simplesamlphp (1.14.11-1+deb9u2) stretch-security; urgency=high * Update by the security team for stretch. * Fix security issue CVE-2019-3465 (closes: #944107). -- Thijs Kinkhorst Tue, 05 Nov 2019 08:54:44 +0100 simplesamlphp (1.14.11-1+deb9u1) stretch-security; urgency=high * Update by the security team for stretch. CVE-2017-12867 CVE-2017-12869 CVE-2017-12874 CVE-2017-18121 CVE-2017-18122 CVE-2018-6519 CVE-2018-6521 SSPSA-201802-01 (closes: #889286). -- Thijs Kinkhorst Thu, 01 Mar 2018 20:16:49 +0100 simplesamlphp (1.14.11-1) unstable; urgency=medium * New upstream release. - Fixes security issues SSPSA 201612-02 & SSPSA 201612-03. -- Thijs Kinkhorst Tue, 13 Dec 2016 08:24:57 +0000 simplesamlphp (1.14.10-1) unstable; urgency=high * New upstream release. - Fixes security issue SSPSA 201612-01. -- Thijs Kinkhorst Sat, 03 Dec 2016 08:04:20 +0000 simplesamlphp (1.14.9-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Mon, 14 Nov 2016 09:05:41 +0000 simplesamlphp (1.14.8-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Tue, 23 Aug 2016 12:29:51 +0000 simplesamlphp (1.14.7-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Mon, 01 Aug 2016 14:09:15 +0000 simplesamlphp (1.14.6-1) unstable; urgency=medium * New upstream release. * Improve dependencies: do not depend on any specific PHP SAPI and clean up obsolete requirements. Thanks Wessel Dankers for reporting. -- Thijs Kinkhorst Wed, 20 Jul 2016 14:59:30 +0000 simplesamlphp (1.14.5-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Wed, 13 Jul 2016 12:19:08 +0000 simplesamlphp (1.14.4-1) unstable; urgency=medium * New upstream release. * Checked for policy 3.9.7, no changes. -- Thijs Kinkhorst Thu, 09 Jun 2016 07:42:06 +0000 simplesamlphp (1.14.3-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Tue, 19 Apr 2016 12:57:16 +0000 simplesamlphp (1.14.2-2) unstable; urgency=medium * Update dependencies: - php5 -> php; remove obsolete php5-mhash - remove php-openid, php-xml-parser as dependencies; only used for the niche OpenID module. (Closes: #818800) -- Thijs Kinkhorst Tue, 05 Apr 2016 13:25:40 +0000 simplesamlphp (1.14.2-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Mon, 14 Mar 2016 12:49:17 +0000 simplesamlphp (1.14.1-1) unstable; urgency=high * New upstream release. - Fixes PHP version number disclosure (closes: #817162). * Checked for policy 3.9.7, no changes. -- Thijs Kinkhorst Tue, 08 Mar 2016 16:41:16 +0000 simplesamlphp (1.14.0-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Wed, 17 Feb 2016 10:18:12 +0000 simplesamlphp (1.13.2-1) unstable; urgency=medium * New upstream bugfix release. - Incorporates xmlc14n.patch. * Fix typo in package description (closes: #781020). -- Thijs Kinkhorst Thu, 30 Apr 2015 13:51:36 +0000 simplesamlphp (1.13.1-2) unstable; urgency=medium * Add xmlc14n.patch fixing extreme resource consumption when processing large metadata files (closes: #772121). See: https://simplesamlphp.org/metaprocessing -- Thijs Kinkhorst Fri, 05 Dec 2014 10:13:00 +0000 simplesamlphp (1.13.1-1) unstable; urgency=medium * New upstream bugfix release. -- Thijs Kinkhorst Mon, 27 Oct 2014 19:23:35 +0000 simplesamlphp (1.13.0-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Thu, 25 Sep 2014 18:26:11 +0000 simplesamlphp (1.12.0-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Mon, 24 Mar 2014 17:53:33 +0100 simplesamlphp (1.12.0~rc2-1) unstable; urgency=medium * New upstream release candidate. -- Thijs Kinkhorst Wed, 05 Mar 2014 14:18:31 +0100 simplesamlphp (1.12.0~rc1-1) unstable; urgency=medium * New upstream release candidate. -- Thijs Kinkhorst Wed, 26 Feb 2014 16:15:51 +0100 simplesamlphp (1.11.0-1) unstable; urgency=low * New upstream release. * Add php5-json to Recommends. -- Thijs Kinkhorst Wed, 05 Jun 2013 14:25:32 +0200 simplesamlphp (1.11.0~rc1-1) unstable; urgency=low * New upstream release candidate. - Sanitycheck now works out of the box (closes: #695147). -- Thijs Kinkhorst Fri, 24 May 2013 16:12:45 +0200 simplesamlphp (1.10.0-1) unstable; urgency=low * New upstream release. * Update packaging to debhelper 9, policy 3.9.4. -- Thijs Kinkhorst Thu, 04 Oct 2012 15:17:07 +0200 simplesamlphp (1.9.2-1) unstable; urgency=medium * New upstream security release: Fix possible issue in PKCS 1.5 encryption when a key is correctly decrypted but its length is not the one expected. -- Thijs Kinkhorst Wed, 29 Aug 2012 15:43:31 +0000 simplesamlphp (1.9.1-1) unstable; urgency=medium * New upstream security release: Fix for an attack against PKCS 1.5 in XML encryption. -- Thijs Kinkhorst Mon, 06 Aug 2012 12:57:02 +0000 simplesamlphp (1.9.0-1) unstable; urgency=low * New upstream release. -- Thijs Kinkhorst Wed, 13 Jun 2012 12:38:09 +0200 simplesamlphp (1.9.0~rc2-1) unstable; urgency=low * New upstream release candidate. -- Thijs Kinkhorst Sat, 19 May 2012 16:00:48 +0200 simplesamlphp (1.9.0~rc1-1) unstable; urgency=low * New upstream release candidate. - Addresses PHP 5.4 compatibility (closes: #658875). * Update for Apache 2.4 (closes: #669795). * Checked for policy 3.9.3. -- Thijs Kinkhorst Sat, 21 Apr 2012 17:13:15 +0200 simplesamlphp (1.8.2-1) unstable; urgency=high * New upstream release, fixes cross site scripting. [CVE-2012-0040 CVE-2012-0908] -- Thijs Kinkhorst Wed, 11 Jan 2012 11:19:37 +0100 simplesamlphp (1.8.1-1) unstable; urgency=high * New upstream release. Fixes security issues: - It may be possible to use an SP as a oracle to decrypt encrypted messages sent to that SP. This is the attack described in the paper "How to break XML encryption": http://dx.doi.org/10.1145/2046707.2046756 - It may be possible to use the SP as a key oracle which can be used to forge messages from that SP by issuing 300000-2000000 queries to the SP. This mainly affects SPs that use signed authentication requests. The attack is described in "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.": http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037 -- Thijs Kinkhorst Thu, 27 Oct 2011 14:19:20 +0200 simplesamlphp (1.8.0-1) unstable; urgency=low * New upstream release. -- Thijs Kinkhorst Mon, 11 Apr 2011 14:14:34 +0200 simplesamlphp (1.7.0-2) unstable; urgency=low * Install all config files that simpleSAMLphp ships in config/ under our /etc/simplesamlphp/ (closes: #610973). -- Thijs Kinkhorst Tue, 08 Feb 2011 20:39:44 +0100 simplesamlphp (1.7.0-1) experimental; urgency=low * New upstream release. * Move php5-cli from depends to recommends (closes: #609256). * Install example apache.conf. * Remove obsolete /usr/share/doc/simplesamlphp/source/*. * Set default baseurlpath to 'simplesamlphp/'. -- Thijs Kinkhorst Tue, 11 Jan 2011 16:16:59 +0100 simplesamlphp (1.7.0~rc1-1) UNRELEASED; urgency=low * New upstream release candidate. -- Thijs Kinkhorst Fri, 24 Dec 2010 16:52:56 +0100 simplesamlphp (1.6.3-1+uvt1) unstable; urgency=low * Apply disco_scope.patch: allow the scopedIDPlist to be passed in a POST request to avoid running into browser request length limitations. Needed for Confusa 0.7. Patch accepted upstream. -- Thijs Kinkhorst Fri, 17 Dec 2010 14:26:05 +0100 simplesamlphp (1.6.3-1) unstable; urgency=high * New upstream release fixing XSS security bug. -- Thijs Kinkhorst Fri, 17 Dec 2010 14:16:25 +0100 simplesamlphp (1.6.2-1) unstable; urgency=high * New upstream release. * Includes security fixes: XSS possible in certain circumstances. * Checked for policy 3.9.1, no changes necessary. -- Thijs Kinkhorst Thu, 29 Jul 2010 14:47:21 +0200 simplesamlphp (1.6.1-1) unstable; urgency=low * New upstream release. * Remove version specifiers from dependencies where these are satisfied even in oldstable. Besides cleanup this solves an issue with php5-mhash, which is a virtual package in squeeze and up, and dependencies on virtual packages may not be versioned per Debian Policy. * Checked for policy 3.9.0, no changes necessary. * Install changelog in expected location. -- Thijs Kinkhorst Wed, 30 Jun 2010 18:38:40 +0200 simplesamlphp (1.6.0-1) unstable; urgency=low * New upstream release. * Initial Debian upload (closes: #557514). * Depend on php-openid and do not ship code contained theirin. -- Thijs Kinkhorst Tue, 01 Jun 2010 23:32:02 +0200 simplesamlphp (1.6.0~rc1-1) unstable; urgency=low * New upstream release candidate. * Make packaging conform better to Debian policy. * Switch to dpkg-source 3.0 (quilt) format. -- Thijs Kinkhorst Tue, 25 May 2010 16:54:59 +0200 simplesamlphp (1.5.1-1) unstable; urgency=low * Fix security vulnerability due to insecure temp file creation: - statistics: The logcleaner script outputs to a file in /tmp. - InfoCard: Saves state directly in /tmp. Changed to the simpleSAMLphp temp directory. - openidProvider: Default configuration saves state information in /tmp. Changed to '/var/lib/simplesamlphp-openid-provider'. - SAML 1 artifact support: Saves certificates temporarily in '/tmp/simplesaml', but directory creation was insecure. * statistics: Handle new year wraparound. * Dictionary updates. * Fix bridged logout. * Some documentation updates. * Fix all metadata to use assignments to arrays. * Fix $session->getIdP(). * Support AuthnContextClassRef in saml-module. * Do not attempt to send logout request to an IdP that does not support logout. * LDAP: Disallow bind with empty password. * LDAP: Assume that LDAP_NO_SUCH_OBJECT is an error due to invalid username/password. * statistics: Fix configuration template. * Handle missing authority in idp-hosted metadata better. -- Thomas Zangerl Mon, 11 Jan 2010 13:51:28 +0100 simplesamlphp (1.5.1~rc1-1) unstable; urgency=low * Include possibility to the Identity provider using session->getIdP() -- Thomas Zangerl Fri, 04 Dec 2009 15:00:00 +0100 simplesamlphp (1.5.0~rc1-1) unstable; urgency=low * Move to new modularized SAML provider for authN -- Thomas Zangerl Fri, 30 Oct 2009 11:21:04 +0100