Hi,

Russ Allbery wrote:
> The Shibboleth suite of software and libraries, which includes xmltooling,
> opensaml2, and shibboleth-sp2, has had several vulnerabilities announced
> over the past month and a half. Most of those are in xmltooling and are
> being handled in conjunction with the Debian Security Team. However, part
> of one of the more minor fixes is in opensaml2, and at the recommendation
> of the security team, I'm proposing that change through the stable update
> process.

SRMs, please hold this request.
It became apparent from #549936 that the changes to xmltooling and opensaml2/shibboleth-sp2 needed to go in together; the current situation, in which xmltooling has been updated (via security) but opensaml2 hasn't, resulted in breakage under certain, very likely conditions.

AIUI, the opensaml2 update will have to go in via security as well, isn't that correct?

> Please note that this fix is in a header file in a function that's
> inlined, so after this update is accepted (assuming it's accepted),
> shibboleth-sp2 in stable will need to be rebuilt against the new version
> of opensaml2. I understand that this can be done via the proposed-updates
> mechanism with a binary NMU.

This problem still stands but it will have to be updated in security instead of proposed-updates. I guess a sourceful upload will be needed instead of a binNMU in this case?

(Russ Allbery is currently unable to work on this right now and has asked for someone else to take over, since things are quite broken right now. I'm not the maintainer for any of these, so extra care should be taken.)

Thanks,
Faidon