Bug#913674: release.debian.org: Regression: Recent upgrade of opensc breaks Yubikey NEO support



How do I unsubscribe?

On November 13, 2018 6:10:23 PM EST, Hilko Bengen <bengen@debian.org> wrote:
* Adam D. Barratt:

On Tue, 2018-11-13 at 22:54 +0100, Hilko Bengen wrote:

A few weeks ago I reported that a security patch in
opensc/0.16.0-3+deb9u1 broke support for Yubikey NEO devices (#910786,
severity serious). Unfortunately, this did not prevent opensc from
being included in the recent stretch point release.

Indeed, because no-one reported it to us. (No, filing an RC bug doesn't
count as notifying SRM, I'm afraid.)

Thanks for the clarification. I must have somehow assumed that there
would be a similar process in place as we have for migrations from
unstable to testing.

Perhaps adding some sort of automatic notification might make sense --
for my taste there is a bit too much "tribal knowledge" going on here.

But back to the immediate issue:

What can we do to fix the package now?

Firstly, one needs to identify whether the same issue affects the
package in unstable.

A trivial backport of opensc/0.19.0-1 works for the simple test I
reported in #910786 -- and for my OpenVPN setup, albeit not without some
reconfiguration. (A NEWS.Debian entry might be in order here.)

All CVE-documented bugs that are mentioned in the 0.16.0-3+deb9u1
changelog have also been fixed in 0.19.0 -- according to the upstream
NEWS file.

Cheers,
-Hilko


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.