Hi Adam,

> That's rather large for a regression fix.

Agreed. I had previously tried fixing the patch that broke Yubikey NEO support, but I was unsuccessful. This is documented in #910786.

I can understand concerns about updating the upstream version; the only other option I see would involve removing one if not all patches that were added in opensc/0.16.0-3+deb9u1 -- and re-introducing CVE-worthy bugs.

I had the impression that updating to a new upstream version was a done deal. Quoting yourself (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913674#10):

,----
| Firstly, one needs to identify whether the same issue affects the
| package in unstable.
|
| Once it's been confirmed that unstable is no{t, longer} affected,
| someone should produce a fixed package and open a p-u bug to document
| uploading that to proposed-updates.
`----

Part 1 is done: I can attest that the version in unstable (0.19.0-1) is NOT affected by the Yubikey NEO issue.

Part 2 is also basically done, I was just asking for advice on what to include in the changelog.

Cheers,
-Hilko