xerces-c2-2.8.0-3+lenny1: permission to upload to stable
- To: debian-release@lists.debian.org
- Subject: xerces-c2-2.8.0-3+lenny1: permission to upload to stable
- From: Jay Berkenbilt <qjb@debian.org>
- Date: Sat, 06 Feb 2010 22:15:44 -0500
- Message-id: <20100206221544.1122185691.qww314159@soup>
The current xerces-c2 package, 2.8.0+deb1-2, contains a patch supplied
by upstream to address CVE-2009-1885. The security team has deemed that
this is not important enough for a DSA, and I agree. From Giuseppe
Iuculano:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for xerces-c2 and xerces27 some time ago.
>
> CVE-2009-1885[0]:
> | Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in
> | Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers
> | to cause a denial of service (application crash) via vectors involving
> | nested parentheses and invalid byte values in "simply nested DTD
> | structures," as demonstrated by the Codenomicon XML fuzzing framework.
>
> Unfortunately the vulnerability described above is not important
> enough to get it fixed via regular security update in Debian stable
> and oldstable. It does not warrant a DSA.
>
> However it would be nice if this could get fixed via a regular point
> update[1]. Please contact the release team for this.
As it happens, the patch from 2.8.0+deb1-2 applies perfectly to the
version in stable, so preparing an update to stable is trivial. With
the permission of the release team, I will prepare the upload. I'm not
sure what the best way to do this is. I can either prepare an upload to
stable or I can supply a patch that can be applied to the version of the
package in stable. I don't presently have a stable chroot to build in,
though I can obviously make one to prepare the package if it would help.
My changelog starts with this:
xerces-c2 (2.8.0-3+lenny1) stable; urgency=low
I also added the patch to the debian/patches directory after
regenerating it (just to be sure) and changing its name based on the
different packaging of the older version.
[note to self: ~/tmp/xerces-c2-2.8.0-3+lenny1.patch]
--
Jay Berkenbilt <qjb@debian.org>
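The CVE text quoted in the message above describes the failure class only in outline: a recursive DTD content-model scanner whose stack use grows with every nested parenthesis, so an attacker-supplied DTD with deep enough nesting exhausts the stack. The following is an added illustration, written for this page and not taken from Xerces-C, the Debian patch, or the upstream fix; it is a toy content-model scanner for groups such as `(a|(b,(c)*))` that recurses once per nested group, with a configurable nesting limit as the guard that keeps stack consumption bounded. Names (`scan_content_model`, `make_nested`, the `cm_status` codes) and the limit of 64 in `main` are assumptions for the example; the nested inputs are constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the toy content-model scanner (assumed names). */
enum cm_status { CM_OK = 0, CM_UNBALANCED = 1, CM_TOO_DEEP = 2, CM_BAD_CHAR = 3 };

struct cm_scanner {
    const char *p;   /* cursor into the input */
    int depth;       /* current '(' nesting depth */
    int max_depth;   /* nesting limit that bounds recursion, hence stack use */
    int max_seen;    /* deepest nesting reached, for reporting */
};

static int is_name_char(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.' || c == '#';
}

/* Grammar of the toy model:
 *   group := '(' item (('|' | ',') item)* ')' occ?
 *   item  := name occ? | group
 *   occ   := '?' | '*' | '+'
 * scan_group() calls itself (via scan_item) once per nested '(', so each
 * nesting level costs one stack frame; without the max_depth check the
 * input length alone decides how deep the recursion goes. */
static enum cm_status scan_item(struct cm_scanner *s);

static enum cm_status scan_group(struct cm_scanner *s) {
    if (*s->p != '(') return CM_BAD_CHAR;
    if (s->depth >= s->max_depth) return CM_TOO_DEEP;  /* refuse before recursing */
    s->p++;
    s->depth++;
    if (s->depth > s->max_seen) s->max_seen = s->depth;
    for (;;) {
        enum cm_status st = scan_item(s);
        if (st != CM_OK) return st;
        if (*s->p == '|' || *s->p == ',') { s->p++; continue; }
        if (*s->p == ')') { s->p++; break; }
        return *s->p ? CM_BAD_CHAR : CM_UNBALANCED;  /* other byte, or input ended */
    }
    s->depth--;
    if (*s->p == '?' || *s->p == '*' || *s->p == '+') s->p++;
    return CM_OK;
}

static enum cm_status scan_item(struct cm_scanner *s) {
    if (*s->p == '(') return scan_group(s);
    if (!is_name_char(*s->p)) return *s->p == '\0' ? CM_UNBALANCED : CM_BAD_CHAR;
    while (is_name_char(*s->p)) s->p++;
    if (*s->p == '?' || *s->p == '*' || *s->p == '+') s->p++;
    return CM_OK;
}

/* Scan a whole content model under a nesting limit; reports deepest level seen. */
enum cm_status scan_content_model(const char *model, int max_depth, int *deepest) {
    struct cm_scanner s = { model, 0, max_depth, 0 };
    enum cm_status st = scan_group(&s);
    if (st == CM_OK && *s.p != '\0') st = CM_BAD_CHAR;  /* trailing bytes */
    if (deepest) *deepest = s.max_seen;
    return st;
}

/* Constructed input: n nested groups around one name, "(((x)))" for n = 3. */
char *make_nested(int n) {
    char *buf = malloc((size_t)n * 2 + 2);
    memset(buf, '(', (size_t)n);
    buf[n] = 'x';
    memset(buf + n + 1, ')', (size_t)n);
    buf[2 * n + 1] = '\0';
    return buf;
}

int main(void) {
    int deepest;
    char *deep = make_nested(1000000);  /* far beyond any sane DTD */
    printf("(a|(b,(c)*)) -> %d, deepest %d\n",
           scan_content_model("(a|(b,(c)*))", 64, &deepest), deepest);
    printf("1e6 nested   -> %d, deepest %d\n",
           scan_content_model(deep, 64, &deepest), deepest);
    free(deep);
    return 0;
}
```

With the limit in place the million-level input is rejected after 64 frames instead of recursing a million times; the same input against a scanner without the check is the stack-consumption case the CVE text describes.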