jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2.2) oneiric-security; urgency=low

  * SECURITY UPDATE: Hash DoS vulnerability in parameter 
    handling (LP: #914628):
    - debian/patches/hash-dos-fix.patch: Cherry picked fix from upstream
      to prevent this vulnerability.
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb

 -- James Page <james.page@ubuntu.com>  Fri, 27 Jan 2012 16:01:06 +0000

jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: XSS vulnerability in default error pages.
    - debian/patches/fix_xss.patch: escape error messages which are supposed 
      be plain text and not markup in
      src/java/winstone/ErrorServlet.java,
      src/java/winstone/URIUtil.java,
      src/java/winstone/WinstoneResponse.java
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2011-11-08.cb
  * d/maven.{properties,ignoreRules}: Disabled testing as htmlunit is 
    currently broken in 11.10.

 -- James Page <james.page@ubuntu.com>  Tue, 22 Nov 2011 12:21:24 +0000

jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2) oneiric; urgency=low

  * Support offline validation of XML configuration files (LP: #827651):
    - debian/patches/specification-resources.patch: CDDL/GPL-2 licensed
      xsd+DTD resources for all servlet, jsp and j2ee specifications.
    - debian/copyright: documented copyright + license for 
      specification-resources.patch.
    - debian/control: Removed dependency on libservlet2.5-java, no longer
      required.
    - debian/patches/series,debian/patches/use_system_servletapi.patch: 
      Dropped patch as no longer required.
    - debian/libjenkins-winstone-java.classpath: Dropped as all required
      resources are now included in winstone.

 -- James Page <james.page@ubuntu.com>  Thu, 18 Aug 2011 09:55:33 +0100

jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu1) oneiric; urgency=low

  * Initial release 

 -- James Page <james.page@ubuntu.com>  Wed, 29 Jun 2011 12:16:17 +0100
