Hi Joey,

On Sat, Feb 11, 2006 at 09:02:37PM +0100, Martin Schulze wrote:
> We could use some advice and help with the GnuTLS / libasn1 update
> that would fix the vulnerabilities reported recently.
>
> The fix for libasn1 adds arguments to exported functions. However,
> these functions are named _asn_* and should not be used outside of
> this library.
>
> Unfortunately GnuTLS is doing exactly this, using these functions.
> Other packages "should" not be affected.
>
> GnuTLS is also problematic as it seems to use both its internal copy
> of libasn and is linked against the libasn package.
>
> The officially supported ABI+API hasn't been changed by the security
> update.
>
> We'll have to update libasn and GnuTLS at the same time anyway.
> However, does the security update need to bump the soname as well? If
> so, is somebody willing to dig into its packaging and bump it?
>
> What about GnuTLS?

Does GNUTLS get the prototypes for these "internal" functions from public
headers in libtasn1-2-dev? If so, it sounds like a complete audit of all
reverse-deps would be needed. :(

If not, and upstream says that gnutls is the only package that should be
using them, I think it should be ok to rebuild without changing the package
name -- just adding a conflicts w/ old versions of libgnutls11.

<rummage, rummage>

Yes, the _asn1_* functions aren't exported in the libtasn1.h header, so I
would say it's ok to make this change without renaming the package.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
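The check Steve performs by hand (which symbols a library exports that its public header never declares, i.e. the surface a reverse-dependency could have picked up and that a signature change would break) as an added shell example, not part of the thread. The header and `nm -D` output below are constructed samples; on a real system the symbol list would come from `nm -D --defined-only` on the installed shared object.

```shell
#!/bin/sh
# Added example (not from the thread): list symbols a shared library exports
# but that its public header never declares.  A security fix that changes
# the signature of such a symbol leaves the official ABI untouched, yet any
# reverse-dependency referencing it needs a coordinated rebuild.
# Usage: undeclared_exports PREFIX HEADER NM_OUTPUT_FILE
undeclared_exports() {
  prefix=$1; header=$2; nmfile=$3
  # `nm -D --defined-only` prints "address type name"; keep only T (text,
  # i.e. function) symbols whose name starts with the given prefix.
  awk -v p="$prefix" '$2 == "T" && index($3, p) == 1 { print $3 }' "$nmfile" |
    sort -u |
    while read -r sym; do
      # A symbol counts as declared if the header mentions it as a whole word.
      grep -qw "$sym" "$header" || echo "$sym"
    done
}

# Constructed sample inputs standing in for libtasn1.h and `nm -D` output
# (the names are illustrative, not a claim about the real header/library).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/libtasn1.h" <<'EOF'
asn1_retCode asn1_parser2tree (const char *file, ASN1_TYPE *definitions, char *errorDescription);
asn1_retCode asn1_der_decoding (ASN1_TYPE *element, const void *ider, int len, char *errorDescription);
EOF
cat > "$tmp/nm.txt" <<'EOF'
000000000000a1c0 T asn1_parser2tree
000000000000b2d0 T asn1_der_decoding
000000000000c3e0 T _asn1_extract_tag_der
000000000000d4f0 T _asn1_get_length_der
0000000000010000 D _asn1_identifierMissing
EOF

# Exported _asn1_* functions with no prototype in the public header:
undeclared_exports _asn1_ "$tmp/libtasn1.h" "$tmp/nm.txt"
```

Every name this prints is a candidate for the reverse-dependency audit Steve mentions; an empty result for the public prefix means the declared API matches what is exported.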