simplesamlphp (1.19.7-1+deb12u1) bookworm-security; urgency=high

  * Upload to the security archive.
  * Fix CVE-2024-52596

 -- Thijs Kinkhorst <thijs@debian.org>  Sun, 01 Dec 2024 16:41:33 +0100

simplesamlphp (1.19.7-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 04 Jan 2023 13:43:34 +0000

simplesamlphp (1.19.6-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 06 Dec 2022 09:51:15 +0000

simplesamlphp (1.19.1-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * source only upload to enable migration (Closes: #993116)

 -- Paul Gevers <elbrus@debian.org>  Fri, 27 Aug 2021 15:52:05 +0200

simplesamlphp (1.19.1-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 10 May 2021 08:06:04 +0000

simplesamlphp (1.19.0-1) unstable; urgency=medium

  * New upstream release.
  * Bump policy version to 4.5.1, no changes.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 22 Jan 2021 09:09:05 +0000

simplesamlphp (1.18.8-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 04 Sep 2020 10:14:32 +0000

simplesamlphp (1.18.7-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 15 May 2020 08:02:39 +0000

simplesamlphp (1.18.6-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 20 Apr 2020 07:33:20 +0000

simplesamlphp (1.18.5-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 20 Mar 2020 09:38:32 +0000

simplesamlphp (1.18.4-1) unstable; urgency=medium

  * New upstream release.
  * Upgrade standards version to 4.5.0, no changes required.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 24 Jan 2020 12:32:24 +0000

simplesamlphp (1.18.1-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 26 Nov 2019 15:02:47 +0000

simplesamlphp (1.17.6-2) unstable; urgency=critical

  * Fix security issue CVE-2019-3465.

 -- Thijs Kinkhorst <thijs@debian.org>  Sun, 03 Nov 2019 05:32:21 +0000

simplesamlphp (1.17.6-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 30 Aug 2019 10:13:42 +0000

simplesamlphp (1.17.5-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 20 Aug 2019 09:36:09 +0000

simplesamlphp (1.17.4-1) unstable; urgency=medium

  * New upstream release.
  * Switch to dh.
  * Update to policy 4.4.0.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 11 Jul 2019 11:45:51 +0000

simplesamlphp (1.17.3-1) unstable; urgency=medium

  * New upstream release.
    - Fixes SSPSA 201907-01.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 10 Jul 2019 11:42:59 +0000

simplesamlphp (1.17.2-2) unstable; urgency=medium

  * Fix duplicate definition of metadatadir in Debian version
    of initial configuration file.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 18 Apr 2019 13:33:26 +0000

simplesamlphp (1.17.2-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 03 Apr 2019 17:51:12 +0000

simplesamlphp (1.17.1-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 07 Mar 2019 14:45:50 +0000

simplesamlphp (1.17.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 07 Mar 2019 13:24:26 +0000

simplesamlphp (1.17.0~rc3-1) unstable; urgency=medium

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 30 Jan 2019 15:30:05 +0000

simplesamlphp (1.16.3-1) unstable; urgency=medium

  [ Thijs Kinkhorst ]
  * New upstream release.
    - Fixes low impact security issue SSPSA 201812-01.

  [ Ondřej Nový ]
  * d/changelog: Remove trailing whitespaces
  * d/control: Remove trailing whitespaces
  * d/rules: Remove trailing whitespaces

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 21 Dec 2018 13:46:17 +0000

simplesamlphp (1.16.2-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 29 Sep 2018 09:33:14 +0000

simplesamlphp (1.16.1-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 07 Sep 2018 15:00:04 +0000

simplesamlphp (1.16.0-1) unstable; urgency=medium

  * New upstream release.
  * Checked for policy 4.2.1, no changes.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 06 Sep 2018 10:19:52 +0000

simplesamlphp (1.15.4-1) unstable; urgency=high

  * New upstream release.
    - Fixes medium security issue SSPSA 201803-01.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 03 Mar 2018 09:36:50 +0000

simplesamlphp (1.15.3-1) unstable; urgency=high

  * New upstream release.
    - Fixes security issue SSPSA 201802-01 / CVE-2018-7644

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 27 Feb 2018 11:58:17 +0000

simplesamlphp (1.15.2-1) unstable; urgency=medium

  * New upstream release.
    - Fixes security issue SSPSA 201801-03 CVE-2018-6521
    - Fixes security issue SSPSA 201801-02 CVE-2018-6520
    - Fixes security issue SSPSA 201801-01 CVE-2018-6519

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 31 Jan 2018 13:39:37 +0000

simplesamlphp (1.15.1-1) unstable; urgency=medium

  * New upstream release.
  * Remove symlink, copyright info related to removed modules.
    (Closes: #857820)
  * Upgraded to debhelper 11 and policy 4.1.3.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 12 Jan 2018 13:24:45 +0000

simplesamlphp (1.15.0-1) unstable; urgency=medium

  * New upstream release.
    - Obsoletes php-mcrypt dependency.
  * Checked for policy 4.1.1.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 20 Nov 2017 19:41:02 +0000

simplesamlphp (1.14.15-1) unstable; urgency=medium

  * New upstream release.
    - Fixes security issues SSPSA 201703-01, SSPSA 201703-02,
      SSPSA 201704-01, SSPSA 201704-02, SSPSA 201705-01 and
      SSPSA 201708-01.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 14 Aug 2017 14:41:15 +0000

simplesamlphp (1.14.11-1) unstable; urgency=medium

  * New upstream release.
    - Fixes security issues SSPSA 201612-02 & SSPSA 201612-03.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 13 Dec 2016 08:24:57 +0000

simplesamlphp (1.14.10-1) unstable; urgency=high

  * New upstream release.
    - Fixes security issue SSPSA 201612-01.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 03 Dec 2016 08:04:20 +0000

simplesamlphp (1.14.9-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 14 Nov 2016 09:05:41 +0000

simplesamlphp (1.14.8-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 23 Aug 2016 12:29:51 +0000

simplesamlphp (1.14.7-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 01 Aug 2016 14:09:15 +0000

simplesamlphp (1.14.6-1) unstable; urgency=medium

  * New upstream release.
  * Improve dependencies: do not depend on any specific PHP SAPI and
    clean up obsolete requirements. Thanks Wessel Dankers for reporting.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 20 Jul 2016 14:59:30 +0000

simplesamlphp (1.14.5-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 13 Jul 2016 12:19:08 +0000

simplesamlphp (1.14.4-1) unstable; urgency=medium

  * New upstream release.
  * Checked for policy 3.9.7, no changes.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 09 Jun 2016 07:42:06 +0000

simplesamlphp (1.14.3-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 19 Apr 2016 12:57:16 +0000

simplesamlphp (1.14.2-2) unstable; urgency=medium

  * Update dependencies:
    - php5 -> php; remove obsolete php5-mhash
    - remove php-openid, php-xml-parser as dependencies;
      only used for the niche OpenID module. (Closes: #818800)

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 05 Apr 2016 13:25:40 +0000

simplesamlphp (1.14.2-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 14 Mar 2016 12:49:17 +0000

simplesamlphp (1.14.1-1) unstable; urgency=high

  * New upstream release.
    - Fixes PHP version number disclosure (closes: #817162).
  * Checked for policy 3.9.7, no changes.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 08 Mar 2016 16:41:16 +0000

simplesamlphp (1.14.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 17 Feb 2016 10:18:12 +0000

simplesamlphp (1.13.2-1) unstable; urgency=medium

  * New upstream bugfix release.
    - Incorporates xmlc14n.patch.
  * Fix typo in package description (closes: #781020).

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 30 Apr 2015 13:51:36 +0000

simplesamlphp (1.13.1-2) unstable; urgency=medium

  * Add xmlc14n.patch fixing extreme resource consumption when processing
    large metadata files (closes: #772121).
    See: https://simplesamlphp.org/metaprocessing

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 05 Dec 2014 10:13:00 +0000

simplesamlphp (1.13.1-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 27 Oct 2014 19:23:35 +0000

simplesamlphp (1.13.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 25 Sep 2014 18:26:11 +0000

simplesamlphp (1.12.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 24 Mar 2014 17:53:33 +0100

simplesamlphp (1.12.0~rc2-1) unstable; urgency=medium

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 05 Mar 2014 14:18:31 +0100

simplesamlphp (1.12.0~rc1-1) unstable; urgency=medium

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 26 Feb 2014 16:15:51 +0100

simplesamlphp (1.11.0-1) unstable; urgency=low

  * New upstream release.
  * Add php5-json to Recommends.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 05 Jun 2013 14:25:32 +0200

simplesamlphp (1.11.0~rc1-1) unstable; urgency=low

  * New upstream release candidate.
    - Sanitycheck now works out of the box (closes: #695147).

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 24 May 2013 16:12:45 +0200

simplesamlphp (1.10.0-1) unstable; urgency=low

  * New upstream release.
  * Update packaging to debhelper 9, policy 3.9.4.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 04 Oct 2012 15:17:07 +0200

simplesamlphp (1.9.2-1) unstable; urgency=medium

  * New upstream security release:
    Fix possible issue in PKCS 1.5 encryption when a key is
    correctly decrypted but its length is not the one expected.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 29 Aug 2012 15:43:31 +0000

simplesamlphp (1.9.1-1) unstable; urgency=medium

  * New upstream security release:
    Fix for an attack against PKCS 1.5 in XML encryption.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 06 Aug 2012 12:57:02 +0000

simplesamlphp (1.9.0-1) unstable; urgency=low

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 13 Jun 2012 12:38:09 +0200

simplesamlphp (1.9.0~rc2-1) unstable; urgency=low

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 19 May 2012 16:00:48 +0200

simplesamlphp (1.9.0~rc1-1) unstable; urgency=low

  * New upstream release candidate.
    - Addresses PHP 5.4 compatibility (closes: #658875).
  * Update for Apache 2.4 (closes: #669795).
  * Checked for policy 3.9.3.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 21 Apr 2012 17:13:15 +0200

simplesamlphp (1.8.2-1) unstable; urgency=high

  * New upstream release, fixes cross site scripting.
    [CVE-2012-0040 CVE-2012-0908]

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 11 Jan 2012 11:19:37 +0100

simplesamlphp (1.8.1-1) unstable; urgency=high

  * New upstream release. Fixes security issues:
    - It may be possible to use an SP as a oracle to decrypt
      encrypted messages sent to that SP. This is the attack
      described in the paper "How to break XML encryption":
      http://dx.doi.org/10.1145/2046707.2046756
    - It may be possible to use the SP as a key oracle which
      can be used to  forge messages from that SP by issuing
      300000-2000000 queries to the SP. This mainly affects
      SPs that use signed authentication requests. The attack
      is described in "Chosen Ciphertext Attacks Against
      Protocols Based on the RSA Encryption Standard PKCS #1.":
      http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 27 Oct 2011 14:19:20 +0200

simplesamlphp (1.8.0-1) unstable; urgency=low

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 11 Apr 2011 14:14:34 +0200

simplesamlphp (1.7.0-2) unstable; urgency=low

  * Install all config files that simpleSAMLphp ships in config/ under
    our /etc/simplesamlphp/ (closes: #610973).

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 08 Feb 2011 20:39:44 +0100

simplesamlphp (1.7.0-1) experimental; urgency=low

  * New upstream release.
  * Move php5-cli from depends to recommends (closes: #609256).
  * Install example apache.conf.
  * Remove obsolete /usr/share/doc/simplesamlphp/source/*.
  * Set default baseurlpath to 'simplesamlphp/'.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 11 Jan 2011 16:16:59 +0100

simplesamlphp (1.7.0~rc1-1) UNRELEASED; urgency=low

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 24 Dec 2010 16:52:56 +0100

simplesamlphp (1.6.3-1+uvt1) unstable; urgency=low

  * Apply disco_scope.patch: allow the scopedIDPlist to be passed in a
    POST request to avoid running into browser request length limitations.
    Needed for Confusa 0.7. Patch accepted upstream.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 17 Dec 2010 14:26:05 +0100

simplesamlphp (1.6.3-1) unstable; urgency=high

  * New upstream release fixing XSS security bug.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 17 Dec 2010 14:16:25 +0100

simplesamlphp (1.6.2-1) unstable; urgency=high

  * New upstream release.
  * Includes security fixes: XSS possible in certain circumstances.
  * Checked for policy 3.9.1, no changes necessary.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 29 Jul 2010 14:47:21 +0200

simplesamlphp (1.6.1-1) unstable; urgency=low

  * New upstream release.
  * Remove version specifiers from dependencies where these are
    satisfied even in oldstable. Besides cleanup this solves an
    issue with php5-mhash, which is a virtual package in squeeze
    and up, and dependencies on virtual packages may not be
    versioned per Debian Policy.
  * Checked for policy 3.9.0, no changes necessary.
  * Install changelog in expected location.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 30 Jun 2010 18:38:40 +0200

simplesamlphp (1.6.0-1) unstable; urgency=low

  * New upstream release.
  * Initial Debian upload (closes: #557514).
  * Depend on php-openid and do not ship code contained theirin.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 01 Jun 2010 23:32:02 +0200

simplesamlphp (1.6.0~rc1-1) unstable; urgency=low

  * New upstream release candidate.
  * Make packaging conform better to Debian policy.
  * Switch to dpkg-source 3.0 (quilt) format.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 25 May 2010 16:54:59 +0200

simplesamlphp (1.5.1-1) unstable; urgency=low

  * Fix security vulnerability due to insecure temp file creation:
  - statistics: The logcleaner script outputs to a file in /tmp.
  -  InfoCard: Saves state directly in /tmp. Changed to the simpleSAMLphp
     temp directory.
  - openidProvider: Default configuration saves state information in /tmp.
    Changed to '/var/lib/simplesamlphp-openid-provider'.
  - SAML 1 artifact support: Saves certificates temporarily in
    '/tmp/simplesaml', but directory creation was insecure.

  * statistics: Handle new year wraparound.
  * Dictionary updates.
  * Fix bridged logout.
  * Some documentation updates.
  * Fix all metadata to use assignments to arrays.
  * Fix $session->getIdP().
  * Support AuthnContextClassRef in saml-module.
  * Do not attempt to send logout request to an IdP that does not support
    logout.
  * LDAP: Disallow bind with empty password.
  * LDAP: Assume that LDAP_NO_SUCH_OBJECT is an error due to invalid
    username/password.
  * statistics: Fix configuration template.
  * Handle missing authority in idp-hosted metadata better.

 -- Thomas Zangerl <tzangerl@pdc.kth.se>  Mon, 11 Jan 2010 13:51:28 +0100

simplesamlphp (1.5.1~rc1-1) unstable; urgency=low

  * Include possibility to the Identity provider using session->getIdP()

 -- Thomas Zangerl <tzangerl@pdc.kth.se>  Fri, 04 Dec 2009 15:00:00 +0100

simplesamlphp (1.5.0~rc1-1) unstable; urgency=low

  * Move to new modularized SAML provider for authN

 -- Thomas Zangerl <tzangerl@pdc.kth.se>  Fri, 30 Oct 2009 11:21:04 +0100