* Adam D. Barratt:

> On Tue, 2018-11-13 at 22:54 +0100, Hilko Bengen wrote:
>>
>> A few weeks ago I reported that a security patch in
>> opensc/0.16.0-3+deb9u1 broke support for YubiKey NEO devices (#910786,
>> severity serious). Unfortunately, this did not prevent opensc from
>> being included in the recent stretch point release.
>
> Indeed, because no-one reported it to us. (No, filing an RC bug doesn't
> count as notifying SRM, I'm afraid.)
Thanks for the clarification. I must have somehow assumed that there would be a similar process in place as we have for migrations from unstable to testing. Perhaps adding some sort of automatic notification might make sense -- for my taste there is a bit too much "tribal knowledge" going on here.

But back to the immediate issue:

>> What can we do to fix the package now?
>
> Firstly, one needs to identify whether the same issue affects the
> package in unstable.

A trivial backport of opensc/0.19.0-1 works for the simple test I reported in #910786 -- and for my OpenVPN setup, albeit not without some reconfiguration. (A NEWS.Debian entry might be in order here.)

All CVE-documented bugs that are mentioned in the 0.16.0-3+deb9u1 changelog have also been fixed in 0.19.0 -- according to the upstream NEWS file.

Cheers,
-Hilko