Hello,
On 09/09/2021 19:11, Stefan Huehner wrote:
> looking a tiny bit at changelog for gnutls buster it looks like the backport was already done :)
> 3.6.7-4+deb10u5
> the _16 + _17 patches from the description sound like what I understand the fix is (explore alternative verification paths...)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889
Thanks, that's a good reference for the gnutls part.
On 10/09/2021 10:55, Christoph Berg wrote:
> Note that stretch and later are using libssl1.1 by default, so only packages
> that were actively patched to keep using 1.0 are affected.
Thanks.
This notably includes curl :/ So this needs fixing as well.
An openssl[1.0] update is underway, I'll coordinate with Thorsten.
Also, a work-around is to drop the expiring CA:
$ rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
$ update-ca-certificates