xmltooling (1.4.2-5+deb7u3) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Kelby Ludwig and Scott Cantor discovered that the Shibboleth service
    provider is vulnerable to impersonation attacks and information disclosure
    due to incorrect XML parsing. For additional details please refer to the
    upstream advisory at
    https://shibboleth.net/community/advisories/secadv_20180227.txt

 -- Markus Koschany <apo@debian.org>  Wed, 28 Feb 2018 22:59:23 +0100

xmltooling (1.4.2-5+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-0486:
    Philip Huppert discovered the Shibboleth service provider is vulnerable to
    impersonation attacks and information disclosure due to mishandling of DTDs
    in the XMLTooling XML parsing library. For additional details please refer
    to the upstream advisory at
    https://shibboleth.net/community/advisories/secadv_20180112.txt

 -- Markus Koschany <apo@debian.org>  Sun, 14 Jan 2018 20:41:01 +0100

xmltooling (1.4.2-5+deb7u1) wheezy-security; urgency=high

  * Apply security fix from 1.5.5 for CVE-2015-0851 DoS (Closes: #793855):
    Shibboleth SP software crashes on well-formed but invalid XML

 -- Ferenc Wagner <wferi@niif.hu>  Mon, 27 Jul 2015 11:39:26 +0200

xmltooling (1.4.2-5) unstable; urgency=low

  * Revert changes to add symbols file.  Due to churn in weak symbols for
    inlined functions, it doesn't appear maintainable with existing
    tools, and for this library the shlibs behavior seems sufficient.
  * Update Autotools build files via dh_autoreconf.
  * Force linking with -lpthread, working around a bug in libtool that
    drops the linkage because it uses -nostdlib.  See #468555.

 -- Russ Allbery <rra@debian.org>  Tue, 31 Jan 2012 16:35:46 -0800

xmltooling (1.4.2-4) unstable; urgency=low

  * Update symbols files for all non-i386 architectures currently built by
    the buildds except mipsel (which will hopefully be the same as mips),
    armel (modeled after armhf), and kfreebsd-i386 (hopefully the same as
    i386).
  * Build-Depend on pkg-kde-tools and use its symbolhelper plugin so that
    the package can use the output of pkgkde-symbolshelper.

 -- Russ Allbery <rra@debian.org>  Fri, 27 Jan 2012 21:59:27 -0800

xmltooling (1.4.2-3) unstable; urgency=low

  * Also enable bindnow hardening build flags and use the correct syntax
    to add additional hardening flags.
  * Add symbols file constructed with pkgkde-symbolshelper.  Add a
    README.source file with a pointer to the documentation.

 -- Russ Allbery <rra@debian.org>  Fri, 27 Jan 2012 14:06:42 -0800

xmltooling (1.4.2-2) unstable; urgency=low

  * Update to debhelper compatibility level V9.
    - Enable hardening build flags.  (Closes: #656656)
    - Enable multiarch support.
  * Use the latest directory in debian/watch instead of the versioned
    directories.
  * Update the upstream homepage.
  * Update the upstream download location in debian/copyright.
  * Minor format updates to debian/copyright for the new DEP-5.

 -- Russ Allbery <rra@debian.org>  Thu, 26 Jan 2012 12:58:17 -0800

xmltooling (1.4.2-1) unstable; urgency=low

  * New upstream release.
    - Fix use attribute in shorthand file CredentialResolver
    - Fix handling of SOAP 1.1 fault package
    - Make library init routines idempotent
  * Make removal of the Doxygen-installed jquery.js file conditional on
    its existence, since some versions of Doxygen don't install it.
  * Update debian/watch for the new upstream distribution location.

 -- Russ Allbery <rra@debian.org>  Mon, 25 Jul 2011 15:44:12 -0700

xmltooling (1.4.1-3) unstable; urgency=low

  * Add explicit build dependency on libssl-dev, which is used directly by
    this package, and force build dependency on libssl-dev 1.0 or later
    for consistent build results.  If some Shibboleth-related libraries
    are built against earlier versions of libssl, it produces linking
    failures when building the Shibboleth SP package.
  * Update standards version to 3.9.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 07 Apr 2011 14:41:37 -0700

xmltooling (1.4.1-2) unstable; urgency=low

  * Fix FTBFS with arch-only builds, such as those on the buildds.
    Thanks, Aaron M. Ucko.  (Closes: #618615)

 -- Russ Allbery <rra@debian.org>  Wed, 16 Mar 2011 23:45:11 -0700

xmltooling (1.4.1-1) unstable; urgency=low

  * New upstream release.
    - gzip/deflate encoding support to HTTP transfers
    - Support for top-level signature verification to reloadable XML files
    - Support fetching CRLs based on the CRL distribution point extension
    - Fix adding trust engines manually to chaining engine
    - Fix root element handling in unmarshalling around a cloned DOM
    - Fix config loader detection of no access to file
    - Fix User-Agent string handling for AttributeQuery
    - Ensure chained TrustEngine is not affected by ordering
    - Support ETag caching in reloadable config files
    - Support HTTP caching when accessing remote CRLs
    - Switch to background thread for reloading files
    - Option to re-enable TLS renegotiation when running on 0.9.8m+
    - Improve handling of simple content when comments are present
    - Fix configure probing with ld --as-needed (Closes: #606486)
  * Force build dependency on xml-security-c 1.6 or later for consistent
    build results.
  * Add build dependency on pkg-config, which upstream now uses to find
    the SSL libraries.
  * Add build dependency on graphviz for better API documentation.
  * Replace the version of jQuery installed by Doxygen in the
    documentation package with a symlink to the version supplied by the
    Debian package and add a dependency.
  * Update to debhelper compatibility level V8.
    - Use the autotools-dev debhelper module for config.{sub,guess}.
    - Use debhelper rule minimization.
  * Clean some additional files not removed by upstream make distclean.
  * Update debian/copyright to the current DEP-5 specification.
  * Change to Debian source format 3.0 (quilt).  Force a single Debian
    patch for simplicity since the packaging is maintained in Git using
    branches, and include a patch header explaining why.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery <rra@debian.org>  Sun, 13 Mar 2011 20:45:25 -0700

xmltooling (1.3.3-2) unstable; urgency=low

  * Force source format 1.0 for now since it makes backporting easier.
  * Add ${misc:Depends} to all package dependencies.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 13 May 2010 10:03:36 -0700

xmltooling (1.3.3-1) unstable; urgency=low

  * New upstream release.
    - Allow the empty string in assignment to DateTime members.
    - Allow configuration to not extract local credential names for
      matching purposes.

 -- Russ Allbery <rra@debian.org>  Thu, 17 Dec 2009 18:29:08 -0800

xmltooling (1.3.1-1) unstable; urgency=high

  * Urgency set to high for security fix.
  * New upstream release.
    - SECURITY: Partial fix for improper handling of URLs that could be
      abused for script injection and other cross-site scripting attacks.
      The complete fix also requires newer opensaml2 and shibboleth-sp2
      packages.  (CVE-2009-3300)
    - Add setter for KeyInfoResolver object.
    - Fix extraction of cert info for UTF-8 handling changes.
    - Fix passing of TransportOption configuration to cURL.
    - Fix instability in reusing a DOM after signing it.
    - Remove xmlns:xml namespace declaration when marshalling and
      unmarshalling to avoid canonicalization bugs.
  * Rename library package for upstream SONAME bump.
  * Build-depend on libxml-security-c-dev 1.5 or later and make
    libxmltooling-dev depend on libxml-security-c-dev 1.5 or later to
    ensure that all builds are consistent.  Although this package will
    build with 1.4, the other packages built on xmltooling require 1.5.

 -- Russ Allbery <rra@debian.org>  Fri, 06 Nov 2009 11:30:41 -0800

xmltooling (1.2.2-1) unstable; urgency=high

  * Urgency set to high for security fix.
  * New upstream release.
    - SECURITY: Fix potential buffer overflows and reuses of freed objects
      in error handling code paths with invalid XML or with malformed
      URLs.  See the upstream security advisory at
      http://shibboleth.internet2.edu/secadv/secadv_20090826.txt
    - Fix other validation issues with malformed objects.
    - Fix for accessing the resolution context, which affects the ability
      of callers to restrict keys based on use attributes.
    - Fix encoding of backup metadata.
  * Update debhelper compatibility level to V7.
    - Use dh_prep instead of dh_clean -k.
  * Update standards version to 3.8.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 27 Aug 2009 11:31:37 -0700

xmltooling (1.2-1) unstable; urgency=low

  * New upstream release.
    - Stop dropping the namespace of qualified attributes that aren't
      extensions.
    - Expose multiple certificate revocation lists via the credential
      API, allowing separate revocation lists for intermediate certs.
    - Provide the hostname in artifact resolution errors.
    - Sanity-check provided credentials for consistency.
  * Rename library package for upstream SONAME bump.
  * Build against Xerces-C 3.0.
  * Update standards version to 3.8.2 (no changes required).
  * Remove duplicate section setting for the library package.

 -- Russ Allbery <rra@debian.org>  Wed, 05 Aug 2009 15:45:06 -0700

xmltooling (1.1-1) unstable; urgency=low

  [ Russ Allbery ]
  * New upstream bug-fix release.
  * Bump SONAME of libxmltooling following upstream's versioning.
  * Include <cstdio> in base.h since some of its macros use sprintf.
    Fixes FTBFS for packages using xmltooling with GCC 4.4 that don't
    already include cstdio.  Thanks, Martin Michlmayr.  (Closes: #505072)

  [ Ferenc Wagner ]
  * Fix watch file for upstream directory structure.

 -- Russ Allbery <rra@debian.org>  Tue, 17 Feb 2009 17:23:00 -0800

xmltooling (1.0-2) unstable; urgency=low

  [ Ferenc Wagner ]
  * Add dependencies to libxmltooling-dev for the packages whose header
    files are included by XMLTooling headers.
  * Include NOTICE.txt in all packages.

  [ Russ Allbery ]
  * Explicitly link with -lpthread to work around Bug#468555 in libtool.
  * Change package priorities to extra.  Xerces-C is extra, so all of the
    Shibboleth stack needs to be extra, and realistically it's somewhat of
    an edge package in Debian.
  * Add in copyright and license information for all of the other random
    files in the tree, including all the Autoconf support files.
  * Fix copyright file formatting to use the right syntax for Files.

 -- Russ Allbery <rra@debian.org>  Wed, 18 Jun 2008 20:18:21 -0700

xmltooling (1.0-1) unstable; urgency=low

  [ Ferenc Wagner ]
  * Initial release (Closes: #480287)

 -- Russ Allbery <rra@debian.org>  Sat, 07 Jun 2008 13:00:13 -0700

