Control: tags -1 confirmed On 14/03/2019 15:47, Ferenc Wágner wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package xmltooling > > Dear Release Team, > > The #924346 security issue was fixed in stretch a couple of days ago by > backporting the fix from the new upstream security release: 3.0.4. > Beyond the unauthenticated remote DoS patch, this new upstream release > consists of two other bugfixes: an interoperability issue with the > Expect header (https://issues.shibboleth.net/jira/browse/CPPXT-144) and > an incorrect C++ code usage pattern invoking undefined behavior via > boost::bind (https://issues.shibboleth.net/jira/browse/SSPCPP-847). > I think buster would be better with these included, so I ask for your > permission to to upload 3.0.4-1 to unstable with a future unblock. > Urgency is set to high below because of the security issue, but I'm not > sure about that, please advise. If this isn't acceptable at all, I'll > cherry pick the security fix, upload 3.0.3-2 and open an unblock request > for that.
The diff looks fine, please go ahead with 3.0.4-1. The urgency set to high sounds good for documentation purposes, but doesn't really matter because britney is currently set to ignore the urgency. Cheers, Emilio
