lp:debian/wheezy/webauth

Created by James Westby and last modified
Get this branch:
bzr branch lp:debian/wheezy/webauth
Members of Ubuntu branches can upload to this branch.

Branch information

Owner:
Ubuntu branches
Status:
Development

Recent revisions

18. By Russ Allbery

* New upstream release (no Apache 2.4 support yet; that's next).
  - Fix webauth_user_info bug in interpreting login history timestamps.
  - Fix login history timestamp handling in sample confirm template.
  - Suppress history and token rights in sample confirm template when
    those data elements are empty. (Closes: #664735)
  - Add explicit HTML filters to all sample template variable
    interpolations as an additional security measure.
  - Update the mod_webkdc manual for changes in 4.1.0.
* If Apache is running and has the module loaded, restart Apache on
  configure of libapache2-webauth or libapache2-webkdc.
* Remove the conditional around the postinst actions for
  libapache2-webauth and libapache2-webkdc and just always configure the
  package. This is at least arguably more correct for the various abort
  cases, is simpler, and shouldn't hurt.

17. By Russ Allbery

* New upstream release.
  - New mod_webkdc WebKdcUserInfoTimeout option to set a network timeout
    for user information service queries. The new default is 30
    seconds.
  - New mod_webkdc WebKdcUserInfoIgnoreFail error to allow users to
    authenticate with password and use pre-existing single sign-on
    cookies even if the user information service is down. Be aware that
    this can allow bypassing a centrally-mandated multifactor
    requirement.
  - Use remctl_set_ccache instead of setting KRB5CCNAME when available
    to avoid memory leaks on calling the user information service and to
    not leak settings across threads.
  - Fix WebLogin error handling when the password field is left blank.
  - Fix WebLogin error handling of empty usernames.
  - Drop library support for base64-encoded token attributes (which was
    never used by WebAuth).
  - Drop webauth_info_{build,version} library APIs.
  - Document Apache/Tomcat security interaction around URL parsing in
    the mod_webauth manual. This affects any Apache security mechanism
    used in conjunction with Tomcat.
* Bump libremctl-dev build dependency to >= 3.1 for consistent builds.
* Add Build-Depends-Package to the symbols file for better dependency
  handling.
* Update standards version to 3.9.3 (no changes required).

16. By Russ Allbery

* New upstream release.
  - Fix setting of the REMOTE_USER preference cookie in WebLogin.
  - Ignore undefined cookies in WebLogin to reduce error logs.
  - Document factor codes in the mod_webauth manual.
* Remove ${shlibs:Depends} from libwebauth-dev dependencies to remove a
  warning. This package won't contain compiled binaries.

15. By Russ Allbery

* New upstream release.
  - Change user information service and WebKDC to WebLogin protocols for
    conveying suspicious login information to use the IP address as the
    CDATA and put the hostname in an attribute.
  - Display suspicious logins in WebLogin, forcing a confirmation page.
  - Log the return URL of authentication requests to the WebKDC.
  - Reduce mod_webauth log level when retrieving credentials.

14. By Russ Allbery

* Fix a variety of uninitialized variables and memory leaks in the
  libwebauth library and the test suite. Thanks, Christoph Egger and
  Aaron M. Ucko. (Closes: #640259)
* Don't attempt to chown files in libwebkdc-perl when doing a
  binary-only build. Thanks, Aaron M. Ucko. (Closes: #640268)

13. By Russ Allbery

* New upstream release.
  - New Apache directive WebAuthOptional, which does not force the user
    to authenticate if they're not already authenticated but adds the
    authentication information to the environment if they are. Intended
    for use with dynamic content that can manage optional authentication
    through an explicit login link.
  - Work around an MIT Kerberos library bug in error reporting from
    password change and remove the previous cruder workaround that
    mapped Kerberos errors to password strength warnings.
  - Suppress certificate validation for the WebKDC in WebLogin if the
    WebKDC URL is localhost, required by libwww-perl 5.837 or later.
  - More robust generation of the pkg-config configuration file.
  - Clearer warning from WebLogin when paired with an old WebKDC.
  - Document the pt and sa key/value pairs in WebKDC logging.
* Drop the transitional libwebauth1-dev package, required to smooth
  upgrades from lenny. squeeze released with libwebauth-dev.
* Update to debhelper compatibility level V8.
  - Use debhelper rule minimization with overrides.
  - Do more work in *.install files and less work in debian/rules.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
  include a custom patch header explaining that it is a rollup of any
  fixes cherry-picked from upstream and breaking those patches out
  separately would be work for no gain.
* Update standards version to 3.9.2 (no changes required).

12. By Russ Allbery

Upload to unstable.

11. By Russ Allbery

* Apply upstream deltas:
  - [49ad22d2] Fix wa_keyring option parsing and verbose mode bugs
* Update standards version to 3.9.1 (no changes required).

10. By Russ Allbery

* New upstream release.
  - Password change in WebLogin now forces re-entry of the old password
    on the same screen as the new password even if the user had just
    authenticated, with a configuration option to disable this.
  - The default proxy token lifetime is now the lifetime of the
    underlying Kerberos credential, matching the documentation, instead
    of ten hours.
  - Improve error reporting in WebLogin for password change failures.

9. By Russ Allbery

* New upstream release.
  - WebAuthLdapAuthRule in mod_webauthldap now sets environment
    variables to the value "privgroup <privgroup>" rather than the
    previous behavior of just "<privgroup>".
  - New WebAuthLdapPrivgroup directive for mod_webauthldap which probes
    user's membership in multiple privgroups and sets an environment
    variable to the list of those they're in.
  - WebAuthLdapAttribute can now take multiple attributes on one line.
  - WebLogin includes a password change script and template.
  - WebLogin now supports password expiration handling.
  - WebLogin may be configured to warn users of expiring passwords.
  - WebLogin catches SIGTERM in login.fcgi and finishes the current
    request, fixing some problems with unclean shutdown when FastCGI
    restarts the running scripts.
  - WebLogin correctly encodes RT and ST in the URL when redirecting to
    an alternate URL when attempting REMOTE_USER authentication.
  - wa_keyring now uses ISO format for timestamps.
  - Various changes and cleanup to the WebAuth library API.
  - Link wa_keyring with libcrypto properly. (Closes: #556674)
  - Avoid importing isa from UNIVERSAL. (Closes: #578632)
  - Lower the log level of some mod_webauth diagnostics.
* The default help.html file is now installed into
  /usr/share/weblogin/generic/templates instead of one level higher.
* Upstream now no longer uses apxs to install modules, so upstream
  supports DESTDIR and debian/rules can use make install instead of
  rewriting all the installation rules.
* Drop the SONAME version from libwebauth-dev. We'll never need to
  maintain development packages for more than one version of the ABI in
  Debian at the same time. Add a transitional package to assist with
  upgrades.
* Move Perl module dependencies from webauth-weblogin to libwebkdc-perl
  since the supporting modules now load the other required Perl modules.
* Bump the versioned dependencies from webauth-weblogin and
  libwebkdc-perl on libwebauth-perl and in webauth-weblogin on
  libwebkdc-perl.
* Add an explicit dependency on liburi-perl to libwebkdc-perl.
* Fix Perl dependencies in webauth-weblogin and webauth-tests.
* Add a Suggests of libapache2-mod-php5 to webauth-tests.
* Add Suggests of libtimedate-perl, libtime-duration-perl, and
  libnet-remctl-perl to libwebkdc-perl, required for now for expiring
  password warning support.
* Downgrade the libwebauth-dev dependency on libkrb5-dev to Suggests
  since it's only required for static linking.
* Update build dependency to libcurl4-openssl-dev.
* Add additional build dependencies so that the Perl module test suite
  can run.
* Force source format 1.0 for right now to make backporting easier.
* Update to debhelper compatibility level V7.
  - Add ${misc:Depends} to all dependencies.
  - Use dh_prep instead of dh_clean -k.
* Update standards version to 3.9.0 (no changes required).

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/webauth