
Bug#1025789: marked as done (bullseye-pu: wolfssl/4.6.0+p1-0+deb11u2)



Your message dated Sat, 10 Feb 2024 13:02:54 +0000
with message-id <E1rYn0Q-002xoP-Qm@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1025789,
regarding bullseye-pu: wolfssl/4.6.0+p1-0+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1025789: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025789
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: sirkilamole@msn.com

Hi,

The wolfssl upstream released three patches for the version in Debian
stable specifically in order to address the following three
vulnerabilities present in bullseye:

    - CVE-2022-42961, scored by NVD as "5.3 medium" [1]
    - CVE-2022-39173, scored by NVD as "7.5 high" [2]
    - CVE-2022-42905, scored by NVD as "9.1 critical" [3]

All three vulnerabilities are being tracked by DSA. [4] They were
already fixed in unstable.

There is no separate bug for the stable package.

Given the increased popularity of the package [5] and the severity of
the vulnerabilities, it seemed prudent to offer users of Debian stable
an update.

This bug was filed with a view toward the upcoming point release 11.6
for bullseye, which is scheduled for December 17. The freeze starts
this weekend.
The proposed upload has not seen a lot of testing.

Following devref 5.5.1 [7] a source debdiff was attached.

Please let me know if the version number is right and if you need any
more information, or whether I may upload the package. Thanks!

Kind regards,
Felix Lechner

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-42961
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-39173
[3] https://nvd.nist.gov/vuln/detail/CVE-2022-42905
[4] https://security-tracker.debian.org/tracker/source-package/wolfssl
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023697#28
[6] https://lists.debian.org/debian-release/2022/11/msg00251.html
[7] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Attachment: wolfssl_4.6.0+p1-0+deb11u1.dsc_wolfssl_4.6.0+p1-0+deb11u2.dsc.debdiff.xz
Description: Binary data


--- End Message ---
--- Begin Message ---
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
