
Bug#926412: marked as done (unblock: gnutls28/3.6.7-2)



Your message dated Thu, 30 May 2019 12:07:00 +0000
with message-id <10f1ba2b-fce1-fdca-0a1b-ac942f61e26b@thykier.net>
and subject line Re: Bug#926412: unblock: gnutls28/3.6.7-2
has caused the Debian Bug report #926412,
regarding unblock: gnutls28/3.6.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926412
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gnutls28.

This is an upstream bugfix release featuring two security fixes:

    + Fixes a memory corruption (double free) vulnerability in the
      certificate verification API.
      https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
      GNUTLS-SA-2019-03-27
    + Fixes an invalid pointer access via malformed TLS1.3 async messages;
      https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
      GNUTLS-SA-2019-03-27

One of these is fixed by a hardening measure (gnutls_free() will
automatically set the freed pointer to NULL). It also unbreaks
vlc (#922879) and has some TLS 1.3 related changes.

The straight debdiff is huge, because of a) usual release updates of
autogenerated files and b) because it includes a global
's/http:/https:/'. Stripped down debdiff is attached.

unblock gnutls28/3.6.7-2

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Attachment: smaller.debdiff.diff.xz
Description: application/xz

Attachment: signature.asc
Description: PGP signature


--- End Message ---
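To illustrate the hardening measure the unblock request above refers to (a free wrapper that nulls the freed pointer), here is a small C program. It is an added example, not GnuTLS code, and it does not reproduce the actual CVE-2019-3829 bug: it models the general shape of an ownership double free, where a callee frees a buffer on its error path and the caller, unaware of that, frees it again, and shows that a nulling free turns the second free into free(NULL). The tracker, the struct, the function names and the macro name safe_free are inventions of this example; the DER bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Tiny double-free detector used only by this example (not a real allocator):
 * it remembers pointers it has released and refuses to pass one to free()
 * twice, counting the attempt instead, so the "before" case stays defined
 * behaviour and can be run safely.
 */
#define MAX_TRACKED 64
static void *freed_ptrs[MAX_TRACKED];
static int n_freed;
static int double_frees;

static void reset_tracker(void)
{
    n_freed = 0;
    double_frees = 0;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                        /* free(NULL) is a defined no-op in C */
    for (int i = 0; i < n_freed; i++) {
        if (freed_ptrs[i] == p) {      /* already released: a double free */
            double_frees++;
            return;
        }
    }
    if (n_freed < MAX_TRACKED)
        freed_ptrs[n_freed++] = p;
    free(p);
}

/* Pre-hardening shape: the variable keeps its dangling value after the call. */
#define plain_free(p) tracked_free(p)

/*
 * Hardened shape: release the block, then null the caller's lvalue so any
 * later free of the same variable is free(NULL). The name safe_free is an
 * assumption of this example, not a GnuTLS identifier.
 */
#define safe_free(p) do { tracked_free(p); (p) = NULL; } while (0)

struct cert_ctx {
    unsigned char *der;   /* owned DER buffer */
    size_t der_len;
};

/*
 * Callee that cleans up the buffer it was handed when it fails. The caller
 * below also cleans up on error without knowing that: the classic ownership
 * confusion behind a double free. `hardened` selects which free is used.
 */
static int verify_step(struct cert_ctx *ctx, int hardened)
{
    /* simulated parse failure */
    if (hardened)
        safe_free(ctx->der);
    else
        plain_free(ctx->der);
    ctx->der_len = 0;
    return -1;
}

/*
 * Drives the error path once and returns the number of double frees the
 * tracker caught: 1 with plain_free (the caller frees the dangling pointer
 * again), 0 with safe_free (the caller's second free sees NULL).
 */
int run_error_path(int hardened)
{
    /* constructed bytes standing in for a DER certificate */
    static const unsigned char fake_der[] = { 0x30, 0x82, 0x01, 0x00 };
    struct cert_ctx ctx;

    reset_tracker();
    ctx.der_len = sizeof fake_der;
    ctx.der = malloc(ctx.der_len);
    if (ctx.der == NULL)
        return -1;
    memcpy(ctx.der, fake_der, ctx.der_len);

    if (verify_step(&ctx, hardened) < 0) {
        /* caller-side cleanup, unaware that the callee already freed ctx.der */
        if (hardened)
            safe_free(ctx.der);
        else
            plain_free(ctx.der);
    }
    return double_frees;
}

int main(void)
{
    printf("plain free:    %d double free(s)\n", run_error_path(0));
    printf("nulling free:  %d double free(s)\n", run_error_path(1));
    return 0;
}
```

Two caveats a reviewer would raise about this style of hardening: the macro must be given an lvalue (it assigns to its argument), and it only nulls that one variable. A copy of the pointer held elsewhere still dangles, so it removes the double-free pattern shown here but does not, on its own, prevent a use-after-free through an alias; the tracker above is also only a demonstration aid, since a new allocation can reuse a freed address, which is why it is reset before each run.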
--- Begin Message ---
Andreas Metzler:
> On 2019-05-20 Paul Gevers <elbrus@debian.org> wrote:
>> On 19-05-2019 10:33, Andreas Metzler wrote:
>>> I probably could try to pick the CVE related changes and other important
>>> bug-fixes, however I do not think it is the right choice. The changes
>>> will be smaller but the risk of breakage is higher.
> 
>> Can you explain why you believe that?
> 
>>> Also 3.6.7 now has
>>> been tested in sid for almost two months now. 
> 
>> Ack.
> 
> Hello Paul,
> 
> well, apart from the two CVE fixes there are many bugfixes in this
> release that we probably want, e.g.
> https://gitlab.com/gnutls/gnutls/issues/690
> https://gitlab.com/gnutls/gnutls/issues/689
> https://gitlab.com/gnutls/gnutls/issues/713
> https://gitlab.com/gnutls/gnutls/issues/698
> etc.
> 
> Most of these are related to TLS 1.3. - They might not show up as bug
> reports now because TLS 1.3 is not that common yet but will probably
> cause issues later in buster's lifetime. And the more fixes there are, the
> more error-prone complicated cherry-picking is going to be.
> 
>>>> You bumped the debhelper compat level. That isn't a change we find
>>>> acceptable during the freeze.
>>>
>>> I will immediately revert this if it helps.
> 
>> I don't have enough experience yet with reviewing unblocks to feel
>> comfortable reviewing and unblocking the current package, so if you're
>> insisting on the whole, somebody else will have to do the review. I am
>> sure this revert will be a requirement though.
> 
> The revert has been in sid for a week now.
> 
> cu Andreas
> 

Unblocked.

The upload had a poor signal-to-noise ratio (most of the diff being
version bumps in manpages, etc.).  A selective filterdiff *might* have
made this go quicker - as a suggestion for next time.

Thanks,
~Niels

--- End Message ---
