simplesamlphp (1.13.1-2) unstable; urgency=medium * Add xmlc14n.patch fixing extreme resource consumption when processing large metadata files (closes: #772121). See: https://simplesamlphp.org/metaprocessing -- Thijs Kinkhorst Fri, 05 Dec 2014 10:13:00 +0000 simplesamlphp (1.13.1-1) unstable; urgency=medium * New upstream bugfix release. -- Thijs Kinkhorst Mon, 27 Oct 2014 19:23:35 +0000 simplesamlphp (1.13.0-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Thu, 25 Sep 2014 18:26:11 +0000 simplesamlphp (1.12.0-1) unstable; urgency=medium * New upstream release. -- Thijs Kinkhorst Mon, 24 Mar 2014 17:53:33 +0100 simplesamlphp (1.12.0~rc2-1) unstable; urgency=medium * New upstream release candidate. -- Thijs Kinkhorst Wed, 05 Mar 2014 14:18:31 +0100 simplesamlphp (1.12.0~rc1-1) unstable; urgency=medium * New upstream release candidate. -- Thijs Kinkhorst Wed, 26 Feb 2014 16:15:51 +0100 simplesamlphp (1.11.0-1) unstable; urgency=low * New upstream release. * Add php5-json to Recommends. -- Thijs Kinkhorst Wed, 05 Jun 2013 14:25:32 +0200 simplesamlphp (1.11.0~rc1-1) unstable; urgency=low * New upstream release candidate. - Sanitycheck now works out of the box (closes: #695147). -- Thijs Kinkhorst Fri, 24 May 2013 16:12:45 +0200 simplesamlphp (1.10.0-1) unstable; urgency=low * New upstream release. * Update packaging to debhelper 9, policy 3.9.4. -- Thijs Kinkhorst Thu, 04 Oct 2012 15:17:07 +0200 simplesamlphp (1.9.2-1) unstable; urgency=medium * New upstream security release: Fix possible issue in PKCS 1.5 encryption when a key is correctly decrypted but its length is not the one expected. -- Thijs Kinkhorst Wed, 29 Aug 2012 15:43:31 +0000 simplesamlphp (1.9.1-1) unstable; urgency=medium * New upstream security release: Fix for an attack against PKCS 1.5 in XML encryption. -- Thijs Kinkhorst Mon, 06 Aug 2012 12:57:02 +0000 simplesamlphp (1.9.0-1) unstable; urgency=low * New upstream release. -- Thijs Kinkhorst Wed, 13 Jun 2012 12:38:09 +0200 simplesamlphp (1.9.0~rc2-1) unstable; urgency=low * New upstream release candidate. -- Thijs Kinkhorst Sat, 19 May 2012 16:00:48 +0200 simplesamlphp (1.9.0~rc1-1) unstable; urgency=low * New upstream release candidate. - Addresses PHP 5.4 compatibility (closes: #658875). * Update for Apache 2.4 (closes: #669795). * Checked for policy 3.9.3. -- Thijs Kinkhorst Sat, 21 Apr 2012 17:13:15 +0200 simplesamlphp (1.8.2-1) unstable; urgency=high * New upstream release, fixes cross site scripting. [CVE-2012-0040 CVE-2012-0908] -- Thijs Kinkhorst Wed, 11 Jan 2012 11:19:37 +0100 simplesamlphp (1.8.1-1) unstable; urgency=high * New upstream release. Fixes security issues: - It may be possible to use an SP as a oracle to decrypt encrypted messages sent to that SP. This is the attack described in the paper "How to break XML encryption": http://dx.doi.org/10.1145/2046707.2046756 - It may be possible to use the SP as a key oracle which can be used to forge messages from that SP by issuing 300000-2000000 queries to the SP. This mainly affects SPs that use signed authentication requests. The attack is described in "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1.": http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037 -- Thijs Kinkhorst Thu, 27 Oct 2011 14:19:20 +0200 simplesamlphp (1.8.0-1) unstable; urgency=low * New upstream release. -- Thijs Kinkhorst Mon, 11 Apr 2011 14:14:34 +0200 simplesamlphp (1.7.0-2) unstable; urgency=low * Install all config files that simpleSAMLphp ships in config/ under our /etc/simplesamlphp/ (closes: #610973). -- Thijs Kinkhorst Tue, 08 Feb 2011 20:39:44 +0100 simplesamlphp (1.7.0-1) experimental; urgency=low * New upstream release. * Move php5-cli from depends to recommends (closes: #609256). * Install example apache.conf. * Remove obsolete /usr/share/doc/simplesamlphp/source/*. * Set default baseurlpath to 'simplesamlphp/'. -- Thijs Kinkhorst Tue, 11 Jan 2011 16:16:59 +0100 simplesamlphp (1.7.0~rc1-1) UNRELEASED; urgency=low * New upstream release candidate. -- Thijs Kinkhorst Fri, 24 Dec 2010 16:52:56 +0100 simplesamlphp (1.6.3-1+uvt1) unstable; urgency=low * Apply disco_scope.patch: allow the scopedIDPlist to be passed in a POST request to avoid running into browser request length limitations. Needed for Confusa 0.7. Patch accepted upstream. -- Thijs Kinkhorst Fri, 17 Dec 2010 14:26:05 +0100 simplesamlphp (1.6.3-1) unstable; urgency=high * New upstream release fixing XSS security bug. -- Thijs Kinkhorst Fri, 17 Dec 2010 14:16:25 +0100 simplesamlphp (1.6.2-1) unstable; urgency=high * New upstream release. * Includes security fixes: XSS possible in certain circumstances. * Checked for policy 3.9.1, no changes necessary. -- Thijs Kinkhorst Thu, 29 Jul 2010 14:47:21 +0200 simplesamlphp (1.6.1-1) unstable; urgency=low * New upstream release. * Remove version specifiers from dependencies where these are satisfied even in oldstable. Besides cleanup this solves an issue with php5-mhash, which is a virtual package in squeeze and up, and dependencies on virtual packages may not be versioned per Debian Policy. * Checked for policy 3.9.0, no changes necessary. * Install changelog in expected location. -- Thijs Kinkhorst Wed, 30 Jun 2010 18:38:40 +0200 simplesamlphp (1.6.0-1) unstable; urgency=low * New upstream release. * Initial Debian upload (closes: #557514). * Depend on php-openid and do not ship code contained theirin. -- Thijs Kinkhorst Tue, 01 Jun 2010 23:32:02 +0200 simplesamlphp (1.6.0~rc1-1) unstable; urgency=low * New upstream release candidate. * Make packaging conform better to Debian policy. * Switch to dpkg-source 3.0 (quilt) format. -- Thijs Kinkhorst Tue, 25 May 2010 16:54:59 +0200 simplesamlphp (1.5.1-1) unstable; urgency=low * Fix security vulnerability due to insecure temp file creation: - statistics: The logcleaner script outputs to a file in /tmp. - InfoCard: Saves state directly in /tmp. Changed to the simpleSAMLphp temp directory. - openidProvider: Default configuration saves state information in /tmp. Changed to '/var/lib/simplesamlphp-openid-provider'. - SAML 1 artifact support: Saves certificates temporarily in '/tmp/simplesaml', but directory creation was insecure. * statistics: Handle new year wraparound. * Dictionary updates. * Fix bridged logout. * Some documentation updates. * Fix all metadata to use assignments to arrays. * Fix $session->getIdP(). * Support AuthnContextClassRef in saml-module. * Do not attempt to send logout request to an IdP that does not support logout. * LDAP: Disallow bind with empty password. * LDAP: Assume that LDAP_NO_SUCH_OBJECT is an error due to invalid username/password. * statistics: Fix configuration template. * Handle missing authority in idp-hosted metadata better. -- Thomas Zangerl Mon, 11 Jan 2010 13:51:28 +0100 simplesamlphp (1.5.1~rc1-1) unstable; urgency=low * Include possibility to the Identity provider using session->getIdP() -- Thomas Zangerl Fri, 04 Dec 2009 15:00:00 +0100 simplesamlphp (1.5.0~rc1-1) unstable; urgency=low * Move to new modularized SAML provider for authN -- Thomas Zangerl Fri, 30 Oct 2009 11:21:04 +0100