libonig (5.9.5-3.2+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * CVE-2019-19012: an integer overflow in the search_in_range
    function in regexec.c leads to an out-of-bounds read, in which the
    offset of this read is under the control of an attacker. (This
    only affects the 32-bit compiled version). Remote attackers can
    cause a denial-of-service or information disclosure, or possibly
    have unspecified other impact, via a crafted regular expression.
  * CVE-2019-19204: in the function fetch_range_quantifier in
    regparse.c, PFETCH is called without checking PEND. This leads to
    a heap-based buffer over-read
  * CVE-2019-19246: heap-based buffer over-read in
    str_lower_case_match in regexec.c.

 -- Sylvain Beucler <beuc@debian.org>  Tue, 03 Dec 2019 18:38:09 +0100

libonig (5.9.5-3.2+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Backport recursion monitoring (with a fixed limit to avoid
    changing the API; higher limit exhausts the default stack size)
  * Fix CVE-2019-16163: Oniguruma before 6.9.3 allows Stack Exhaustion
    in regcomp.c because of recursion in regparse.c.

 -- Sylvain Beucler <beuc@debian.org>  Wed, 11 Sep 2019 15:30:09 +0200

libonig (5.9.5-3.2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-13224:
    A use-after-free in onig_new_deluxe() in regext.c allows
    attackers to potentially cause information disclosure, denial of service,
    or possibly code execution by providing a crafted regular expression. The
    attacker provides a pair of a regex pattern and a string, with a multi-byte
    encoding that gets handled by onig_new_deluxe().

 -- Markus Koschany <apo@debian.org>  Wed, 17 Jul 2019 14:56:48 +0200

libonig (5.9.5-3.2+deb8u1) jessie; urgency=medium

  * New debian/patches/0500-CVE-2017-922[4-9].patch:
    - Cherrypicked from upstream to correct:
      + CVE-2017-9224 (Closes: #863312)
      + CVE-2017-9226 (Closes: #863314)
      + CVE-2017-9227 (Closes: #863315)
      + CVE-2017-9228 (Closes: #863316)
      + CVE-2017-9229 (Closes: #863318)

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Sun, 02 Jul 2017 14:28:34 +0200

libonig (5.9.5-3.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix version for calls to dpkg-maintscript-helper symlink_to_dir.
    (closes: #769556).

 -- Ivo De Decker <ivodd@debian.org>  Sun, 28 Dec 2014 12:11:12 +0100

libonig (5.9.5-3.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add missing pre-dependency on dpkg for dpkg-maintscript-helper
    symlink_to_dir (closes: #769556).

 -- Julien Cristau <jcristau@debian.org>  Sat, 15 Nov 2014 11:53:45 +0100

libonig (5.9.5-3) unstable; urgency=medium

  * Add debian/libonig2-dbg.(preinst|postinst|postrm) to prevent
    error on upgrade wheezy to jessie. (Closes: #768267)

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Thu, 06 Nov 2014 21:32:20 +0100

libonig (5.9.5-2) unstable; urgency=medium

  * rename debian/*.doc-base
  * add html files to doc
  * change debian/rules for hardening
  * remove Multi-Arch from libonig-dev (Closes: #747897)

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Tue, 13 May 2014 10:25:38 +0200

libonig (5.9.5-1) unstable; urgency=medium

  * remove *.so.* files from libonig2-dbg
    (same files as in libonig2)
  * add debian/libonig-dev.doc-base
  * add debian/symbols
  * rewrite debian/copyright
  * rewrite debian/rules (Closes: #645940)
  * patch buildsystem (Closes: #734683)
  * change lib version to 2.1.0
  * Bump compat to 9
  * Update to upstream version 5.9.5 (Closes: #661616)
  * Bump Standarts to 3.9.5
  * New Maintainer (Closes: #747187)

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Wed, 07 May 2014 16:39:54 +0200

libonig (5.9.1-1) unstable; urgency=low

  [ Max Kellermann ]
  * new upstream release
  * acknowledge NMU, thanks Laurent (closes: #426355)
  * run test suite after build
  * added watch file
  * bumped Standards-Version to 3.7.3
  * added homepage header to debian/control
  * priority "extra"

 -- Alexander Wirt <formorer@debian.org>  Mon, 07 Jan 2008 11:46:27 +0100

libonig (5.9.0-0.1) unstable; urgency=low

  * Non-maintainer upload.
  * New upstream release (Closes: #426355)
  * debian/control:
    - Use binary:Version instead of Source-Version
  * debian/rules:
    - Don't hide make distclean error
    - Fix copy of config.{sub,guess}
    - Remove deprecated DH_COMPAT and use compat file instead

 -- Laurent Bigonville <bigon@bigon.be>  Sat, 04 Aug 2007 15:07:34 +0200

libonig (5.5.2-1) unstable; urgency=low

  * new upstream release

 -- Max Kellermann <max@duempel.org>  Wed, 14 Feb 2007 23:12:29 +0100

libonig (5.5.0-1) unstable; urgency=low

  [ Max Kellermann ]
  * new upstream release
  * update config.{sub,guess} in debian/rules
  * removed libonig.la

 -- Alexander Wirt <formorer@debian.org>  Wed,  6 Dec 2006 20:51:10 +0100

libonig (5.2.0-1) unstable; urgency=low

  * new upstream release
  * updated copyright file since license has been changed to BSD

 -- Max Kellermann <max@duempel.org>  Wed, 15 Nov 2006 09:32:24 +0100

libonig (4.4.4-1) unstable; urgency=low

  * initial debian release (Closes: #388412)

 -- Max Kellermann <max@duempel.org>  Wed, 20 Sep 2006 12:17:40 +0200
