
Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291


On Fri, 2016-02-05 at 14:24 +0100, Guido Günther wrote:
> Hi,
> On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> > On Jan/31, Guido Günther wrote:
> > > Uploaded now. Thanks!
> > 
> > Hi Guido,
> > 
> > have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
> > not, I'll need to look into it later this week, so that a DSA for
> > CVE-2015-5291 fixes both wheezy and jessie.
> Debdiff attached. It's far more intrusive since we also have to deal
> with CVE-2015-8036.
> James you already discussed the best way forward at
>     https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291
> with upstream so I'm very interested in your opinion on this as well.

Upstream would obviously like Debian to use the point releases of
polarssl, but they broke the ABI in the 1.3 series since 1.3.9 so we
can't use them directly. I had a go at reverting the ABI breaking
changes and I posted my attempt earlier to this bug report, but the
changes I had to make were very intrusive and they'll probably have to
be fixed up again every time there is a new release.

I'm beginning to feel like cherry picking the CVE related fixes (like
you've done) is probably the best solution, especially since this has
already taken some time to fix.

A few things on the debdiff you just posted:
- The attachment came through in ISO-8859-1 instead of UTF-8 and
  lintian didn't like it. Hopefully the file is ok on your machine.
- I think the ssl-server-test needs an 'isolation-container'
  restriction since it opens TCP ports.
