Bug#888510: stretch-pu: package xmltooling/1.6.0-4
Hi
On Fri, Feb 23, 2018 at 04:51:23PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Fri, 2018-01-26 at 15:31 +0100, Ferenc Wágner wrote:
> > The Security Team advised that CVE-2018-0486 should be fixed by a
> > stable update, because it isn't exploitable in the stretch version of
> > the Shibboleth stack, but software outside Debian could still be
> > affected by the issue. Stretch currently has version 1.6.0; upstream
> > fixed this security issue in 1.6.3 (already uploaded to unstable).
> > Since 1.6.2 was a revert of the most part of the changes in 1.6.1,
> > 1.6.3 is effectively three code changes beyond 1.6.0: the security
> > fix itself:
> [...]
> > Based on the above, a stable update straight to 1.6.3 does not seem
> > unreasonable to me, but it's your call, certainly. Backporting the
> > first hunk (the relevant security fix) is easy enough. On the other
> > hand, having version numbers reflecting the reality can be useful.
>
> Indeed, that doesn't seem entirely unreasonable.
>
> > So, what version number should I post the debdiff for? Please
> > include the Debian part as well, I haven't prepared stable updates
> > yet.
>
> 1.6.3-1~deb9u1, in this case.
>
> > Also, if you can estimate: when can we expect the next stable update,
> > that is, how much time have I got for this process?
>
> We can do better than that - the window for the next point release
> closes next weekend. Of course, if you don't make that, there'll always
> be the next time.
FTR, there was a xmltooling DSA yesterday including the fix. But I
guess the basic question remains if xmltooling still can be updated to
1.6.3 (or now 1.6.4 based version?) for stretch.
Regards,
Salvatore