Re: Bug#959469: buster-pu: package openssl/1.1.1g-1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 959469@bugs.debian.org, kibi@debian.org, debian-boot@lists.debian.org
Subject: Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
From: Kurt Roeckx <kurt@roeckx.be>
Date: Thu, 14 Jan 2021 19:03:37 +0100
Message-id: <[🔎] YACHeSzkmcYRI+Tg@roeckx.be>
In-reply-to: <[🔎] 184c876071b5f8a522e8d281cdcde9a3ee2eae0f.camel@adam-barratt.org.uk>
References: <18b53d524be7218a96068c96b47e6bf13ccda7cf.camel@adam-barratt.org.uk> <20200502163642.v4nhomgfa3oen7qp@flow> <20201115102907.65iqtifyznccckhv@flow> <540c858f4ff1b24f21d5851525d4c254b0a2d5f9.camel@adam-barratt.org.uk> <20200502163642.v4nhomgfa3oen7qp@flow> <20201120200428.2adriv75jdllokqp@flow> <b38181d6814ea2b0091a2b57c6b73ed1169a027a.camel@adam-barratt.org.uk> <20210108223913.ytckd5bfegyokpzu@flow> <X/jj0BnEWXFhrAHP@roeckx.be> <[🔎] 184c876071b5f8a522e8d281cdcde9a3ee2eae0f.camel@adam-barratt.org.uk>

On Thu, Jan 14, 2021 at 05:43:00PM +0000, Adam D. Barratt wrote:
> Hi,
> 
> On Fri, 2021-01-08 at 23:59 +0100, Kurt Roeckx wrote:
> > On Fri, Jan 08, 2021 at 11:39:13PM +0100, Sebastian Andrzej Siewior
> > wrote:
> [...]
> > > The i release in unstable managed to migrate to testing. It was
> > > blocked due to ci by m2crypto and swi-prolog. The swi-prolog issue
> > > got fixed in unstable (the testuite was updated) and is not an
> > > issue in stable (the package builds, the testsuite gets ignored).
> > > The m2crypto issue is a different story and is still open in BTS
> > > (#977655). I *think* someone added an override or the ci-system was
> > > kind to Kurt/me and looked the other way :)
> > > The m2crypto package in stable and bpo will FTBFS with the updated
> > > openssl package.
> > > 
> > > I'm not aware of other issues.
> > 
> > I think there are at least 2 upstream issues since the 1.1.1i
> > release we want to fix first. As far as I know, they haven't been
> > fixed upstream yet.
> 
> Just to confirm, these are issues that you'd want to have fixed before
> adding 1.1.1i to stable, presumably requiring further uploads to
> unstable first?

Yes.

> Do you have pointers to upstream issues?

They both got merged today:
commit 76ed0c0ad119569f6e6f6c96b27b76d3b110413b (origin/OpenSSL_1_1_1-stable)
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date:   Mon Dec 28 11:25:59 2020 +0100

    x509_vfy.c: Fix a regression in find_isser()

    ...in case the candidate issuer cert is identical to the target cert.

    Fixes #13739

    Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13749)

commit fb1e2411042f0367c2560e4ec5e4b1189ca9cd45
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date:   Wed Dec 30 09:57:49 2020 +0100

    X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

    This is the backport of #13755 to v1.1.1.
    Fixes #13698

    Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13756)


There are a whole bunch of other issues and pull requests related to
this. I hope this is the end of the regressions in the X509 code.


Kurt

Reply to:

Follow-Ups:
- Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
Next by Date: Re: os-prober | os-probes: probe microsoft OS on arm64 (!7)
Previous by thread: Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
Next by thread: Re: Bug#959469: buster-pu: package openssl/1.1.1g-1
Index(es):
- Date
- Thread