xml-security-c17 defect - patches in Ubuntu 14.04 and 18.04

Asked by Alejandro Claro

We found a bug in Apache Santuario C, related to ECDSA signature generation, a few years ago. We provided the fix to the Apache team, and Scott Cantor kindly accepted the fix in the project. However, the fix was introduced in the 2.x series of the library.

The fix we provided was for version 1.7.x, found in Ubuntu 14.04, and it looks like Ubuntu 18.04 is still including a version from the 1.7.x series. Our products go through certification processes where using source code without patches is something very well seen.

We are interested in exploring the possibility of starting a communication with the Ubuntu maintainers team, in order to request the inclusion of some patches or version upgrades in libraries we are contributing to and using in products based on Ubuntu minimal 14.04 and 18.04.

I would like to ask for your advice in this matter.

Best Regards,
Alejandro Claro.

Manfred Hampl (m-hampl) said :

For communication with the "Ubuntu maintainers team" you had better use the bug tracker.
If you are sure that the bug is not applied in the Ubuntu-provided version for bionic (and earlier), then you are invited to create a bug report.

But: you have to be aware that Ubuntu is taking over packages from Debian (to avoid double packaging work). And as far as the version numbers show, the current packages are all identical to the packages on Debian. So it might even be better to discuss this with Debian.

And a last comment: there are PPAs available with version 2.* for bionic. This might also provide a workaround for you.

Manfred Hampl (m-hampl) said :

oops, typo, … if you are sure that the patch is not applied …

Alejandro Claro (aclaro) said :

Thank you very much Manfred,

I will try to contact the Debian team and post a bug using the bug tracker.