Your message dated Sat, 27 Mar 2021 13:42:16 +0000 with message-id <E1lQ9Ci-0003Xb-0U@respighi.debian.org> and subject line unblock gnutls28 has caused the Debian Bug report #985973, regarding unblock: gnutls28/3.7.1-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
985973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985973
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: gnutls28/3.7.1-1
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Sat, 27 Mar 2021 09:05:48 +0100
- Message-id: <YF7nXNKRFaYxgiZ5@argenau.bebt.de>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gnutls28@packages.debian.org

Please unblock gnutls28 3.7.1.

This is the first bugfix release for the 3.7.x series. Most notably it features the fix for a non-DSA security issue (potential use-after-free in sending "key_share" and "pre_shared_key" extensions. GNUTLS-SA-2021-03-10. CVE-2021-20231 CVE-2021-20232). Apart from that there is a plethora of minor and medium fixes. Fwiw it was released at this point of time (just before the freeze) specifically to give us a chance to ship in Debian bullseye.

While the diff is huge I strongly believe we make the right trade-off in shipping this instead of cherry-picking more fixes:

* It has run through upstream's CI. Which is significant.
* GnuTLS probably will have CVEs during bullseye lifetime. Shipping .1 instead of .0 will ease our work then a lot both in checking whether we are vulnerable and in applying patches.
* The cleanups are worth having.

Diff analysis:

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | lsdiff | wc
1722 1722 91156

Let's filter out auto* and the autogenerated documentation:

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' | lsdiff | wc
434 434 17963

m4 is also copied autofoo stuff except for hooks.m4 which has the libtool minor version bump (LT_REVISION 1 instead of 0). Then there is a minor gnulib update.

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | lsdiff | wc
314 314 13901

A huge part of the rest is testsuite cleanups, most notably

0ae814c77b18a925552b7a763a13ed1c63e2d1bd
tests: suffix .sh for all shell-script tests
Otherwise valgrind will run against /bin/sh.

416485f6d4dde63e90d19916ab9dee8fe972be10
tests: make any ad-hoc timeout setting controllable through envvar

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | filterdiff -i '*/tests/*' | lsdiff | wc
244 244 11059

Dropping this, /debian/patches/ and some more generated files ...

ametzler@argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' -x '*/tests/*' -x '*/debian/patches/*' -x '*/doc/gnutls-guile.*' -x '*/doc/gnutls.html' -x '*/gtk-doc.make' -x '*/aclocal.m4' | lsdiff | wc
55 55 1817

unblock gnutls28/3.7.1-1

Thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

Attachment: full.debdiff.xz
Description: application/xz

Attachment: stripped_down.debdiff.xz
Description: application/xz

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 985973-done@bugs.debian.org
- Subject: unblock gnutls28
- From: Ivo De Decker <ivodd@respighi.debian.org>
- Date: Sat, 27 Mar 2021 13:42:16 +0000
- Message-id: <E1lQ9Ci-0003Xb-0U@respighi.debian.org>
Unblocked gnutls28.
--- End Message ---