
Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291



Hi,
On Fri, Feb 05, 2016 at 08:44:37PM +0000, James Cowgill wrote:
> Hi!
> 
> On Fri, 2016-02-05 at 14:24 +0100, Guido Günther wrote:
> > Hi,
> > On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> > > On Jan/31, Guido Günther wrote:
> > > > Uploaded now. Thanks!
> > > 
> > > Hi Guido,
> > > 
> > > have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
> > > not, I'll need to look into it later this week, so that a DSA for
> > > CVE-2015-5291 fixes both wheezy and jessie.
> > 
> > Debdiff attached. It's far more intrusive since we also have to deal
> > with CVE-2015-8036.
> > 
> > James you already discussed the best way forward at
> > 
> >     https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291
> > 
> > with upstream so I'm very interested in your opinion on this as well.
> 
> Upstream would obviously like Debian to use the point releases of
> polarssl, but they broke the ABI in the 1.3 series since 1.3.9 so we
> can't use them directly. I had a go at reverting the ABI breaking
> changes and I posted my attempt earlier to this bug report, but the
> changes I had to make were very intrusive and they'll probably have to
> be fixed up again every time there is a new release.

From what I read and figured from the Git commits I wonder if we should
open CVEs for the other fixes in 1.3.14 too?

> I'm beginning to feel like cherry picking the CVE related fixes (like
> you've done) is probably the best solution, especially since this has
> already taken some time to fix.

Yeah, I think we should go ahead and fix these and rather revisit the
problem in case we have more issues to fix.

> 
> A few things on the debdiff you just posted:
> - The attachment came though in ISO-8859-1 instead of UTF-8 and
>   lintian didn't like it. Hopefully the file is ok on your machine
>   though.
> - I think the ssl-server-test needs an 'isolation-container'
>   restriction since it opens TCP ports.

Good point, isolation-container restriction added.
Cheers,
 -- Guido