debian/opensc.NEWS: Add a note about old data objects not being safe.

marschap · Mar 2, 2009 · 63c55d8 · 63c55d8
1 parent ec26f58
commit 63c55d8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/debian/changelog b/debian/changelog
@@ -1,4 +1,4 @@
-opensc (0.11.4-5lenny1) stable-security; urgency=critical
+opensc (0.11.4-5+lenny1) stable-security; urgency=critical
 
   * src/pkcs15init/asepcos.profile, src/pkcs15init/cardos.profile,
     src/pkcs15init/cyberflex.profile, src/pkcs15init/flex.profile,
@@ -11,8 +11,9 @@ opensc (0.11.4-5lenny1) stable-security; urgency=critical
     lock_login and soft_keygen_allowed to prevent untrusted applications
     from using the smartcard and preventing unexpected client side key
     generation.
+  * debian/opensc.NEWS: Add a note about old data objects not being safe.
 
- --
+ -- Eric Dorland <eric@debian.org>  Sat, 28 Feb 2009 18:33:41 -0500
 
 opensc (0.11.4-5) unstable; urgency=high
 

diff --git a/debian/opensc.NEWS b/debian/opensc.NEWS
@@ -1,3 +1,15 @@
+opensc (0.11.4-5lenny1) stable-security; urgency=critical
+
+  As documented in CVE-2009-0368, versions of OpenSC before this one
+  did not create private data objects (using the --private flag)
+  correctly. This version will create new private data objects
+  correctly, but will not correct existing private data objects
+  correctly. The safest way to work around this is to erase your card
+  and start from scratch, but see the advisory for further options.
+
+ -- Eric Dorland <eric@debian.org>  Sat, 28 Feb 2009 18:33:41 -0500
+
+
 opensc (0.10.1-1) unstable; urgency=high
 
     As of version of 0.10.0, the libopensc-openssl and libpam-opensc are