libxslt (1.1.28-2.1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds heap memory access
    - debian/patches/0010-CVE-2016-1683.patch: special case namespace
      nodes in xsltNumberFormatGetMultipleLevel
    - CVE-2016-1683
  * SECURITY UPDATE: integer overflow
    - debian/patches/0011-CVE-2016-1684-1.patch,
      debian/patches/0012-CVE-2016-1684-2.patch: add lower and upper
      bounds for 'i' and 'a' format tokens
    - CVE-2016-1684
  * SECURITY UPDATE: use-after-free in xsltDocumentFunctionLoadDocument
    - debian/patches/0013-CVE-2016-1841.patch: adjust xmlFree() call
    - CVE-2016-1841
  * SECURITY UPDATE: heap information leak
    - debian/patches/0014-CVE-2016-4738.patch: check for empty decimal
      separator.
    - CVE-2016-4738
  * SECURITY UPDATE: integer overflow in libxslt.
    - debian/patches/0015-CVE-2017-5029.patch: limit buffer size in
      xsltAddTextString to INT_MAX.
    - CVE-2017-5029
  * SECURITY UPDATE: double free in hash functions
    - 0016-Fix-double-free-in-libexslt-hash-functions-d8862309f0.patch:
      remove duplicate free calls
  * SECURITY UPDATE: NULL pointer dereference in Saxon
    - 0017-Fix-error-handling-in-Saxon-extension-functions-ef7429bb4.patch:
      fix error handling in Saxon extension functions
  * SECURITY UPDATE: out-of-bounds heap memory access
    - 0018-Fix-dyn-map-with-namespace-nodes-93bb3147.patch: use correct
      type for namespace nodes in exsltDynMapFunction
  * SECURITY UPDATE: out-of-bounds heap read memory access
    - 0019-Fix-saxon-line-number-with-namespace-nodes-8b90c9a6.patch:
      do not pass namespace "nodes" to xmlGetLineNo
  * SECURITY UPDATE: stack-based buffer overflow in exsltDateFormat
    - 0020-Fix-buffer-overflow-in-exsltDateFormat-5d0c6565b.patch:
      make stack buffer larger
  * SECURITY UPDATE: out-of-bounds heap read in
    xsltExtModuleRegisterDynamic
    - 0021-Fix-OOB-heap-read-in-xsltExtModuleRegisterDynamic-87c3d9ea.patch:
      correct stripping of unwanted characters

 -- Steve Beattie  Tue, 25 Apr 2017 23:38:39 -0700

libxslt (1.1.28-2.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add 0009-Fix-for-type-confusion-in-preprocessing-attributes.patch patch.
    CVE-2015-7995: Type confusion in preprocessing attributes leading to
    denial of service. (Closes: #802971)

 -- Salvatore Bonaccorso  Fri, 30 Oct 2015 08:46:43 +0100

libxslt (1.1.28-2) unstable; urgency=low

  * debian/patches/000[4-8].patch: Upstream post release patches.

 -- Aron Xu  Thu, 01 Aug 2013 13:55:48 +0800

libxslt (1.1.28-1) experimental; urgency=low

  [ YunQiang Su ]
  * Imported Upstream version 1.1.28
  * Workaround xsltMaxVars version number (Closes: #698955)
  * Refresh patches
  * Correct email address of YunQiang Su
  * Mark libxslt1-dev as Multi-Arch: same (Closes: #689091)

  [ Aron Xu ]
  * Use canonical VCS-* fields.
  * Remove unused override: python-libxslt1-dbg: hardening-no-relro

 -- Aron Xu  Thu, 01 Aug 2013 13:45:01 +0800

libxslt (1.1.27-1) experimental; urgency=low

  * New upstream release (Closes: #448205, #683353)
  * debian/rules:
    + Add hardening flags for dbg package in LDFLAGS (Closes: #681163)
  * debian/control:
    - std-ver: 3.9.3 -> 3.9.4, no change required.

 -- Aron Xu  Wed, 03 Oct 2012 00:22:53 +0800

libxslt (1.1.26-13) unstable; urgency=low

  * Patch to fix CVE-2012-2825 (Closes: #679283).

 -- Aron Xu  Thu, 05 Jul 2012 11:09:19 +0800

libxslt (1.1.26-12) unstable; urgency=low

  [ Aron Xu ]
  * New maintainer (Closes: #654177)
  * debian/rules: small improvements, stop shipping .la files.
  * debian/control: mark libxslt1-dev as not M-A (Closes: #671902).

  [ YunQiang Su ]
  * Convert to 3.0 source format.
  * Byte-compile Python modules again (Closes: #671901).

 -- Aron Xu  Tue, 29 May 2012 00:31:36 +0800

libxslt (1.1.26-11) unstable; urgency=low

  * QA upload.
  * Bump standards version to 3.9.3.
  * Apply Steve Langasek's patch to enable multiarch (closes: #643034).
  * Fix cve-2011-3970: out-of-bounds array access issue (closes: #660650).
  * Bump debian/compat to 9 and enable hardened build flags
    (closes: #655601).
  * Eliminate system config.sub and config.guess from the debian diff
    (closes: #670799).

 -- Michael Gilbert  Sun, 06 May 2012 20:35:38 -0400

libxslt (1.1.26-10) unstable; urgency=low

  * QA upload.
  * Fix building for real: (Closes: #666333)
    - make(1) targets accumulate, they do not replace
    - You absolutely must not have a build-% (wildcard) target!
    - Never have a directory (or file) with the same name as a
      (phony) target, as it *will* prevent the target from being
      run while that file/directory exists, with varying messages
    => rename ./build/ to builddir and build-% to dobuild-%
    Discovered while trying to hand-fix an m68k build.
  * Throw in some lintian fixes (manpage, spelling) for good measure.

 -- Thorsten Glaser  Sun, 06 May 2012 16:02:55 +0000

libxslt (1.1.26-9) unstable; urgency=low

  * QA upload.
  * Set maintainer to Debian QA Group
  * Clear uploaders
  * Fix building with build-arch. Closes: 666333.

 -- Peter Michael Green  Tue, 24 Apr 2012 23:23:50 +0000

# For older changelog entries, run 'apt-get changelog libxslt1.1'