Bug#913674: release.debian.org: Regression: Recent upgrade of opensc breaks Yubikey NEO support
* Adam D. Barratt:
> On Tue, 2018-11-13 at 22:54 +0100, Hilko Bengen wrote:
>>
>> A few weeks ago I reported that a security patch in
>> opensc/0.16.0-3+deb9u1 broke support for Yubikey NEO devices (#910786,
>> severity serious). Unfortunately, this did not prevent opensc from
>> being included in the recent stretch point release.
>
> Indeed, because no-one reported it to us. (No, filing an RC bug doesn't
> count as notifying SRM, I'm afraid.)

Thanks for the clarification. I must have somehow assumed that there
would be a similar process in place as we have for migrations from
unstable to testing.

Perhaps adding some sort of automatic notification might make sense --
for my taste there is a bit too much "tribal knowledge" going on here.

But back to the immediate issue:

>> What can we do to fix the package now?
>
> Firstly, one needs to identify whether the same issue affects the
> package in unstable.

A trivial backport of opensc/0.19.0-1 works for the simple test I
reported in #910786 -- and for my OpenVPN setup, albeit not without some
reconfiguration. (A NEWS.Debian entry might be in order here.)

All CVE-documented bugs that are mentioned in the 0.16.0-3+deb9u1
changelog have also been fixed in 0.19.0 -- according to the upstream
NEWS file.

Cheers,
-Hilko