libxfont (1:1.5.1-1ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: non-privileged arbitrary file access
    - debian/patches/CVE-2017-16611.patch: open files with O_NOFOLLOW in
      src/fontfile/dirfile.c, src/fontfile/fileio.c.
    - CVE-2017-16611

 -- Marc Deslauriers  Tue, 28 Nov 2017 14:46:50 -0500

libxfont (1:1.5.1-1ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: invalid memory read in PatternMatch
    - debian/patches/CVE-2017-13720.patch: check for end of string in
      src/fontfile/fontdir.c.
    - CVE-2017-13720
  * SECURITY UPDATE: DoS or info leak via malformed PCF file
    - debian/patches/CVE-2017-13722.patch: check string boundaries in
      src/bitmap/pcfread.c.
    - CVE-2017-13722

 -- Marc Deslauriers  Fri, 06 Oct 2017 11:44:24 -0400

libxfont (1:1.5.1-1ubuntu0.16.04.2) xenial; urgency=medium

  * Install developer documentation under the correct path. (LP: #1709885)

 -- Timo Aaltonen  Fri, 11 Aug 2017 01:16:51 +0300

libxfont (1:1.5.1-1ubuntu0.16.04.1) xenial; urgency=medium

  * Rename libxfont-dev to libxfont1-dev. (LP: #1687981)

 -- Timo Aaltonen  Sat, 13 May 2017 08:01:15 +0300

libxfont (1:1.5.1-1) unstable; urgency=high

  * New upstream release
    + bdfReadProperties: property count needs range check [CVE-2015-1802]
    + bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]
    + bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]

 -- Julien Cristau  Tue, 17 Mar 2015 16:55:21 +0100

libxfont (1:1.4.99.901-1) unstable; urgency=medium

  * New upstream release candidate.
    + includes the CVE-2014-{0209,0210,0211} patches
  * Remove Cyril from Uploaders.
  * Allow uscan to verify tarball signature.

 -- Julien Cristau  Sat, 12 Jul 2014 17:44:11 +0200

libxfont (1:1.4.7-2) unstable; urgency=high

  * Pull from upstream git to fix FTBFS with new fontsproto (closes: #746052)
  * CVE-2014-0209: integer overflow of allocations in font metadata
  * CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
  * CVE-2014-0211: integer overflows calculating memory needs for xfs replies
  * Add breaks on xfs because we broke it by disabling font protocol support
    in 1.4.7.

 -- Julien Cristau  Tue, 13 May 2014 17:25:49 +0200

libxfont (1:1.4.7-1) unstable; urgency=high

  * New upstream release
    + CVE-2013-6462: unlimited sscanf overflows stack buffer in
      bdfReadCharacters()
  * Don't put dbg symbols from the udeb in the dbg package.
  * dev package is no longer Multi-Arch: same (closes: #720026).
  * Disable support for connecting to a font server. That code is horrible
    and full of holes.

 -- Julien Cristau  Tue, 07 Jan 2014 17:51:29 +0100

libxfont (1:1.4.6-1) unstable; urgency=low

  * New upstream release.
  * Build for multiarch (closes: #654252). Patch by Riku Voipio, thanks!
  * Disable silent build rules.

 -- Julien Cristau  Mon, 12 Aug 2013 18:28:57 +0200

libxfont (1:1.4.5-2) unstable; urgency=low

  * Ease sync for Ubuntu: strip -Bsymbolic-functions from LDFLAGS (LP: #992745).

 -- Cyril Brulebois  Thu, 03 May 2012 19:59:46 +0200

# For older changelog entries, run 'apt-get changelog libxfont1'
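The CVE-2017-16611 entry at the top of this changelog fixes the file-access problem by opening font files with O_NOFOLLOW. The program below is an added illustration of what that flag changes; it is not libxfont code and not the contents of debian/patches/CVE-2017-16611.patch. It builds a scratch directory under /tmp (constructed here, names "real", "link" and "dirlink" are the example's own), then opens a regular file, a symlink to it, and a path that passes through a directory symlink, each with and without O_NOFOLLOW, recording the errno of every attempt. The case a practitioner should note is the last one: O_NOFOLLOW only rejects a symlink in the final path component, so a symlinked intermediate directory is still followed and has to be handled separately (for example by opening directory by directory with openat()).

```c
/* Added example, not libxfont code: what O_NOFOLLOW does and does not do.
 * Fixture (constructed here): <dir>/real is a regular file,
 * <dir>/link -> <dir>/real, <dir>/dirlink -> <dir>. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct nofollow_demo {
    int real_plain;       /* open("real")                    -> 0 */
    int real_nofollow;    /* open("real", O_NOFOLLOW)        -> 0: regular file unaffected */
    int link_plain;       /* open("link")                    -> 0: symlink silently followed */
    int link_nofollow;    /* open("link", O_NOFOLLOW)        -> ELOOP on Linux: refused */
    int dirlink_nofollow; /* open("dirlink/real", O_NOFOLLOW) -> 0: only the final
                             component is checked; the directory symlink is followed */
};

/* Open path read-only with extra flags; return 0 on success, else errno. */
static int try_open(const char *path, int extra_flags)
{
    int fd = open(path, O_RDONLY | extra_flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* out = dir "/" name; -1 if it would not fit. */
static int join(char *out, size_t n, const char *dir, const char *name)
{
    return snprintf(out, n, "%s/%s", dir, name) < (int)n ? 0 : -1;
}

/* Create the fixture in a fresh mkdtemp() directory; dir receives its path. */
static int make_fixture(char *dir, size_t n)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    char real[128], lnk[128], dirlink[128];
    FILE *f;

    if (mkdtemp(tmpl) == NULL || strlen(tmpl) >= n)
        return -1;
    strcpy(dir, tmpl);
    if (join(real, sizeof real, dir, "real") || join(lnk, sizeof lnk, dir, "link") ||
        join(dirlink, sizeof dirlink, dir, "dirlink"))
        return -1;
    if ((f = fopen(real, "w")) == NULL)
        return -1;
    fputs("constructed font file contents\n", f);
    fclose(f);
    if (symlink(real, lnk) != 0 || symlink(dir, dirlink) != 0)
        return -1;
    return 0;
}

static void remove_fixture(const char *dir)
{
    const char *names[] = { "link", "dirlink", "real" };
    char p[128];
    for (size_t i = 0; i < 3; i++)
        if (join(p, sizeof p, dir, names[i]) == 0)
            unlink(p); /* unlink removes the symlink itself, not its target */
    rmdir(dir);
}

/* Run the five opens; return 0, or -1 if the fixture could not be built. */
int nofollow_demo_run(struct nofollow_demo *r)
{
    char dir[64], real[128], lnk[128], via_dirlink[128];

    if (make_fixture(dir, sizeof dir) != 0)
        return -1;
    join(real, sizeof real, dir, "real");
    join(lnk, sizeof lnk, dir, "link");
    join(via_dirlink, sizeof via_dirlink, dir, "dirlink/real");

    r->real_plain       = try_open(real, 0);
    r->real_nofollow    = try_open(real, O_NOFOLLOW);
    r->link_plain       = try_open(lnk, 0);
    r->link_nofollow    = try_open(lnk, O_NOFOLLOW);
    r->dirlink_nofollow = try_open(via_dirlink, O_NOFOLLOW);

    remove_fixture(dir);
    return 0;
}

int main(void)
{
    struct nofollow_demo r;
    if (nofollow_demo_run(&r) != 0) {
        perror("fixture");
        return 1;
    }
    printf("real          plain=%d nofollow=%d\n", r.real_plain, r.real_nofollow);
    printf("link          plain=%d nofollow=%d (%s)\n", r.link_plain,
           r.link_nofollow, strerror(r.link_nofollow));
    printf("dirlink/real  nofollow=%d\n", r.dirlink_nofollow);
    return 0;
}
```

Run it as an unprivileged user; the symlink open with O_NOFOLLOW fails with ELOOP on Linux (EMLINK on FreeBSD), while the open through the directory symlink still succeeds, which is why a privileged process reading from a directory an unprivileged user can write to needs more than this one flag.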