Bug#881857: add CVE

Salvatore Bonaccorso carnil at debian.org
Sat Nov 18 13:10:31 UTC 2017


On Fri, Nov 17, 2017 at 05:43:54PM +0100, Ferenc Wágner wrote:
> Salvatore Bonaccorso <carnil at debian.org> writes:
> > Thanks, need to check why my mail for 881857 did not went trough
> > (since I retitled both with the CVE assignments).
> I think you used the same bug number in both.

Oh wow, that's sort of higly embarassing. Apologies about that :(

> Now, this is still ongoing:
> https://release.debian.org/transitions/html/auto-xerces-c.html
> The upstream fixes for this issue appeared as new patch level releases
> for XMLTooling (1.6.2), OpenSAML (2.6.1) and the SP (2.6.1).  Shall I
> wait for the transition to finish before uploading them?

It's honestly not something I can advise with the security team hat
on. But since the transition is ongoing it's probably best to wait
until the transition has happened. But alternatively ask the release
team if it's fine to upload a targetted fix with urgency=high and do a
new upstream import possibly just later to avoid blocking the
tranisition in case some problems arise with the new upstream imported

Please do not take above with care, best is to have import from
release team to not block their work on transition.


More information about the Pkg-shibboleth-devel mailing list