
Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]



Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my backport of package "xml-security-c"
to wheezy-backports-sloppy as a first step to backporting other
Shibboleth packages to wheezy and jessie (see
https://qa.debian.org/developer.php?email=pkg-shibboleth-devel%40lists.alioth.debian.org
for a list of Shib packages).

* Package name    : xml-security-c
  Version         : 1.7.3-3~bpo7+1
  Upstream Author : http://santuario.apache.org/team.html
* URL             : http://santuario.apache.org/cindex.html
* License         : Apache-2.0
  Section         : libs

It builds those binary packages:

libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/xml-security-c

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/x/xml-security-c/xml-security-c_1.7.3-3~bpo7+1.dsc

More information about xml-security-c can be obtained from
http://santuario.apache.org/cindex.html.

Changes since the last upload (wheezy 1.6.1-5+deb7u2):

 xml-security-c (1.7.3-3~bpo7+1) wheezy-backports-sloppy; urgency=medium
 .
   [ Etienne Dysli Metref ]
   * Rebuild for wheezy-backports-sloppy.
   * [aba87f7] New patch
     Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch
 .
 xml-security-c (1.7.3-3) unstable; urgency=medium
 .
   * [dee8abd] New patch Only-add-found-packages-to-the-pkg-config-
     dependenci.patch
 .
 xml-security-c (1.7.3-2) unstable; urgency=medium
 .
   * [9af4b2f] New patches fixing GCC-6 FTBFS, warnings and typos
     (Closes: #811620)
   * [eb1af76] Update Standards-Version to 3.9.8 (no changes needed)
   * [e742472] Switch to secure VCS URIs
   * [894b638] New patch Use-pkg-config-for-Xerces-OpenSSL-and-NSS-and-
     provid.patch
   * [64c49b7] New patch We-do-not-use-pthreads-threadtest.cpp-is-Windows-
     onl.patch
   * [a5a8a19] The build system now links with the needed libraries only
 .
 xml-security-c (1.7.3-1) unstable; urgency=medium
 .
   * [df661d6] Check signature in watch file
   * [b78a045] Add debian/gbp.conf enabling pristine-tar
   * [ca9476a] Imported Upstream version 1.7.3
   * [f8b635d] Delete upstreamed patch "Avoid use of PATH_MAX where
     possible"
   * [9d2337f] Switch watch file to check for bzip-compressed archives
   * [f95b4ef] The default compressor is xz since jessie
   * [ed19f44] Renaming of the binaries happens via a patch since 4771f62
     and 017dc35
   * [34dd591] Enable all hardening features
   * [893eda7] Remove superfluous dh_clean override
   * [2207b52] Fail package build if any installed file is left out in
     the future
   * [62c8d2f] Add myself to Uploaders
   * [4afa12e] Update Standards-Version to 3.9.6 (no changes needed)
   * [d338569] Since 2b8a713 we've got proper patch files
   * [cd68dec] Enable commit ids in gbp dch
   * [71cc459] Add version number to the manual pages
   * [e544a7b] Run wrap-and-sort -ast on the package
   * [cf73c2b] Get rid of patch numbers
   * [0832cf9] New patch
     Avoid-forward-incompatibility-warnings-from-Automake.patch
   * [3099c82] Comment the --as-needed tricks
   * [e26686c] Update debian/copyright
   * [3fad239] Add NOTICE.txt to all binary packages
   * [4eaef76] Incorporate the 1.7.2-3.1 NMU.  Thanks to Julien Cristau.
 .
 xml-security-c (1.7.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Rename library packages for g++5 ABI transition (closes: 791323).
 .
 xml-security-c (1.7.2-3) unstable; urgency=medium
 .
   * Avoid use of PATH_MAX where possible by using getcwd to allocate the
     appropriate size string.  Fixes FTBFS on GNU/Hurd.  Patch from Svante
     Signell.  (Closes: #735162)
   * Convert all Debian patches to separate patch files managed via
     gbp pq.
   * Update standards version to 3.9.5 (no changes required).
 .
 xml-security-c (1.7.2-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code.  Fix that heap
       overflow.  (Closes: #714241, CVE-2013-2210)
 .
 xml-security-c (1.7.1-1) experimental; urgency=high
 .
   * New upstream release.
     - Fix a spoofing vulnerability that allows an attacker to reuse
       existing signatures with arbitrary content.  (CVE-2013-2153)
     - Fix a stack overflow in the processing of malformed XPointer
       expressions in the XML Signature Reference processing code.
       (CVE-2013-2154)
     - Fix processing of the output length of an HMAC-based XML Signature
       that could cause a denial of service when processing specially
       chosen input.  (CVE-2013-2155)
     - Fix a heap overflow in the processing of the PrefixList attribute
       optionally used in conjunction with Exclusive Canonicalization,
       potentially allowing arbitrary code execution. (CVE-2013-2156)
     - Reduce entity expansion limits when parsing.
     - New --id option to the xenc-checksig utility.
   * Rename the binaries in the xml-security-c-utils package to start with
     xsec-* instead of xmlsec-*.  This reflects the common abbreviation
     used by the package.
 .
 xml-security-c (1.7.0-1) experimental; urgency=low
 .
   * New upstream release.
     - AES-GCM support.
     - XML Encryption 1.1 OAEP enhancements.
   * Increase versioned dependency on libssl-dev to ensure that we have
     AES-GCM support.  (This only matters for backports to squeeze.)
   * Mark libxml-security-c-dev as Multi-Arch: same.
   * Add new xml-security-c-utils package that contains the utility
     programs included with the library.  Rename the binaries to add
     "xmlsec-" to the beginning of the names, since some of the programs
     are otherwise rather generic.  Add man pages for each of the
     programs.
     (Closes: #682830)
   * Switch from autotools-dev to dh-autoreconf and regenerate the entire
     build system during the build, not just the config.guess and
     config.sub scripts, and add --as-needed.
   * Add -fPIE to hardening flags since we're now installing binaries.
   * Move single-debian-patch to local-options and patch-header to
     local-patch-header so that they only apply to the packages built from
     the canonical Git repository and NMUs get regular version-numbered
     patches.
   * Switch to xz compression for *.debian.tar and the *.deb packages.
   * Use canonical URLs for Vcs-Browser and Vcs-Git.
   * Update standards version to 3.9.4.
     - Update debian/copyright to specify copyright-format 1.0.


Sincerely,
   Etienne Dysli Metref
