Control: tags -1 - moreinfo "Adam D. Barratt" <a...@adam-barratt.org.uk> writes:
> On Wed, 2018-02-28 at 06:45 +0100, Salvatore Bonaccorso wrote: > >> FTR, there was a xmltooling DSA yesterday including the fix. But I >> guess the basic question remains if xmltooling still can be updated >> to 1.6.3 (or now 1.6.4 based version?) for stretch. > > I was under the impression from the above exchange that Ferenc was > going to provide a debdiff so we could see exactly what that looked > like. I guess that now wants to be relative to the security update. Hi, I was waiting for the DSA with the followup on this. I think this issue is moot now, because 1.6.0-4+deb9u1 actually contains the fix for CVE-2018-0486 as well, partly because the CVE-2018-0489 fix (which was the reason for DSA-4126-1) was easier to apply on that. So the original basis of this request for a stable update is no more. In practice the above means that the diff between current stable- security (1.6.0-4+deb9u1) and current unstable (1.6.4-1) just got smaller: it's only the version numbers and the Visual C compilation fix. But I don't think these alone warrant a stable update, however elegant that would be. If you agree, I think we can close this issue without further action. -- Regards, Feri