Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gnutls28@packages.debian.org

Please unblock gnutls28 3.7.1.

This is the first bugfix release for the 3.7.x series. Most notably it features the fix for a non-DSA security issue (potential use-after-free in sending "key_share" and "pre_shared_key" extensions. GNUTLS-SA-2021-03-10. CVE-2021-20231 CVE-2021-20232). Apart from that there is a plethora of minor and medium fixes. Fwiw it was released at this point of time (just before the freeze) specifically to give us a chance to ship in Debian bullseye.

While the diff is huge I strongly believe we make the right trade-off in shipping this instead of cherry-picking more fixes:
* It has run through upstream's CI. Which is significant.
* GnuTLS probably will have CVEs during bullseye lifetime. Shipping .1 instead of .0 will ease our work then a lot both in checking whether we are vulnerable and in applying patches.
* The cleanups are worth having.

Diff analysis:

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | lsdiff | wc
1722 1722 91156

Let's filter out auto* and the autogenerated documentation:

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' | lsdiff | wc
434 434 17963

m4 is also copied autofoo stuff except for hooks.m4 which has the libtool minor version bump (LT_REVISION 1 instead of 0). Then there is a minor gnulib update.

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | lsdiff | wc
314 314 13901

A huge part of the rest is testsuite cleanups, most notably

0ae814c77b18a925552b7a763a13ed1c63e2d1bd
tests: suffix .sh for all shell-script tests
Otherwise valgrind will run against /bin/sh.

416485f6d4dde63e90d19916ab9dee8fe972be10
tests: make any ad-hoc timeout setting controllable through envvar

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | filterdiff -i '*/tests/*' | lsdiff | wc
244 244 11059

Dropping this, /debian/patches/ and some more generated files ...

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' -x '*/tests/*' -x '*/debian/patches/*' -x '*/doc/gnutls-guile.*' -x '*/doc/gnutls.html' -x '*/gtk-doc.make' -x '*/aclocal.m4' | lsdiff | wc
55 55 1817

unblock gnutls28/3.7.1-1

Thanks, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Attachment:
full.debdiff.xz
Description: application/xz
Attachment:
stripped_down.debdiff.xz
Description: application/xz
Attachment:
signature.asc
Description: PGP signature