Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my backport of package "xml-security-c"
to wheezy-backports-sloppy as a first step to backporting other
Shibboleth packages to wheezy and jessie (see
https://qa.debian.org/developer.php?email=pkg-shibboleth-devel%40lists.alioth.debian.org
for a list of Shib packages).

 * Package name    : xml-security-c
   Version         : 1.7.3-3~bpo7+1
   Upstream Author : http://santuario.apache.org/team.html
 * URL             : http://santuario.apache.org/cindex.html
 * License         : Apache-2.0
   Section         : libs

It builds those binary packages:

  libxml-security-c-dev - C++ library for XML Digital Signatures (development)
  libxml-security-c17v5 - C++ library for XML Digital Signatures (runtime)
  xml-security-c-utils - C++ library for XML Digital Signatures (utilities)

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/xml-security-c

Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/x/xml-security-c/xml-security-c_1.7.3-3~bpo7+1.dsc

More information about xml-security-c can be obtained from
http://santuario.apache.org/cindex.html.

Changes since the last upload (wheezy 1.6.1-5+deb7u2):

 xml-security-c (1.7.3-3~bpo7+1) wheezy-backports-sloppy; urgency=medium
 .
   [ Etienne Dysli Metref ]
   * Rebuild for wheezy-backports-sloppy.
   * [aba87f7] New patch
     Remove-PKG_INSTALLDIR-to-build-with-older-pkg-config.patch
 .
 xml-security-c (1.7.3-3) unstable; urgency=medium
 .
   * [dee8abd] New patch
     Only-add-found-packages-to-the-pkg-config-dependenci.patch
 .
 xml-security-c (1.7.3-2) unstable; urgency=medium
 .
   * [9af4b2f] New patches fixing GCC-6 FTBFS, warnings and typos
     (Closes: #811620)
   * [eb1af76] Update Standards-Version to 3.9.8 (no changes needed)
   * [e742472] Switch to secure VCS URIs
   * [894b638] New patch
     Use-pkg-config-for-Xerces-OpenSSL-and-NSS-and-provid.patch
   * [64c49b7] New patch
     We-do-not-use-pthreads-threadtest.cpp-is-Windows-onl.patch
   * [a5a8a19] The build system now links with the needed libraries only
 .
 xml-security-c (1.7.3-1) unstable; urgency=medium
 .
   * [df661d6] Check signature in watch file
   * [b78a045] Add debian/gbp.conf enabling pristine-tar
   * [ca9476a] Imported Upstream version 1.7.3
   * [f8b635d] Delete upstreamed patch "Avoid use of PATH_MAX where possible"
   * [9d2337f] Switch watch file to check for bzip-compressed archives
   * [f95b4ef] The default compressor is xz since jessie
   * [ed19f44] Renaming of the binaries happens via a patch since 4771f62
     and 017dc35
   * [34dd591] Enable all hardening features
   * [893eda7] Remove superfluous dh_clean override
   * [2207b52] Fail package build if any installed file is left out in the
     future
   * [62c8d2f] Add myself to Uploaders
   * [4afa12e] Update Standards-Version to 3.9.6 (no changes needed)
   * [d338569] Since 2b8a713 we've got proper patch files
   * [cd68dec] Enable commit ids in gbp dch
   * [71cc459] Add version number to the manual pages
   * [e544a7b] Run wrap-and-sort -ast on the package
   * [cf73c2b] Get rid of patch numbers
   * [0832cf9] New patch
     Avoid-forward-incompatibility-warnings-from-Automake.patch
   * [3099c82] Comment the --as-needed tricks
   * [e26686c] Update debian/copyright
   * [3fad239] Add NOTICE.txt to all binary packages
   * [4eaef76] Incorporate the 1.7.2-3.1 NMU.  Thanks to Julien Cristau.
 .
 xml-security-c (1.7.2-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Rename library packages for g++5 ABI transition (closes: 791323).
 .
 xml-security-c (1.7.2-3) unstable; urgency=medium
 .
   * Avoid use of PATH_MAX where possible by using getcwd to allocate the
     appropriate size string.  Fixes FTBFS on GNU/Hurd.  Patch from Svante
     Signell.  (Closes: #735162)
   * Convert all Debian patches to separate patch files managed via gbp pq.
   * Update standards version to 3.9.5 (no changes required).
 .
 xml-security-c (1.7.2-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
 xml-security-c (1.7.2-1) experimental; urgency=high
 .
   * New upstream release.
     - The attempted fix to address CVE-2013-2154 introduced the
       possibility of a heap overflow, possibly leading to arbitrary code
       execution, in the processing of malformed XPointer expressions in
       the XML Signature Reference processing code.  Fix that heap
       overflow.  (Closes: #714241, CVE-2013-2210)
 .
 xml-security-c (1.7.1-1) experimental; urgency=high
 .
   * New upstream release.
     - Fix a spoofing vulnerability that allows an attacker to reuse
       existing signatures with arbitrary content.  (CVE-2013-2153)
     - Fix a stack overflow in the processing of malformed XPointer
       expressions in the XML Signature Reference processing code.
       (CVE-2013-2154)
     - Fix processing of the output length of an HMAC-based XML Signature
       that could cause a denial of service when processing specially
       chosen input.  (CVE-2013-2155)
     - Fix a heap overflow in the processing of the PrefixList attribute
       optionally used in conjunction with Exclusive Canonicalization,
       potentially allowing arbitrary code execution.  (CVE-2013-2156)
     - Reduce entity expansion limits when parsing.
     - New --id option to the xenc-checksig utility.
   * Rename the binaries in the xml-security-c-utils package to start with
     xsec-* instead of xmlsec-*.  This reflects the common abbreviation
     used by the package.
 .
 xml-security-c (1.7.0-1) experimental; urgency=low
 .
   * New upstream release.
     - AES-GCM support.
     - XML Encryption 1.1 OAEP enhancements.
   * Increase versioned dependency on libssl-dev to ensure that we have
     AES-GCM support.  (This only matters for backports to squeeze.)
   * Mark libxml-security-c-dev as Multi-Arch: same.
   * Add new xml-security-c-utils package that contains the utility
     programs included with the library.  Rename the binaries to add
     "xmlsec-" to the beginning of the names, since some of the programs
     are otherwise rather generic.  Add man pages for each of the
     programs.  (Closes: #682830)
   * Switch from autotools-dev to dh-autoreconf and regenerate the entire
     build system during the build, not just the config.guess and
     config.sub scripts, and add --as-needed.
   * Add -fPIE to hardening flags since we're now installing binaries.
   * Move single-debian-patch to local-options and patch-header to
     local-patch-header so that they only apply to the packages built from
     the canonical Git repository and NMUs get regular version-numbered
     patches.
   * Switch to xz compression for *.debian.tar and the *.deb packages.
   * Use canonical URLs for Vcs-Browser and Vcs-Git.
   * Update standards version to 3.9.4.
     - Update debian/copyright to specify copyright-format 1.0.

Sincerely,
Etienne Dysli Metref