webauth (4.0.1-1build1) precise; urgency=low

  * Rebuild for Perl 5.14.

 -- Colin Watson <cjwatson@ubuntu.com>  Thu, 17 Nov 2011 07:47:18 +0000

webauth (4.0.1-1) unstable; urgency=low

  * New upstream release.
    - Change user information service and WebKDC to WebLogin protocols for
      conveying suspicious login information to use the IP address as the
      CDATA and put the hostname in an attribute.
    - Display suspicious logins in WebLogin, forcing a confirmation page.
    - Log the return URL of authentication requests to the WebKDC.
    - Reduce mod_webauth log level when retrieving credentials.

 -- Russ Allbery <rra@debian.org>  Fri, 23 Sep 2011 13:42:17 -0700

webauth (4.0.0-2) unstable; urgency=low

  * Fix a variety of uninitialized variables and memory leaks in the
    libwebauth library and the test suite.  Thanks, Christoph Egger and
    Aaron M. Ucko.  (Closes: #640259)
  * Don't attempt to chown files in libwebkdc-perl when doing a
    binary-only build.  Thanks, Aaron M. Ucko.  (Closes: #640268)

 -- Russ Allbery <rra@debian.org>  Sat, 03 Sep 2011 13:07:04 -0700

webauth (4.0.0-1) unstable; urgency=low

  * New upstream release.
    - Added support for multifactor, including new WebAuth directives
      WebAuthRequireInitialFactor, WebAuthRequireSessionFactor, and
      WebAuthRequireLOA and new WebKDC directives WebKdcUserInfoURL and
      WebKdcUserInfoPrincipal.  Currently requires a metadata service for
      which there isn't a packaged implementation.
    - mod_webauth now exposes the user's initial and session
      authentication details and level of assurance (if known) in
      environment variables WEBAUTH_FACTORS_INITIAL,
      WEBAUTH_FACTORS_SESSION, and WEBAUTH_LOA.
    - WebLogin now uses Template Toolkit for all templating.  All
      templates will have to be revised to use the new syntax.
    - WebLogin can tell an external middleware service to send the user an
      OTP code via some means, such as SMS.  There are new configuration
      variables for /etc/webkdc/webkdc.conf that control this.
    - WebLogin now supports a site-specific callback to determine the
      initial and session factors and level of assurance for a user who
      has been authenticated via Apache authentication.
    - The keyring functions of the WebAuth Perl module have been rewritten
      to use an object-oriented style and new WebAuth::Keyring and
      WebAuth::KeyringEntry objects.  Perl code that used the keyring API
      will need to be modified.  Methods to remove a key from a keyring,
      get the timestamps and keys associated with keyring entries, and
      choose the best key have been added.
    - The libwebauth API has been changed substantially and will be
      changed further in subsequent releases.
    - The proxy data attribute of webkdc-proxy tokens is now optional.
  * Install /var/cache/weblogin, writable by www-data, as a directory to
    use for Template Toolkit to cache compiled templates.  Mention the new
    $TEMPLATE_COMPILE_PATH directive in the libwebkdc-perl NEWS.Debian.
  * Update the webauth-weblogin README.Debian to mention the Apache
    FastCGI module now included in Debian and the alternative in
    non-free.

 -- Russ Allbery <rra@debian.org>  Fri, 02 Sep 2011 15:57:56 -0700

webauth (3.7.4-1) unstable; urgency=low

  * New upstream release.
    - New Apache directive WebAuthOptional, which does not force the user
      to authenticate if they're not already authenticated but adds the
      authentication information to the environment if they are.  Intended
      for use with dynamic content that can manage optional authentication
      through an explicit login link.
    - Work around an MIT Kerberos library bug in error reporting from
      password change and remove the previous cruder workaround that
      mapped Kerberos errors to password strength warnings.
    - Suppress certificate validation for the WebKDC in WebLogin if the
      WebKDC URL is localhost, required by libwww-perl 5.837 or later.
    - More robust generation of the pkg-config configuration file.
    - Clearer warning from WebLogin when paired with an old WebKDC.
    - Document the pt and sa key/value pairs in WebKDC logging.
  * Drop the transitional libwebauth1-dev package, required to smooth
    upgrades from lenny.  squeeze released with libwebauth-dev.
  * Update to debhelper compatibility level V8.
    - Use debhelper rule minimization with overrides.
    - Do more work in *.install files and less work in debian/rules.
  * Switch to 3.0 (quilt) source format.  Force a single Debian patch and
    include a custom patch header explaining that it is a rollup of any
    fixes cherry-picked from upstream and breaking those patches out
    separately would be work for no gain.
  * Update standards version to 3.9.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Wed, 11 May 2011 15:26:32 -0700

webauth (3.7.3-2) unstable; urgency=low

  * Upload to unstable.

 -- Russ Allbery <rra@debian.org>  Wed, 02 Mar 2011 16:48:17 -0800

webauth (3.7.3-1) experimental; urgency=low

  * New upstream release.
    - Fix LDAP attribute retrieval for WebAuth 2.x compatibility.
    - libwebauth now provides a pkg-config configuration file.

 -- Russ Allbery <rra@debian.org>  Mon, 20 Sep 2010 17:07:48 -0700

webauth (3.7.2-1) experimental; urgency=low

  * New upstream release.
    - Fix wa_keyring option parsing problems introduced in 3.7.0.
    - Fix uninitalized variable causing wa_keyring to randomly default to
      verbose mode.
    - mod_webkdc now returns user rejected instead of a generic Kerberos
      error for attempted authentications to expired or disabled
      accounts, improving the error message displayed by WebLogin.
  * Add build dependencies on libipc-run-perl and libtimedate-perl to
    enable wa_keyring tests.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 12 Aug 2010 15:31:18 -0700

webauth (3.7.1-1) unstable; urgency=low

  * New upstream release.
    - Password change in WebLogin now forces re-entry of the old password
      on the same screen as the new password even if the user had just
      authenticated, with a configuration option to disable this.
    - The default proxy token lifetime is now the lifetime of the
      underlying Kerberos credential, matching the documentation, instead
      of ten hours.
    - Improve error reporting in WebLogin for password change failures.

 -- Russ Allbery <rra@debian.org>  Fri, 23 Jul 2010 12:51:43 -0700

webauth (3.7.0-1) unstable; urgency=low

  * New upstream release.
    - WebAuthLdapAuthRule in mod_webauthldap now sets environment
      variables to the value "privgroup <privgroup>" rather than the
      previous behavior of just "<privgroup>".
    - New WebAuthLdapPrivgroup directive for mod_webauthldap which probes
      user's membership in multiple privgroups and sets an environment
      variable to the list of those they're in.
    - WebAuthLdapAttribute can now take multiple attributes on one line.
    - WebLogin includes a password change script and template.
    - WebLogin now supports password expiration handling.
    - WebLogin may be configured to warn users of expiring passwords.
    - WebLogin catches SIGTERM in login.fcgi and finishes the current
      request, fixing some problems with unclean shutdown when FastCGI
      restarts the running scripts.
    - WebLogin correctly encodes RT and ST in the URL when redirecting to
      an alternate URL when attempting REMOTE_USER authentication.
    - wa_keyring now uses ISO format for timestamps.
    - Various changes and cleanup to the WebAuth library API.
    - Link wa_keyring with libcrypto properly.  (Closes: #556674)
    - Avoid importing isa from UNIVERSAL.  (Closes: #578632)
    - Lower the log level of some mod_webauth diagnostics.
  * The default help.html file is now installed into
    /usr/share/weblogin/generic/templates instead of one level higher.
  * Upstream now no longer uses apxs to install modules, so upstream
    supports DESTDIR and debian/rules can use make install instead of
    rewriting all the installation rules.
  * Drop the SONAME version from libwebauth-dev.  We'll never need to
    maintain development packages for more than one version of the ABI in
    Debian at the same time.  Add a transitional package to assist with
    upgrades.
  * Move Perl module dependencies from webauth-weblogin to libwebkdc-perl
    since the supporting modules now load the other required Perl modules.
  * Bump the versioned dependencies from webauth-weblogin and
    libwebkc-perl on libwebauth-perl and in webauth-weblogin on
    libwebkdc-perl.
  * Add an explicit dependency on liburi-perl to libwebkdc-perl.
  * Fix Perl dependencies in webauth-weblogin and webauth-tests.
  * Add a Suggests of libapache2-mod-php5 to webauth-tests.
  * Add Suggests of libtimedate-perl, libtime-duration-perl, and
    libnet-remctl-perl to libwebkdc-perl, required for now for expiring
    password warning support.
  * Downgrade the libwebauth-dev dependency on libkrb5-dev to Suggests
    since it's only required for static linking.
  * Update build dependency to libcurl4-openssl-dev.
  * Add additional build dependencies so that the Perl module test suite
    can run.
  * Force source format 1.0 for right now to make backporting easier.
  * Update to debhelper compatibility level V7.
    - Add ${misc:Depends} to all dependencies.
    - Use dh_prep instead of dh_clean -k.
  * Update standards version to 3.9.0 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 08 Jul 2010 15:52:26 -0700

webauth (3.6.2-2) unstable; urgency=low

  * Set DESTDIR instead of PREFIX when installing the Perl modules.  Perl
    5.10.1 doesn't allow changing PREFIX at install time.  Thanks, Niko
    Tyni.

 -- Russ Allbery <rra@debian.org>  Tue, 15 Sep 2009 20:33:12 -0700

webauth (3.6.2-1) unstable; urgency=high

  * New upstream release.
    - CVE-2009-2945: When generating a redirect to test for cookie
      support, be sure not to include a password in the URL.  Reject
      username/password logins via methods other than POST.
    - If the user submits the login form via POST without the test cookie,
      assume the browser supports cookies and don't probe.
    - New script (in /usr/share/doc/webauth-weblogin/weblogin-passcheck)
      to find passwords exposed by CVE-2009-2945.

 -- Russ Allbery <rra@debian.org>  Tue, 08 Sep 2009 15:30:20 -0700

webauth (3.6.1-2) unstable; urgency=low

  * Do not install the libwebauth.la file.  Libtool *.la files force other
    packages using Libtool to declare excessive library dependencies.
  * Update standards version to 3.8.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Mon, 24 Aug 2009 16:24:26 -0700

webauth (3.6.1-1) unstable; urgency=low

  * New upstream release.
    - $BYPASS_CONFIRM now suppresses the confirm page after POST for
      browsers that support this.
    - $BYPASS_CONFIRM can be set to "id" to only bypass the confirmation
      page if the WAS is not requesting a proxy token (and hence may
      request delegated credentials).
    - New variables for the WebLogin confirmation page containing
      delegated credential details.
    - Better WebLogin cookie handling with confirmation bypass.
  * Remove -L and -l flags to dh_shlibdeps, which are no longer needed.
  * Remove full paths to a2dismod in the package prerm scripts.
  * Update standards version to 3.8.2.
    - Change sections of Apache modules.
    - Run test suite iff nocheck is not set in DEB_BUILD_OPTIONS.
  * Add Vcs-Git and Vcs-Browser source control fields.
  * Improve short description for libwebkdc-perl.
  * Update debian/copyright to include a copy of the more thorough new
    upstream LICENSE file.

 -- Russ Allbery <rra@debian.org>  Tue, 14 Jul 2009 19:32:01 -0700

webauth (3.6.0-1) unstable; urgency=low

  * New upstream release.
    - Fix prematurely freed internal data in mod_webauth.
    - Work around a CGI Perl module bug in WebLogin that caused crashes
      for WebLogin URLs containing two slashes and two plus signs.
    - Add WebLogin support for delegated credentials.  Based on work by
      Joachim Keltsch.  (Closes: #466792)
    - New WebKdcLocalRealms and WebKdcPermittedRealms mod_webkdc options.
    - New WebKDC protocol error for a login rejected by policy.
    - New err_rejected variable in the weblogin login.tmpl template.
    - Several new WebLogin configuration options and hooks.
    - WebLogin REMOTE_USER variables have been renamed for consistency,
      but the old variables will continue to work.
  * Add symbols support for libwebauth1.
  * Bump shlibs for libwebauth1 for the introduction of a new interface.
  * Minor debian/rules tweaking:
    - Use the right configure arguments for cross-compiles.
    - Use touch $@ to create stamp files.
    - Use install rather than cp and mkdir.
  * Update the doc-base section for the WebAuth protocol specification.

 -- Russ Allbery <rra@debian.org>  Fri, 21 Mar 2008 22:10:09 -0700

webauth (3.5.5-1) unstable; urgency=low

  * New upstream release.
    - Check browser cookie support on first WebLogin visit for better
      cookie checks with Apache authentication.  (Closes: #430486)
    - New err_cookies_disabled error template variable.
    - Fix memory allocation for environment variables in mod_webauthldap.
    - Improve display of Shibboleth destination URLs.
  * Incorporate NEWS.Debian into webauth-weblogin.NEWS, since it is the
    only affected package for the old news item.
  * Call dh_fixperms before dh_strip so that the WebAuth Perl module will
    be stripped properly.
  * Recommend httpd-cgi and suggest libapache2-mod-auth-kerb for
    webauth-weblogin.
  * Use ${binary:Version} instead of ${Source-Version} in debian/control.
  * Move the Homepage pseudo-header from Description to a real header.
  * Wrap all Depends lines in debian/control.
  * Drop the version on the Perl build-depends.  That version is older
    than oldstable.
  * libwebkdc-perl is arch-independent, so no need for ${shilbs:Depends}.
  * Use a configure-stamp file rather than config.status.
  * Capitalize WebLogin consistently in package descriptions.
  * Update standards version to 3.7.3 (no changes required).
  * Update debhelper compatibility level to V5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 08 Jan 2008 22:00:03 -0800

webauth (3.5.4-1) unstable; urgency=low

  * New upstream release.
    - WebLogin supports displaying destination Shibboleth URLs.
    - Be more aggressive about telling browsers not to cache.
    - Properly merge directory configurations in mod_webauthldap.
    - Refresh REMOTE_USER cookies in WebLogin.
    - Improved WebLogin documentation of cookies used.
  * Put the Apache modules in the net section to match overrides.

 -- Russ Allbery <rra@debian.org>  Tue, 24 Apr 2007 14:35:35 -0700

webauth (3.5.3-2) unstable; urgency=low

  * Rebuild for Apache 2.2.
    - Add versioned build dependency.
    - Change module dependencies from apache2 to apache2.2-common.
    - Document the need to enable authz_user.
  * Depend on apache2-threaded-dev rather than on the virtual apache2-dev
    package.

 -- Russ Allbery <rra@debian.org>  Mon,  9 Oct 2006 16:07:54 -0700

webauth (3.5.3-1) unstable; urgency=low

  * New usptream release.
    - Upstream source now supports Apache 2.2 builds.
    - Improve and document mod_webkdc logging.
    - Disable debug logging in the weblogin scripts.

 -- Russ Allbery <rra@debian.org>  Mon, 11 Sep 2006 20:34:07 -0700

webauth (3.5.2-1) unstable; urgency=medium

  * New upstream release.
    - SECURITY: Fix the default weblogin templates to always escape form
      variables.  Sites using customized templates should check their
      templates for the same issue; see NEWS.gz for more information.
    - When Apache authentication for weblogin fails, don't retry for that
      user session even on empty form submissions.
    - Mark weblogin login and logout pages and not cachable by browsers.
  * Include NEWS, README, and TODO in the webauth-weblogin doc directory.

 -- Russ Allbery <rra@debian.org>  Thu, 13 Jul 2006 17:56:23 -0700

webauth (3.5.1-1) unstable; urgency=low

  * New upstream release.
    - Multiple changes to the Weblogin scripts and templates that will
      require updates to existing templates.  See the upstream NEWS file
      for more details.
    - Fix decoding of keyring times on 64-bit platforms.
  * Update standards version to 3.7.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 20 Jun 2006 09:20:44 -0700

webauth (3.5.0-1) unstable; urgency=low

  * New upstream release.
    - WebAuthExtraRedirect on is now the default.
    - Clean up of weblogin template variables.  Existing templates will
      have to be updated.
    - Support for optional Apache authentication in weblogin.
    - Clean up and better documentation of the weblogin code.
    - New weblogin configuration documentation.
    - http://webauth.stanford.edu/ is now the canonical upstream URL.

 -- Russ Allbery <rra@debian.org>  Mon, 20 Mar 2006 17:29:57 -0800

webauth (3.4.2-1) unstable; urgency=low

  * New upstream release.

 -- Russ Allbery <rra@debian.org>  Fri, 17 Feb 2006 20:18:49 -0800

webauth (3.4.1-1) unstable; urgency=low

  * New upstream release.
    - Reverted the change to not strip WebAuth data from unprotected URLs
      since it interacted poorly with .htaccess files.
    - The config option WebAuthStripURL is now documented and supported.
    - Avoid deprecated OpenLDAP APIs.

 -- Russ Allbery <rra@debian.org>  Mon,  6 Feb 2006 17:38:30 -0800

webauth (3.4.0-1) unstable; urgency=low

  * New upstream release.
    - webauth-weblogin can now optionally try SPNEGO authentication before
      prompting for a username and password.
    - mod_webauth doesn't strip WebAuth information from the internal URL
      for requests not protected by WebAuth.
    - Much improved protocol specification.
    - Use --enable-reduced-depends to reduce library dependencies.
    - No compiler warnings with -Wall.
  * Only install the protocol documentation in libapache2-mod-webauth, not
    in libapache2-mod-webkdc.  If you're using WebAuth at all you'll
    install the former somewhere, and there's no need to duplicate it.
  * Register the protocol documentation with doc-base.
  * Don't install HACKING; it's not useful without the source.
  * Use DH_OPTIONS to reduce clutter in debian/rules.
  * Add build-arch and build-indep targets.
  * Don't ignore the return status of make distclean.
  * Use stamp files in a cleaner way.
  * Update copyright dates.

 -- Russ Allbery <rra@debian.org>  Mon, 23 Jan 2006 22:09:35 -0800

webauth (3.3.0-2) unstable; urgency=low

  * Build-depend on libcurl3-openssl-dev, not libcurl3-dev.
  * Update maintainer address.

 -- Russ Allbery <rra@debian.org>  Wed, 16 Nov 2005 16:39:21 -0800

webauth (3.3.0-1) unstable; urgency=low

  * New upstream release.
    - S/Ident support removed.
    - New WebAuthLdapSeparator configuration setting for multi-valued
      attribute handling.
    - libwebauth now uses symbol versioning.
  * Update copyright to my current format and add an explicit packaging
    copyright and license statement.
  * Minor cleanup of debian/rules.
  * Indent the homepage in package descriptions to avoid wrapping.
  * Update standards version to 3.6.2 (no changes required).

 -- Russ Allbery <rra@stanford.edu>  Tue,  4 Oct 2005 21:40:28 -0700

webauth (3.2.8-1) unstable; urgency=low

  * New upstream release.
    - mod_webauth now handles empty keyring files appropriately.
    - Significant improvements to the mod_webkdc manual.

 -- Russ Allbery <rra@stanford.edu>  Thu,  2 Jun 2005 23:21:02 -0700

webauth (3.2.7-1) unstable; urgency=low

  * New upstream release.
    - Update libtool to 1.5.6 for better shared library support on MIPS.
      Thanks, Ryan Murray.  (Closes: #306027)
    - Better diagnose a missing service token on a weblogin request.

 -- Russ Allbery <rra@stanford.edu>  Sat, 23 Apr 2005 14:33:20 -0700

webauth (3.2.6-1) unstable; urgency=low

  * Uploaded to Debian.  (Closes: #304728)
  * New upstream release.
    - Renamed the WebAuth3 Perl bindings to WebAuth.
    - Renamed the libwebauth3-perl package to libwebauth-perl accordingly.
  * Add dependency on libwebauth-perl to webauth-weblogin.  libwebkdc-perl
    will also pull it in, but this is more completely correct.
  * Add watch file.

 -- Russ Allbery <rra@stanford.edu>  Mon, 18 Apr 2005 23:06:23 -0700

webauth (3.2.5-1) unstable; urgency=low

  * New upstream release.
    - Removed debian directory from upstream tarball.
    - Report information from mod_webauthldap at saner message levels.
  * Fix package sections and formatting of the homepage link.
  * Use CFLAGS for the Perl module builds rather than hard-coding flags.
  * Change the README.Debian files to follow the Apache 2.x package
    recommendations for where to put local configuration.
  * Add upstream TODO to libapache2-webauth and libapache2-webkdc.

 -- Russ Allbery <rra@stanford.edu>  Thu, 14 Apr 2005 21:51:28 -0700

webauth (3.2.4-2) unstable; urgency=low

  * No source changes.
  * Rebuild for libcurl migration.

 -- Russ Allbery <rra@stanford.edu>  Mon,  7 Mar 2005 14:47:24 -0800

webauth (3.2.4-1) unstable; urgency=low

  * New upstream release.
    - Fix bug in S/Ident handling in weblogin script.
  * Add prerm scripts for libapache2-webauth and libapache2-webkdc to call
    a2dismod if the module is enabled.

 -- Russ Allbery <rra@stanford.edu>  Wed, 25 Aug 2004 17:36:56 -0700

webauth (3.2.3-1) unstable; urgency=low

  * Initial release.

 -- Russ Allbery <rra@stanford.edu>  Wed, 23 Jun 2004 16:11:02 -0700
