
Bug#888510: stretch-pu: package xmltooling/1.6.0-4



Hi,

On Wed, 2018-02-28 at 06:45 +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Fri, Feb 23, 2018 at 04:51:23PM +0000, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Fri, 2018-01-26 at 15:31 +0100, Ferenc Wágner wrote:
> > > The Security Team advised that CVE-2018-0486 should be fixed by a
> > > stable update, because it isn't exploitable in the stretch version
> > > of the Shibboleth stack, but software outside Debian could still be
> > > affected by the issue.  Stretch currently has version 1.6.0;
> > > upstream fixed this security issue in 1.6.3 (already uploaded to
> > > unstable).  Since 1.6.2 was a revert of most of the changes in
> > > 1.6.1, 1.6.3 is effectively three code changes beyond 1.6.0: the
> > > security fix itself:
> > 
> > [...]
> > > Based on the above, a stable update straight to 1.6.3 does not seem
> > > unreasonable to me, but it's your call, certainly.  Backporting the
> > > first hunk (the relevant security fix) is easy enough.  On the other
> > > hand, having version numbers reflecting the reality can be useful.
> > 
> > Indeed, that doesn't seem entirely unreasonable.
> > 
> > > So, what version number should I post the debdiff for?  Please
> > > include the Debian part as well, I haven't prepared stable updates
> > > yet.
> > 
> > 1.6.3-1~deb9u1, in this case.
> > 
> > > Also, if you can estimate: when can we expect the next stable
> > > update, that is, how much time have I got for this process?
> > 
> > We can do better than that - the window for the next point release
> > closes next weekend. Of course, if you don't make that, there'll
> > always be the next time.
> 
> FTR, there was an xmltooling DSA yesterday including the fix. But I
> guess the basic question remains if xmltooling still can be updated
> to 1.6.3 (or now 1.6.4 based version?) for stretch.

I was under the impression from the above exchange that Ferenc was
going to provide a debdiff so we could see exactly what that looked
like. I guess that now wants to be relative to the security update.

Regards,

Adam

