On Fri, 2018-01-26 at 15:31 +0100, Ferenc Wágner wrote:
> The Security Team advised that CVE-2018-0486 should be fixed by a stable
> update, because it isn't exploitable in the stretch version of the
> Shibboleth stack, but software outside Debian could still be affected
> by the issue.  Stretch currently has version 1.6.0; upstream fixed this
> security issue in 1.6.3 (already uploaded to unstable).  Since 1.6.2 was
> a revert of most of the changes in 1.6.1, 1.6.3 is effectively
> three code changes beyond 1.6.0: the security fix itself:
> Based on the above, a stable update straight to 1.6.3 does not seem
> unreasonable to me, but it's your call, certainly.  Backporting the
> first hunk (the relevant security fix) is easy enough.  On the other
> hand, having version numbers reflecting the reality can be useful.

Indeed, that doesn't seem entirely unreasonable.

> So, what version number should I post the debdiff for?  Please
> include the Debian part as well, I haven't prepared stable updates
> yet.

1.6.3-1~deb9u1, in this case.

> Also, if you can estimate: when can we expect the next stable update,
> that is, how much time have I got for this process?

We can do better than that - the window for the next point release
closes next weekend. Of course, if you don't make that, there'll always
be the next time.
