Bug#833909: RFS: xml-security-c/1.7.3-3~bpo7+1 [BPO]
Package: sponsorship-requests
Severity: normal
Dear mentors,
I am looking for a sponsor for my backport of package "xml-security-c"
to wheezy-backports-sloppy as a first step to backporting other
Shibboleth packages to wheezy and jessie (see
https://qa.debian.org/developer.php?email=pkg-shibboleth-devel%40lists.alioth.debian.org
for a list of Shib packages).
* Package name : xml-security-c
Version : 1.7.3-3~bpo7+1
Upstream Author : http://santuario.apache.org/team.html
* URL : http://santuario.apache.org/cindex.html
* License : Apache-2.0
Section : libs
It builds those binary packages:
libxml-security-c-dev - C++ library for XML Digital Signatures (development)
libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
xml-security-c-utils - C++ library for XML Digital Signatures (utilities)
To access further information about this package, please visit the
following URL:
https://mentors.debian.net/package/xml-security-c
Alternatively, one can download the package with dget using this command:
dget -x https://mentors.debian.net/debian/pool/main/x/xml-security-c/xml-security-c_1.7.3-3~bpo7+1.dsc
More information about xml-security-c can be obtained from
http://santuario.apache.org/cindex.html.
Changes since the last upload (wheezy 1.6.1-5+deb7u2):
xml-security-c (1.7.3-3~bpo7+1) wheezy-backports-sloppy; urgency=medium
.
[ Etienne Dysli Metref ]
* Rebuild for wheezy-backports-sloppy.
* [aba87f7] New patch Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch
.
xml-security-c (1.7.3-3) unstable; urgency=medium
.
* [dee8abd] New patch Only-add-found-packages-to-the-pkg-config-dependenci.patch
.
xml-security-c (1.7.3-2) unstable; urgency=medium
.
* [9af4b2f] New patches fixing GCC-6 FTBFS, warnings and typos
(Closes: #811620)
* [eb1af76] Update Standards-Version to 3.9.8 (no changes needed)
* [e742472] Switch to secure VCS URIs
* [894b638] New patch Use-pkg-config-for-Xerces-OpenSSL-and-NSS-and-provid.patch
* [64c49b7] New patch We-do-not-use-pthreads-threadtest.cpp-is-Windows-onl.patch
* [a5a8a19] The build system now links with the needed libraries only
.
xml-security-c (1.7.3-1) unstable; urgency=medium
.
* [df661d6] Check signature in watch file
* [b78a045] Add debian/gbp.conf enabling pristine-tar
* [ca9476a] Imported Upstream version 1.7.3
* [f8b635d] Delete upstreamed patch "Avoid use of PATH_MAX where
possible"
* [9d2337f] Switch watch file to check for bzip-compressed archives
* [f95b4ef] The default compressor is xz since jessie
* [ed19f44] Renaming of the binaries happens via a patch since 4771f62 and 017dc35
* [34dd591] Enable all hardening features
* [893eda7] Remove superfluous dh_clean override
* [2207b52] Fail package build if any installed file is left out in
the future
* [62c8d2f] Add myself to Uploaders
* [4afa12e] Update Standards-Version to 3.9.6 (no changes needed)
* [d338569] Since 2b8a713 we've got proper patch files
* [cd68dec] Enable commit ids in gbp dch
* [71cc459] Add version number to the manual pages
* [e544a7b] Run wrap-and-sort -ast on the package
* [cf73c2b] Get rid of patch numbers
* [0832cf9] New patch Avoid-forward-incompatibility-warnings-from-Automake.patch
* [3099c82] Comment the --as-needed tricks
* [e26686c] Update debian/copyright
* [3fad239] Add NOTICE.txt to all binary packages
* [4eaef76] Incorporate the 1.7.2-3.1 NMU. Thanks to Julien Cristau.
.
xml-security-c (1.7.2-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Rename library packages for g++5 ABI transition (closes: 791323).
.
xml-security-c (1.7.2-3) unstable; urgency=medium
.
* Avoid use of PATH_MAX where possible by using getcwd to allocate the
appropriate size string. Fixes FTBFS on GNU/Hurd. Patch from Svante
Signell. (Closes: #735162)
* Convert all Debian patches to separate patch files managed via
gbp pq.
* Update standards version to 3.9.5 (no changes required).
.
xml-security-c (1.7.2-2) unstable; urgency=low
.
* Upload to unstable.
.
xml-security-c (1.7.2-1) experimental; urgency=high
.
* New upstream release.
- The attempted fix to address CVE-2013-2154 introduced the
possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in
the XML Signature Reference processing code. Fix that heap
overflow. (Closes: #714241, CVE-2013-2210)
.
xml-security-c (1.7.1-1) experimental; urgency=high
.
* New upstream release.
- Fix a spoofing vulnerability that allows an attacker to reuse
existing signatures with arbitrary content. (CVE-2013-2153)
- Fix a stack overflow in the processing of malformed XPointer
expressions in the XML Signature Reference processing code.
(CVE-2013-2154)
- Fix processing of the output length of an HMAC-based XML Signature
that could cause a denial of service when processing specially
chosen input. (CVE-2013-2155)
- Fix a heap overflow in the processing of the PrefixList attribute
optionally used in conjunction with Exclusive Canonicalization,
potentially allowing arbitrary code execution. (CVE-2013-2156)
- Reduce entity expansion limits when parsing.
- New --id option to the xenc-checksig utility.
* Rename the binaries in the xml-security-c-utils package to start with
xsec-* instead of xmlsec-*. This reflects the common abbreviation
used by the package.
.
xml-security-c (1.7.0-1) experimental; urgency=low
.
* New upstream release.
- AES-GCM support.
- XML Encryption 1.1 OAEP enhancements.
* Increase versioned dependency on libssl-dev to ensure that we have
AES-GCM support. (This only matters for backports to squeeze.)
* Mark libxml-security-c-dev as Multi-Arch: same.
* Add new xml-security-c-utils package that contains the utility
programs included with the library. Rename the binaries to add
"xmlsec-" to the beginning of the names, since some of the programs
are otherwise rather generic. Add man pages for each of the
programs.
(Closes: #682830)
* Switch from autotools-dev to dh-autoreconf and regenerate the entire
build system during the build, not just the config.guess and
config.sub scripts, and add --as-needed.
* Add -fPIE to hardening flags since we're now installing binaries.
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages built from
the canonical Git repository and NMUs get regular version-numbered
patches.
* Switch to xz compression for *.debian.tar and the *.deb packages.
* Use canonical URLs for Vcs-Browser and Vcs-Git.
* Update standards version to 3.9.4.
- Update debian/copyright to specify copyright-format 1.0.
Sincerely,
Etienne Dysli Metref