Format: 1.8
Date: Wed, 11 Nov 2009 14:39:44 -0800
Source: shibboleth-sp2
Binary: libapache2-mod-shib2 libshibsp4 libshibsp-dev libshibsp-doc shibboleth-sp2-schemas
Architecture: source i386 all
Version: 2.3+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Shib Team <pkg-shibboleth-devel@lists.alioth.debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
 libapache2-mod-shib2 - Federated web single sign-on system (Apache module)
 libshibsp-dev - Federated web single sign-on system (development)
 libshibsp-doc - Federated web single sign-on system (API docs)
 libshibsp4 - Federated web single sign-on system (runtime)
 shibboleth-sp2-schemas - Federated web single sign-on system (schemas)
Closes: 555608
Changes:
 shibboleth-sp2 (2.3+dfsg-1) unstable; urgency=high
 .
   [ Russ Allbery ]
   * Urgency set to high for security fix.
   * New upstream release.
     - SECURITY: Partial fix for improper handling of URLs that could be
       abused for script injection and other cross-site scripting attacks.
       The complete fix also requires newer xmltooling and opensaml2
       packages. (Closes: #555608, CVE-2009-3300)
     - Avoid shibd crash on dead memcache server.
     - Pass the affiliation name to the session initiator.
     - Correctly handle a bogus ACS.
     - Allow overriding the URL that's passed to the DS.
     - Add schema types for new attribute decoders introduced in 2.2.
     - Handle success with partial logout in the logout UI code.
     - Fix POST data preservation with empty parameters and empty forms.
     - Fix SAML 1 specification of attributes in the query plugin.
     - Shorten ePTId-type persistent identifiers.
     - Use an ID rather than a whole doc reference for generated metadata.
     - Fix spelling of scopeDelimiter in the configuration parser, making
       the code and documentation match the schema.
   * Rename library package for upstream SONAME bump.
   * Tighten build and package dependencies on xmltooling and opensaml2 to
     require the versions with the security fix.
   * Fix watch file for the new version mangling.
   * Improve documentation of DAEMON_OPTS in /etc/default/shibd.
   * Remove unnecessary patches to upstream files regenerated during the
     build from the source package diff.
 .
   [ Faidon Liambotis ]
   * Run make install with NOKEYGEN=1 and stop rm-ing generated
     certificates. Fixes FTBFS.
 .
   [ Ferenc Wagner ]
   * Run shibd as non-root.

Accepted:
libapache2-mod-shib2_2.3+dfsg-1_i386.deb
  to main/s/shibboleth-sp2/libapache2-mod-shib2_2.3+dfsg-1_i386.deb
libshibsp-dev_2.3+dfsg-1_i386.deb
  to main/s/shibboleth-sp2/libshibsp-dev_2.3+dfsg-1_i386.deb
libshibsp-doc_2.3+dfsg-1_all.deb
  to main/s/shibboleth-sp2/libshibsp-doc_2.3+dfsg-1_all.deb
libshibsp4_2.3+dfsg-1_i386.deb
  to main/s/shibboleth-sp2/libshibsp4_2.3+dfsg-1_i386.deb
shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
  to main/s/shibboleth-sp2/shibboleth-sp2-schemas_2.3+dfsg-1_all.deb
shibboleth-sp2_2.3+dfsg-1.diff.gz
  to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg-1.diff.gz
shibboleth-sp2_2.3+dfsg-1.dsc
  to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg-1.dsc
shibboleth-sp2_2.3+dfsg.orig.tar.gz
  to main/s/shibboleth-sp2/shibboleth-sp2_2.3+dfsg.orig.tar.gz