metadata resolution.
    - Fix incompatibility with mod_include.
    - Fix single logout via SOAP.
    - Fix shibd crash with invalid metadata.
    - Fix crash in chaining attribute resolver.
    - Avoid infinite loop on empty attribute mapped to REMOTE_USER.
    - Fix handling of some Unicode data in relaystate data in URLs.
    - Correctly return Success to LogoutRequest where appropriate.
    - Avoid chunked encoding in back-channel calls.
    - Correctly check Recipient values in assertions.
    - Fix attributePrefix handling in some contexts.
    - Fix generated metadata DiscoveryResponse.
    - Fix handling of unsigned responses with encryption.
    - Fix handling of InProcess property.
  * Rename library package for upstream SONAME bump.
  * Tighten build dependencies and schema package dependencies on
    opensaml2 and xmltooling.
  * Build against Xerces-C 3.0.
  * Dynamically determine the Debian and upstream package versions for
    get-orig-source from debian/changelog.
  * Update libapache2-mod-shib2's README.Debian for changes to the
    TestShib web pages.
  * Use the automatically-extracted package version as the version number
    for the man pages.
  * Update standards version to 3.8.3.
    - Create /var/run/shibboleth in the init script if it doesn't exist.
    - Don't ship /var/run/shibboleth in the package.
    - Remove /var/run/shibboleth in postrm if it exists.

 -- Russ Allbery <rra@debian.org>  Mon, 07 Sep 2009 16:14:29 -0700

shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low

  * Redo the variable quoting in doxygen.m4 so that configure can be
    rebuilt with Autoconf 2.63.  (Closes: #518039)

 -- Russ Allbery <rra@debian.org>  Tue, 03 Mar 2009 15:03:10 -0800

shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low

  [ Russ Allbery ]
  * New upstream version.
    - New memory cache storage backend.
    - Schema validation is now optional.
    - Many bug fixes.
  * Bump SONAME of libshibsp following upstream's versioning.
  * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file
    and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1).
  * Fix the name of the tarball created by get-orig-source.
  * Logcheck rules.
  * Tighten the dependency versioning; the 2.1 SP library requires the
    2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas
    from XMLTooling.
  * Remove duplicate Section field for libapache2-mod-shib2.

  [ Ferenc Wagner ]
  * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation.
  * Remove the Shibboleth minor version number from README.Debian.
  * Comment out the reference to WS-Trust.xsd from the catalog.xml file in
    shibboleth-sp2-schemas and document how to enable it again.

 -- Russ Allbery <rra@debian.org>  Fri, 27 Feb 2009 20:54:51 -0800

shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low

  [ Ferenc Wagner ]
  * Rename debian/shib.load to debian/shib2.load to avoid clashing with the
    libapache2-mod-shib package.  Otherwise its Apache config file breaks our
    module.
  * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter
    Schober for noticing)

  [ Russ Allbery ]
  * Add a postinst to disable the old configuration on upgrade and enable
    the module if it had been enabled under the old configuration name.
  * Wait for shibd to exit on stop or restart.  This fixes a bug in
    restart that could lead to no new shibd being started because the old
    one had not yet exited.
  * Fix a syntax error in the shibd man page.

 -- Russ Allbery <rra@debian.org>  Tue, 14 Oct 2008 21:47:36 -0700

shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low

  [ Ferenc Wagner ]
  * Avoid brace expansion in debian/rules, dash does not like it.
    (Closes: #493408)

  [ Russ Allbery ]
  * Add logcheck rules to ignore some of the routine messages from the
    Apache module.  This only covers startup and teardown; more will
    need to be added.
  * Fix watch file for new upstream tarball naming.

 -- Russ Allbery <rra@debian.org>  Tue, 19 Aug 2008 19:04:35 -0700

shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low

  * Apply upstream fix for variable sizes in the ODBC code.  Fixes a
    FTBFS on 64-bit platforms.  (Closes: #492101)

 -- Russ Allbery <rra@debian.org>  Thu, 24 Jul 2008 08:44:50 -0700

shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low

  [ Ferenc Wágner ]
  * Initial release (Closes: #480290)

 -- Russ Allbery <rra@debian.org>  Wed, 25 Jun 2008 20:06:10 -0700