Hi,

On Wed, 2018-02-28 at 06:45 +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Fri, Feb 23, 2018 at 04:51:23PM +0000, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Fri, 2018-01-26 at 15:31 +0100, Ferenc Wágner wrote:
> > > The Security Team advised that CVE-2018-0486 should be fixed by a
> > > stable update, because it isn't exploitable in the stretch version
> > > of the Shibboleth stack, but software outside Debian could still be
> > > affected by the issue. Stretch currently has version 1.6.0; upstream
> > > fixed this security issue in 1.6.3 (already uploaded to unstable).
> > > Since 1.6.2 was a revert of most of the changes in 1.6.1, 1.6.3 is
> > > effectively three code changes beyond 1.6.0: the security fix itself:
> >
> > [...]
> >
> > > Based on the above, a stable update straight to 1.6.3 does not seem
> > > unreasonable to me, but it's your call, certainly. Backporting the
> > > first hunk (the relevant security fix) is easy enough. On the other
> > > hand, having version numbers reflecting the reality can be useful.
> >
> > Indeed, that doesn't seem entirely unreasonable.
> >
> > > So, what version number should I post the debdiff for? Please
> > > include the Debian part as well, I haven't prepared stable updates
> > > yet.
> >
> > 1.6.3-1~deb9u1, in this case.
> >
> > > Also, if you can estimate: when can we expect the next stable
> > > update, that is, how much time have I got for this process?
> >
> > We can do better than that - the window for the next point release
> > closes next weekend. Of course, if you don't make that, there'll
> > always be the next time.
>
> FTR, there was an xmltooling DSA yesterday including the fix. But I
> guess the basic question remains if xmltooling still can be updated
> to 1.6.3 (or now a 1.6.4-based version?) for stretch.

I was under the impression from the above exchange that Ferenc was going
to provide a debdiff so we could see exactly what that looked like. I
guess that now wants to be relative to the security update.

Regards,

Adam