Bug#881857: add CVE

Ferenc Wágner wferi at niif.hu
Sat Nov 18 10:12:01 UTC 2017

"Cantor, Scott" <cantor.2 at osu.edu> writes:

> On 11/17/17, 11:48 AM, "Pkg-shibboleth-devel on behalf of Ferenc Wágner" <pkg-shibboleth-devel-bounces+cantor.2=osu.edu at lists.alioth.debian.org on behalf of wferi at niif.hu> wrote:
>> Now, this is still ongoing:
>> https://release.debian.org/transitions/html/auto-xerces-c.html
>> The upstream fixes for this issue appeared as new patch level releases
>> for XMLTooling (1.6.2), OpenSAML (2.6.1) and the SP (2.6.1).  Shall I
>> wait for the transition to finish before uploading them?
> Sorry if I'm misinterpreting, but is this a source level issue or just
> a question of ABI/build decision? SP 2.6.0/etc. definitely should
> build against Xerces 3.2, and probably many older SP versions would
> also. But if you're just referring to what they were built with in
> Debian packaging cases to date, disregard.

There are no known source-level problems here; it's just that Xerces 3.2
recently replaced 3.1 in Debian unstable, and now all packages using
Xerces are being rebuilt for the new ABI.  Any errors you see there
should be gone once the necessary rebuilds are triggered in the proper
order.  I checked manually that XMLTooling 1.6 in unstable now already
builds with Xerces 3.2 without any changes.  But uploading new versions
can be disruptive during such periods, that's why I asked the security
team about the best course of action.
