Bug#1006169: bullseye-pu: package mbedtls/2.16.12-0+deb11u1

To: 1006169@bugs.debian.org
Subject: Bug#1006169: bullseye-pu: package mbedtls/2.16.12-0+deb11u1
From: Andrea Pappacoda <andrea@pappacoda.it>
Date: Wed, 20 Jul 2022 22:17:40 +0200
Message-id: <[🔎] HP5CFR.SO0VSQGL6OGG2@pappacoda.it>
Reply-to: Andrea Pappacoda <andrea@pappacoda.it>, 1006169@bugs.debian.org
References: <164535634701.5671.6493076207403857459.reportbug@debian>

Hi!

I'm bumping this thread because I believe that this has never reachedthe debian-release mailing list, as the original report contained a bigdebdiff and elbrus told me that reports with big attachments getdropped by the mailing list. I'm not going to attach a diff in thisemail, I'll do in another one so that this message doesn't get deleted.

I've been discussing this stable update with a couple of DDs atDebconf, and while we're not 100% happy with how upstream pollutedtheir LTS branch with cosmetic changes we think that upgrading to thelatest 2.16 LTS version is worth it.

As I mentioned in the original report, the 2.16.12 (and also 2.16.11and 2.16.10) release(s) fixes a couple of CVEs, but it also fixes a lotof security issues that are not associated to any CVE, socherry-picking just a couple of commits wouldn't really be enough, andfixing all of them would basically mean cherry-picking all non-cosmeticchanges.

To make reviewing easier, I've filtered the previous debdiff to(mostly) only include non-cosmetic changes, with this command:

debdiff mbedtls_2.16.9-0.1.dsc mbedtls_2.16.12-0+deb11u1.dsc |filterdiff -p 1 -x 'tests/*' -x 'visualc/*' -x 'programs/*' -x'.travis.yml' -x '.gitignore' -x 'include/mbedtls/aes.h' -x'include/mbedtls/arc4.h' -x 'include/mbedtls/aria.h' -x'include/mbedtls/asn1.h' -x include/mbedtls/base64.h -xinclude/mbedtls/bignum.h -x include/mbedtls/blowfish.h -xinclude/mbedtls/camellia.h -x include/mbedtls/ccm.h -xinclude/mbedtls/chacha20.h -x include/mbedtls/chachapoly.h -xinclude/mbedtls/cipher.h -x include/mbedtls/cmac.h -xinclude/mbedtls/config.h -x include/mbedtls/ctr_drbg.h -xinclude/mbedtls/des.h -x include/mbedtls/dhm.h -xinclude/mbedtls/entropy.h -x include/mbedtls/gcm.h -xinclude/mbedtls/hkdf.h -x include/mbedtls/hmac_drbg.h -xinclude/mbedtls/md2.h -x include/mbedtls/md4.h -x include/mbedtls/md5.h-x include/mbedtls/md.h -x include/mbedtls/net_sockets.h -xinclude/mbedtls/oid.h -x include/mbedtls/padlock.h -xinclude/mbedtls/pem.h -x include/mbedtls/pkcs12.h -xinclude/mbedtls/pkcs5.h -x include/mbedtls/pk.h -xinclude/mbedtls/platform.h -x include/mbedtls/poly1305.h -xinclude/mbedtls/ripemd160.h -x include/mbedtls/rsa.h -xinclude/mbedtls/sha1.h -x include/mbedtls/sha256.h -xinclude/mbedtls/sha512.h -x include/mbedtls/ssl.h -xinclude/mbedtls/ssl_ticket.h -x include/mbedtls/threading.h -xinclude/mbedtls/x509.h -x include/mbedtls/x509_crt.h -xinclude/mbedtls/xtea.h -x Makefile -x '*/Makefile'

Please take a look at the original bug report, as it contains a lot ofadditional information. Thanks!


--
OpenPGP key: 66DE F152 8299 0C21 99EF  A801 A8A1 28A8 AB1C EE49

Reply to:

Prev by Date: NEW changes in oldstable-new
Next by Date: Bug#1006169: bullseye-pu: package mbedtls/2.16.12-0+deb11u1
Previous by thread: mathcomp-finmap abi-transition
Next by thread: Bug#1006169: bullseye-pu: package mbedtls/2.16.12-0+deb11u1
Index(es):
- Date
- Thread