
Bug#833909: marked as done (RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO])



Your message dated Thu, 11 Aug 2016 09:10:21 +0200
with message-id <f8334ad7-8bbf-37cf-ca41-897841455b65@switch.ch>
and subject line Re: Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]
has caused the Debian Bug report #833909,
regarding RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
833909: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833909
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my backport of package "xml-security-c"
to wheezy-backports-sloppy as a first step to backporting other
Shibboleth packages to wheezy and jessie (see
https://qa.debian.org/developer.php?email=pkg-shibboleth-devel%40lists.alioth.debian.org
for a list of Shib packages).

* Package name    : xml-security-c
  Version         : 1.7.3-3~bpo7+1
  Upstream Author : http://santuario.apache.org/team.html
* URL             : http://santuario.apache.org/cindex.html
* License         : Apache-2.0
  Section         : libs

It builds those binary packages:

libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/xml-security-c

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/x/xml-security-c/xml-security-c_1.7.3-3~bpo7+1.dsc

More information about xml-security-c can be obtained from
http://santuario.apache.org/cindex.html.

Changes since the last upload (wheezy 1.6.1-5+deb7u2):

 xml-security-c (1.7.3-3~bpo7+1) wheezy-backports-sloppy; urgency=medium
 .
   [ Etienne Dysli Metref ]
   * Rebuild for wheezy-backports-sloppy.
   * [aba87f7] New patch
     Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch
 .
 xml-security-c (1.7.3-3) unstable; urgency=medium
 .
   * [dee8abd] New patch Only-add-found-packages-to-the-pkg-config-
     dependenci.patch
 .
 xml-security-c (1.7.3-2) unstable; urgency=medium
 .
   * [9af4b2f] New patches fixing GCC-6 FTBFS, warnings and typos
     (Closes: #811620)
   * [eb1af76] Update Standards-Version to 3.9.8 (no changes needed)
   * [e742472] Switch to secure VCS URIs
   * [894b638] New patch Use-pkg-config-for-Xerces-OpenSSL-and-NSS-and-
     provid.patch
   * [64c49b7] New patch We-do-not-use-pthreads-threadtest.cpp-is-Windows-
     onl.patch
   * [a5a8a19] The build system now links with the needed libraries only
 .
 xml-security-c (1.7.3-1) unstable; urgency=medium
 .
   * [df661d6] Check signature in watch file
   * [b78a045] Add debian/gbp.conf enabling pristine-tar
   * [ca9476a] Imported Upstream version 1.7.3
   * [f8b635d] Delete upstreamed patch "Avoid use of PATH_MAX where possible"
   * [9d2337f] Switch watch file to check for bzip-compressed archives
   * [f95b4ef] The default compressor is xz since jessie
   * [ed19f44] Renaming of the binaries happens via a patch since 4771f62 and
     017dc35
   * [34dd591] Enable all hardening features
   * [893eda7] Remove superfluous dh_clean override
   * [2207b52] Fail package build if any installed file is left out in the future
   * [62c8d2f] Add myself to Uploaders
   * [4afa12e] Update Standards-Version to 3.9.6 (no changes needed)
   * [d338569] Since 2b8a713 we've got proper patch files
   * [cd68dec] Enable commit ids in gbp dch
   * [71cc459] Add version number to the manual pages
   * [e544a7b] Run wrap-and-sort -ast on the package
   * [cf73c2b] Get rid of patch numbers
   * [0832cf9] New patch
     Avoid-forward-incompatibility-warnings-from-Automake.patch
   * [3099c82] Comment the --as-needed tricks
   * [e26686c] Update debian/copyright
   * [3fad239] Add NOTICE.txt to all binary packages
   * [4eaef76] Incorporate the 1.7.2-3.1 NMU.  Thanks to Julien Cristau.
 .
 xml-security-c (1.7.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Rename library packages for g++5 ABI transition (closes: 791323).
 .
 xml-security-c (1.7.2-3) unstable; urgency=medium
 .
   * Avoid use of PATH_MAX where possible by using getcwd to allocate the
     appropriate size string.  Fixes FTBFS on GNU/Hurd.  Patch from Svante
     Signell.  (Closes: #735162)
   * Convert all Debian patches to separate patch files managed via gbp pq.
   * Update standards version to 3.9.5 (no changes required).
 .
 xml-security-c (1.7.2-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code.  Fix that heap
       overflow.  (Closes: #714241, CVE-2013-2210)
 .
 xml-security-c (1.7.1-1) experimental; urgency=high
 .
   * New upstream release.
     - Fix a spoofing vulnerability that allows an attacker to reuse
       existing signatures with arbitrary content.  (CVE-2013-2153)
     - Fix a stack overflow in the processing of malformed XPointer
       expressions in the XML Signature Reference processing code.
       (CVE-2013-2154)
     - Fix processing of the output length of an HMAC-based XML Signature
       that could cause a denial of service when processing specially
       chosen input.  (CVE-2013-2155)
     - Fix a heap overflow in the processing of the PrefixList attribute
       optionally used in conjunction with Exclusive Canonicalization,
       potentially allowing arbitrary code execution. (CVE-2013-2156)
     - Reduce entity expansion limits when parsing.
     - New --id option to the xenc-checksig utility.
   * Rename the binaries in the xml-security-c-utils package to start with
     xsec-* instead of xmlsec-*.  This reflects the common abbreviation
     used by the package.
 .
 xml-security-c (1.7.0-1) experimental; urgency=low
 .
   * New upstream release.
     - AES-GCM support.
     - XML Encryption 1.1 OAEP enhancements.
   * Increase versioned dependency on libssl-dev to ensure that we have
     AES-GCM support.  (This only matters for backports to squeeze.)
   * Mark libxml-security-c-dev as Multi-Arch: same.
   * Add new xml-security-c-utils package that contains the utility
     programs included with the library.  Rename the binaries to add
     "xmlsec-" to the beginning of the names, since some of the programs
     are otherwise rather generic.  Add man pages for each of the programs.
     (Closes: #682830)
   * Switch from autotools-dev to dh-autoreconf and regenerate the entire
     build system during the build, not just the config.guess and
     config.sub scripts, and add --as-needed.
   * Add -fPIE to hardening flags since we're now installing binaries.
   * Move single-debian-patch to local-options and patch-header to
     local-patch-header so that they only apply to the packages built from
     the canonical Git repository and NMUs get regular version-numbered
     patches.
   * Switch to xz compression for *.debian.tar and the *.deb packages.
   * Use canonical URLs for Vcs-Browser and Vcs-Git.
   * Update standards version to 3.9.4.
     - Update debian/copyright to specify copyright-format 1.0.


Sincerely,
   Etienne Dysli Metref
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 10/08/16 13:25, Ferenc Wágner wrote:
> It'd probably make sense to start with a jessie backport, where
> this change is necessary, then branch off the wheezy backport from
> that, and do the PKG_INSTALLDIR change only.

Thank you Gianfranco and Ferenc for your inputs. I'll redo this as a
jessie backport first.

Cheers,
  Etienne
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

--- End Message ---
