Re: buster-pu: package openssl/1.1.1g-1
On Sat, 2020-05-02 at 18:36 +0200, Sebastian Andrzej Siewior wrote:
> I'm fairly late, I know.
Just a little. :-( Particularly as OpenSSL builds udebs.
CCing KiBi and -boot so they're aware of the discussion, but this does
come quite late.
> The last update was addressed via DSA providing only a patch for the
> CVE with severity high. This pu updates Buster's OpenSSL version from
> `d' to current `g' fixing CVE-2019-1551 which was earlier skipped due
> to its low severity.
> The "EOF" bug-fix-regression introduced in `e' is reverted again in
> `g'.
> OpenSSL now checks certificates more strictly. There should be no
> problems with "officially" issued certificates but some certificates
> contain an invalid (combination of) attributes which are now. The `g'
> version is since 25th April in testing and received no bug reports
> but OpenSSL upstream received [0], [1] for custom issued OpenVPN
> certificates.
> Please find attached a compressed debdiff since last security update.
>
> [0] https://github.com/openssl/openssl/issues/11456
> [1] https://github.com/openssl/openssl/issues/11625
Do we have any feeling for how widespread such certificates might be?
The fact that there have been two different upstream reports isn't
particularly comforting.
Regards,
Adam