How do I unsubscribe? On November 13, 2018 6:10:23 PM EST, Hilko Bengen <ben...@debian.org> wrote: >* Adam D. Barratt: > >> On Tue, 2018-11-13 at 22:54 +0100, Hilko Bengen wrote: >>> >>> A few weeks ago I reported that a security patch in >>> opensc/0.16.0-3+deb9u1 broke support for Yubkey NEO devices >(#910786, >>> severity serious). Unfortunately, this did not prevent opensc from >>> being included in the recent stretch point release. >> >> Indeed, because no-one reported it to us. (No, filing an RC bug >doesn't >> count as notifying SRM, I'm afraid.) > >Thanks for the clarification. I must have somehow assumed that there >would be a similar process in place as we have for migtations from >unstable to testing. > >Perhaps adding some sort of automatic notification might make sense >-- >for my taste there is a bit too much "tribal knowledge" going on here. > >But back to the immediate issue: > >>> What can we do to fix the package now? >> >> Firstly, one needs to identify whether the same issue affects the >> package in unstable. > >A trivial backport of opensc/0.19.0-1 works for the simple test I >reported in #910786 -- and for my OpenVPN setup, albeit not without >some >reconfiguration. (A NEWS.Debian entry might be in order here.) > >All CVE-documented bugs that are mentioned in the 0.16.0-3+deb9u1 >changelog have also been fixed in 0.19.0 -- according to the upstream >NEWS file. > >Cheers, >-Hilko
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
