libonig (5.9.1-1+deb7u4) wheezy-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * CVE-2019-19012: an integer overflow in the search_in_range
    function in regexec.c leads to an out-of-bounds read, in which the
    offset of this read is under the control of an attacker. (This
    only affects the 32-bit compiled version.) Remote attackers can
    cause a denial-of-service or information disclosure, or possibly
    have unspecified other impact, via a crafted regular expression.
  * CVE-2019-19204: in the function fetch_range_quantifier in
    regparse.c, PFETCH is called without checking PEND. This leads to
    a heap-based buffer over-read.
  * CVE-2019-19246: heap-based buffer over-read in
    str_lower_case_match in regexec.c.

 -- Sylvain Beucler <beuc@debian.org>  Tue, 03 Dec 2019 17:42:09 +0100

libonig (5.9.1-1+deb7u3) wheezy-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Backport recursion monitoring (with a fixed limit to avoid
    changing the API; higher limit exhausts the default stack size)
  * Fix CVE-2019-16163: Oniguruma before 6.9.3 allows Stack Exhaustion
    in regcomp.c because of recursion in regparse.c.

 -- Sylvain Beucler <beuc@debian.org>  Wed, 11 Sep 2019 15:28:09 +0200

libonig (5.9.1-1+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2019-13224:
    A use-after-free in onig_new_deluxe() in regext.c allows
    attackers to potentially cause information disclosure, denial of service,
    or possibly code execution by providing a crafted regular expression. The
    attacker provides a pair of a regex pattern and a string, with a multi-byte
    encoding that gets handled by onig_new_deluxe().

 -- Markus Koschany <apo@debian.org>  Wed, 17 Jul 2019 01:02:55 +0200

libonig (5.9.1-1+deb7u1) wheezy-security; urgency=high

  * New debian/patches/0500-CVE-2017-922[4-9].patch:
    - Cherrypicked from upstream to correct:
      + CVE-2017-9224 (Closes: #863312)
      + CVE-2017-9226 (Closes: #863314)
      + CVE-2017-9227 (Closes: #863315)
      + CVE-2017-9228 (Closes: #863316)
      + CVE-2017-9229 (Closes: #863318)
  * debian/control:
    - Add myself as maintainer.
  * Add missing debian/source/format.

 -- Jörg Frings-Fürst <debian@jff-webhosting.net>  Fri, 26 May 2017 08:27:02 +0200

libonig (5.9.1-1) unstable; urgency=low

  [ Max Kellermann ]
  * new upstream release
  * acknowledge NMU, thanks Laurent (closes: #426355)
  * run test suite after build
  * added watch file
  * bumped Standards-Version to 3.7.3
  * added homepage header to debian/control
  * priority "extra"

 -- Alexander Wirt <formorer@debian.org>  Mon, 07 Jan 2008 11:46:27 +0100

libonig (5.9.0-0.1) unstable; urgency=low

  * Non-maintainer upload.
  * New upstream release (Closes: #426355)
  * debian/control:
    - Use binary:Version instead of Source-Version
  * debian/rules:
    - Don't hide make distclean error
    - Fix copy of config.{sub,guess}
    - Remove deprecated DH_COMPAT and use compat file instead

 -- Laurent Bigonville <bigon@bigon.be>  Sat, 04 Aug 2007 15:07:34 +0200

libonig (5.5.2-1) unstable; urgency=low

  * new upstream release

 -- Max Kellermann <max@duempel.org>  Wed, 14 Feb 2007 23:12:29 +0100

libonig (5.5.0-1) unstable; urgency=low

  [ Max Kellermann ]
  * new upstream release
  * update config.{sub,guess} in debian/rules
  * removed libonig.la

 -- Alexander Wirt <formorer@debian.org>  Wed,  6 Dec 2006 20:51:10 +0100

libonig (5.2.0-1) unstable; urgency=low

  * new upstream release
  * updated copyright file since license has been changed to BSD

 -- Max Kellermann <max@duempel.org>  Wed, 15 Nov 2006 09:32:24 +0100

libonig (4.4.4-1) unstable; urgency=low

  * initial debian release (Closes: #388412)

 -- Max Kellermann <max@duempel.org>  Wed, 20 Sep 2006 12:17:40 +0200
