simplesamlphp (1.14.0-1ubuntu1) xenial; urgency=medium

  * Update to PHP7.0 dependencies (LP: #1544352).

 -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Thu, 24 Mar 2016 17:19:25 -0700

simplesamlphp (1.14.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 17 Feb 2016 10:18:12 +0000

simplesamlphp (1.13.2-1) unstable; urgency=medium

  * New upstream bugfix release.
    - Incorporates xmlc14n.patch.
  * Fix typo in package description (closes: #781020).

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 30 Apr 2015 13:51:36 +0000

simplesamlphp (1.13.1-2) unstable; urgency=medium

  * Add xmlc14n.patch fixing extreme resource consumption when processing
    large metadata files (closes: #772121).
    See: https://simplesamlphp.org/metaprocessing 

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 05 Dec 2014 10:13:00 +0000

simplesamlphp (1.13.1-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 27 Oct 2014 19:23:35 +0000

simplesamlphp (1.13.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 25 Sep 2014 18:26:11 +0000

simplesamlphp (1.12.0-1) unstable; urgency=medium

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 24 Mar 2014 17:53:33 +0100

simplesamlphp (1.12.0~rc2-1) unstable; urgency=medium

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 05 Mar 2014 14:18:31 +0100

simplesamlphp (1.12.0~rc1-1) unstable; urgency=medium

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 26 Feb 2014 16:15:51 +0100

simplesamlphp (1.11.0-1) unstable; urgency=low

  * New upstream release.
  * Add php5-json to Recommends.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 05 Jun 2013 14:25:32 +0200

simplesamlphp (1.11.0~rc1-1) unstable; urgency=low

  * New upstream release candidate.
    - Sanitycheck now works out of the box (closes: #695147).

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 24 May 2013 16:12:45 +0200

simplesamlphp (1.10.0-1) unstable; urgency=low

  * New upstream release.
  * Update packaging to debhelper 9, policy 3.9.4.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 04 Oct 2012 15:17:07 +0200

simplesamlphp (1.9.2-1) unstable; urgency=medium

  * New upstream security release:
    Fix possible issue in PKCS 1.5 encryption when a key is
    correctly decrypted but its length is not the one expected.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 29 Aug 2012 15:43:31 +0000

simplesamlphp (1.9.1-1) unstable; urgency=medium

  * New upstream security release:
    Fix for an attack against PKCS 1.5 in XML encryption.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 06 Aug 2012 12:57:02 +0000

simplesamlphp (1.9.0-1) unstable; urgency=low

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 13 Jun 2012 12:38:09 +0200

simplesamlphp (1.9.0~rc2-1) unstable; urgency=low

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 19 May 2012 16:00:48 +0200

simplesamlphp (1.9.0~rc1-1) unstable; urgency=low

  * New upstream release candidate.
    - Addresses PHP 5.4 compatibility (closes: #658875).
  * Update for Apache 2.4 (closes: #669795).
  * Checked for policy 3.9.3.

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 21 Apr 2012 17:13:15 +0200

simplesamlphp (1.8.2-1) unstable; urgency=high

  * New upstream release, fixes cross site scripting.
    [CVE-2012-0040 CVE-2012-0908]

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 11 Jan 2012 11:19:37 +0100

simplesamlphp (1.8.1-1) unstable; urgency=high

  * New upstream release. Fixes security issues:
    - It may be possible to use an SP as a oracle to decrypt
      encrypted messages sent to that SP. This is the attack
      described in the paper "How to break XML encryption":
      http://dx.doi.org/10.1145/2046707.2046756
    - It may be possible to use the SP as a key oracle which
      can be used to  forge messages from that SP by issuing
      300000-2000000 queries to the SP. This mainly affects
      SPs that use signed authentication requests. The attack
      is described in "Chosen Ciphertext Attacks Against
      Protocols Based on the RSA Encryption Standard PKCS #1.":
      http://www.iacr.org/cryptodb/data/paper.php?pubkey=1037

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 27 Oct 2011 14:19:20 +0200

simplesamlphp (1.8.0-1) unstable; urgency=low

  * New upstream release.

 -- Thijs Kinkhorst <thijs@debian.org>  Mon, 11 Apr 2011 14:14:34 +0200

simplesamlphp (1.7.0-2) unstable; urgency=low

  * Install all config files that simpleSAMLphp ships in config/ under
    our /etc/simplesamlphp/ (closes: #610973).

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 08 Feb 2011 20:39:44 +0100

simplesamlphp (1.7.0-1) experimental; urgency=low

  * New upstream release.
  * Move php5-cli from depends to recommends (closes: #609256).
  * Install example apache.conf.
  * Remove obsolete /usr/share/doc/simplesamlphp/source/*.
  * Set default baseurlpath to 'simplesamlphp/'.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 11 Jan 2011 16:16:59 +0100

simplesamlphp (1.7.0~rc1-1) UNRELEASED; urgency=low

  * New upstream release candidate.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 24 Dec 2010 16:52:56 +0100

simplesamlphp (1.6.3-1+uvt1) unstable; urgency=low

  * Apply disco_scope.patch: allow the scopedIDPlist to be passed in a
    POST request to avoid running into browser request length limitations.
    Needed for Confusa 0.7. Patch accepted upstream.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 17 Dec 2010 14:26:05 +0100

simplesamlphp (1.6.3-1) unstable; urgency=high

  * New upstream release fixing XSS security bug.

 -- Thijs Kinkhorst <thijs@debian.org>  Fri, 17 Dec 2010 14:16:25 +0100

simplesamlphp (1.6.2-1) unstable; urgency=high

  * New upstream release.
  * Includes security fixes: XSS possible in certain circumstances.
  * Checked for policy 3.9.1, no changes necessary.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 29 Jul 2010 14:47:21 +0200

simplesamlphp (1.6.1-1) unstable; urgency=low

  * New upstream release.
  * Remove version specifiers from dependencies where these are
    satisfied even in oldstable. Besides cleanup this solves an
    issue with php5-mhash, which is a virtual package in squeeze
    and up, and dependencies on virtual packages may not be
    versioned per Debian Policy.
  * Checked for policy 3.9.0, no changes necessary.
  * Install changelog in expected location.

 -- Thijs Kinkhorst <thijs@debian.org>  Wed, 30 Jun 2010 18:38:40 +0200

simplesamlphp (1.6.0-1) unstable; urgency=low

  * New upstream release.
  * Initial Debian upload (closes: #557514).
  * Depend on php-openid and do not ship code contained theirin.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 01 Jun 2010 23:32:02 +0200

simplesamlphp (1.6.0~rc1-1) unstable; urgency=low

  * New upstream release candidate.
  * Make packaging conform better to Debian policy.
  * Switch to dpkg-source 3.0 (quilt) format.

 -- Thijs Kinkhorst <thijs@debian.org>  Tue, 25 May 2010 16:54:59 +0200

simplesamlphp (1.5.1-1) unstable; urgency=low

  * Fix security vulnerability due to insecure temp file creation:
  - statistics: The logcleaner script outputs to a file in /tmp.
  -  InfoCard: Saves state directly in /tmp. Changed to the simpleSAMLphp
     temp directory.
  - openidProvider: Default configuration saves state information in /tmp.
    Changed to '/var/lib/simplesamlphp-openid-provider'.
  - SAML 1 artifact support: Saves certificates temporarily in
    '/tmp/simplesaml', but directory creation was insecure.
 
  * statistics: Handle new year wraparound.
  * Dictionary updates.
  * Fix bridged logout.
  * Some documentation updates.
  * Fix all metadata to use assignments to arrays.
  * Fix $session->getIdP().
  * Support AuthnContextClassRef in saml-module.
  * Do not attempt to send logout request to an IdP that does not support
    logout.
  * LDAP: Disallow bind with empty password.
  * LDAP: Assume that LDAP_NO_SUCH_OBJECT is an error due to invalid
    username/password.
  * statistics: Fix configuration template.
  * Handle missing authority in idp-hosted metadata better.

 -- Thomas Zangerl <tzangerl@pdc.kth.se>  Mon, 11 Jan 2010 13:51:28 +0100

simplesamlphp (1.5.1~rc1-1) unstable; urgency=low

  * Include possibility to the Identity provider using session->getIdP()

 -- Thomas Zangerl <tzangerl@pdc.kth.se>  Fri, 04 Dec 2009 15:00:00 +0100

simplesamlphp (1.5.0~rc1-1) unstable; urgency=low

  * Move to new modularized SAML provider for authN

 -- Thomas Zangerl <tzangerl@pdc.kth.se>  Fri, 30 Oct 2009 11:21:04 +0100

