
Bug#834854: jessie-pu: package charybdis/3.4.2-5~deb8u1

Control: tags -1 -moreinfo

Hi,

New developments on the Charybdis front: a patch has been developed
upstream to fix the issue, but it is pretty invasive. They have
basically rewritten the whole GNUTLS backend to make it on par with the
other implementations. It's a good thing: there were memory leaks and
all sorts of other issues, namely one that I mentioned earlier.

At the very least, we'd need to factor in this p-u a patch like this
one:

https://github.com/charybdis-ircd/charybdis/issues/215#issuecomment-246202759

... to fix timeout issues in the gnutls code that crashes the ssld. But
even with that, there are at least two major issues that should be fixed
here:

1. Charybdis 3.4 supports only SHA-1 for certificates, which has serious
security vulnerabilities. To give an unrelated example, the APT team
plans to remove all SHA-1 support in their repositories next year.

2. 3.4 also has several memory leaks that are fixed by the gnutls
rewrite.

There are three ways forward here:

1. ignore the above two extra issues and simply add the patch for #215
to the pile of patches in jessie
2. import the new gnutls.c module from an eventual new 3.5 release
upstream directly in jessie - this may be difficult because of internal
API changes
3. import 3.5.x directly in jessie

I would like to have feedback from the release team as to which approach
to take forward.

Thanks!

A.

-- 
Advertisers, not governments, are the primary censors of media content 
in the United States today.
                        - C. Edwin Baker
