
backported gnutls28 3.3.30 packages available for jessie LTS



Hi,

After the lengthy discussion[1] regarding the pending security issues in
GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
determined it might be simpler to just upgrade to the latest upstream
3.3.x version for which upstream is still providing updates. Upstream
agrees with the approach. This removes 35 Debian-specific, backported
patches and fixes other unrelated bugs. The API/ABI *changes*, but it
only adds *new* symbols so the soname versions do not change.

[1]: CABY6=0nu1qG9Beb5qc-mbZfubmQGxp9dbgnicFuPPpiwz+oJnw@mail.gmail.com

I have uploaded the test package in the usual location here:

https://people.debian.org/~anarcat/debian/jessie-lts/

Direct link to the .changes file:

https://people.debian.org/~anarcat/debian/jessie-lts/gnutls28_3.3.30-1+deb8u_amd64.changes

The debdiff is obviously quite large so I haven't audited the whole
diff, which would have basically meant reviewing all the releases
between upstream 3.3.8 and 3.3.0:

 2151 files changed, 65784 insertions(+), 60661 deletions(-)

Note that about 3000 lines of those are from debian/patches removals
that were now unnecessary.

The upstream changelog details all the changes:

https://gitlab.com/gnutls/gnutls/blob/gnutls_3_3_x/NEWS

Our branch point was 3.3.8, over four years ago. The latest 3.3.30
release was last July.

It should be possible to backport the upstream patches for those issues
as well. But considering the amount of work that represented and how
sensitive the issue is, I felt more confident going with upstream's
recommendation.

Extensive testing is recommended. The test suite obviously passes here
(otherwise the package does not build) but there might be other problems
that I haven't foreseen.

Thanks for any feedback.

A.
-- 
Information is not knowledge. Knowledge is not wisdom.
Wisdom is not truth. Truth is not beauty.
Beauty is not love. Love is not music.
Music is the best.      - Frank Zappa
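The mail's compatibility argument rests on one observable property: the new shared object may export additional symbols but must not drop any the old one exported, otherwise dependent packages would need a soname bump. The script below is an added example for checking exactly that; it is not part of the original mail or of the Debian gnutls28 packaging. It assumes GNU `nm` (the `-D`/`--defined-only` flags) for the real-library path, and the `demo` function works on constructed symbol lists so it runs without any library present.

```sh
#!/bin/sh
# Verify that a newer shared object exports a superset of the older one's
# dynamic symbols: additions are allowed, removals indicate an ABI break
# that would require a soname change.
#
# Real use:   removed_symbols "$(mktemp)" ... via exported_symbols old.so new.so
# Offline:    sh abi_superset.sh --demo   (uses constructed sample data)

# Write the sorted, de-duplicated list of defined dynamic symbol names of
# a shared object to stdout. nm -D output is "<addr> <type> <name>".
exported_symbols() {
    nm -D --defined-only "$1" | awk '{print $3}' | sort -u
}

# Arguments: two files of sorted symbol names (old, new).
# Prints every symbol present in the old list but missing from the new one
# and returns 1 if any such symbol exists; returns 0 when nothing was removed.
removed_symbols() {
    old_list=$1
    new_list=$2
    removed=$(comm -23 "$old_list" "$new_list")
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed"
        return 1
    fi
    return 0
}

# Arguments: two files of sorted symbol names (old, new).
# Prints the number of symbols that only the new library exports.
added_symbol_count() {
    comm -13 "$1" "$2" | wc -l | tr -d ' '
}

# Compare two shared objects directly: returns 0 if the new one keeps every
# symbol of the old one, 1 otherwise.
check_library_pair() {
    tmp=$(mktemp -d)
    exported_symbols "$1" > "$tmp/old"
    exported_symbols "$2" > "$tmp/new"
    removed_symbols "$tmp/old" "$tmp/new"
    status=$?
    echo "symbols added: $(added_symbol_count "$tmp/old" "$tmp/new")"
    rm -rf "$tmp"
    return $status
}

# Constructed sample data standing in for the nm output of two library
# versions; the symbol names are placeholders, not real gnutls exports.
demo() {
    tmp=$(mktemp -d)
    printf 'lib_init\nlib_deinit\nlib_handshake\n' | sort -u > "$tmp/old"
    printf 'lib_init\nlib_deinit\nlib_handshake\nlib_added_api\n' | sort -u > "$tmp/new"
    printf 'lib_init\nlib_handshake\n' | sort -u > "$tmp/broken"

    echo "old -> new (only additions):"
    removed_symbols "$tmp/old" "$tmp/new" && echo "  OK, no symbols removed"
    echo "  symbols added: $(added_symbol_count "$tmp/old" "$tmp/new")"

    echo "old -> broken (a symbol disappeared):"
    removed_symbols "$tmp/old" "$tmp/broken" || echo "  ABI BREAK: listed symbols were removed"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The check is necessary but not sufficient: a symbol that survives with a changed signature, or a public struct whose layout changed, passes this test and still breaks callers, so it complements rather than replaces running the reverse dependencies' test suites against the rebuilt package.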

