Your message dated Thu, 30 May 2019 12:07:00 +0000 with message-id <10f1ba2b-fce1-fdca-0a1b-ac942f61e26b@thykier.net> and subject line Re: Bug#926412: unblock: gnutls28/3.6.7-2 has caused the Debian Bug report #926412, regarding unblock: gnutls28/3.6.7-2 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 926412: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926412 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: gnutls28/3.6.7-2
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Thu, 4 Apr 2019 19:41:44 +0200
- Message-id: <20190404174144.GA24037@argenau.bebt.de>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package gnutls28. This is a upstream bugfix release featuring two security fixes + Fixes a memory corruption (double free) vulnerability in the certificate verification API. https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829 GNUTLS-SA-2019-03-27 + Fixes an invalid pointer access via malformed TLS1.3 async messages; https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836 GNUTLS-SA-2019-03-27 One of these is fixed by a hardening measure (gnutls_free() will automatically set the free'd pointer to NULL.) It also unbreaks vlc (#922879) and has some TLS1.3 related changes. The straight debdiff is huge, because of a) usual release updates of autogenerated files and b) because it includes a global 's/http:/https:/'. Stripped down debdiff is attached. unblock gnutls28/3.6.7-2 cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'Attachment: smaller.debdiff.diff.xz
Description: application/xzAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: Andreas Metzler <ametzler@bebt.de>, 926412-done@bugs.debian.org
- Subject: Re: Bug#926412: unblock: gnutls28/3.6.7-2
- From: Niels Thykier <niels@thykier.net>
- Date: Thu, 30 May 2019 12:07:00 +0000
- Message-id: <10f1ba2b-fce1-fdca-0a1b-ac942f61e26b@thykier.net>
- In-reply-to: <[🔎] 20190526085402.GA1509@argenau.bebt.de>
- References: <20190404174144.GA24037@argenau.bebt.de> <20190404174144.GA24037@argenau.bebt.de> <[🔎] eff302fe-4486-8db2-8a1b-ce8bdb737c02@debian.org> <20190404174144.GA24037@argenau.bebt.de> <[🔎] 20190519083351.GA1414@argenau.bebt.de> <[🔎] 5e0334a3-6e4e-d281-745a-d336b1aa7bbf@debian.org> <20190404174144.GA24037@argenau.bebt.de> <[🔎] 20190526085402.GA1509@argenau.bebt.de>
Andreas Metzler: > On 2019-05-20 Paul Gevers <elbrus@debian.org> wrote: >> On 19-05-2019 10:33, Andreas Metzler wrote: >>> I probably could try to pick the CVE related changes and other important >>> bug-fixes, however I do not think it is the right choice. The changes >>> will be smaller but the risk of breakage is higher. > >> Can you explain why do you believe that? > >>> Also 3.6.7 now has >>> been tested in sid for almost two months now. > >> Ack. > > Hello Paul, > > well, apart from the two CVE fixes there are many bugfixes in this > release that we probably want, e.g. > https://gitlab.com/gnutls/gnutls/issues/690 > https://gitlab.com/gnutls/gnutls/issues/689 > https://gitlab.com/gnutls/gnutls/issues/713 > https://gitlab.com/gnutls/gnutls/issues/698 > etc. > > Most of these are related to TLS 1.3. - They might not show up as bug > reports now because it TLS1.3 is not that common yet but will propably > cause issues later in buster's lifetime. And the more fixes there the > more error-prone complicated cherry-picking s going to be. > >>>> You bumped the debhelper compat level. That isn't a change we find >>>> acceptable during the freeze. >>> >>> I will immediately revert this if it helps. > >> I don't have enough experience yet with reviewing unblocks, that I feel >> comfortable reviewing and unblocking the current package, so if your >> insisting on the whole, somebody else will have to do the review. I am >> sure this revert will be a requirement though. > > The revert has been in sid for a week now. > > cu Andreas > Unblocked. The upload had a poor signal-to-noise ratio (most of the diff being version bumps in manpages, etc.). A selective filterdiff *might* have made this go quicker - as a suggestion for next time. Thanks, ~Niels
--- End Message ---