Re: Bug#801413: wheezy: update for polarssl's CVE-2015-5291
On Fri, Feb 05, 2016 at 08:44:37PM +0000, James Cowgill wrote:
> On Fri, 2016-02-05 at 14:24 +0100, Guido Günther wrote:
> > Hi,
> > On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> > > On Jan/31, Guido Günther wrote:
> > > > Uploaded now. Thanks!
> > >
> > > Hi Guido,
> > >
> > > have you looked into fixing the jessie version (1.3.9-2.1) as well ? If
> > > not, I'll need to look into it later this week, so that a DSA for
> > > CVE-2015-5291 fixes both wheezy and jessie.
> > Debdiff attached. It's far more intrusive since we also have to deal
> > with CVE-2015-8036.
> > James you already discussed the best way forward at
> > https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291
> > with upstream so I'm very interested in your opinion on this as well.
> Upstream would obviously like Debian to use the point releases of
> polarssl, but they broke the ABI in the 1.3 series since 1.3.9 so we
> can't use them directly. I had a go at reverting the ABI breaking
> changes and I posted my attempt earlier to this bug report, but the
> changes I had to make were very intrusive and they'll probably have to
> be fixed up again every time there is a new release.
From what I read and figured from the Git commits I wonder if we should
open CVEs for the other fixes in 1.3.14 too?
> I'm beginning to feel like cherry picking the CVE related fixes (like
> you've done) is probably the best solution, especially since this has
> already taken some time to fix.
Yeah, I think we should go ahead and fix these and rather revisit the
problem in case we have more issues to fix.
> A few things on the debdiff you just posted:
> - The attachment came though in ISO-8859-1 instead of UTF-8 and
> lintian didn't like it. Hopefully the file is ok on your machine
> - I think the ssl-server-test needs an 'isolation-container'
> restriction since it opens TCP ports.
Good point, isolation-container restriction added.