Bug#765639: Bug#802159: New OpenSSL upstream version

2016-05-05 Thread Julien Cristau
On Thu, May 5, 2016 at 17:02:02 +0200, Kurt Roeckx wrote: > On Thu, May 05, 2016 at 04:58:05PM +0200, Julien Cristau wrote: > > Closing this as resolved, there will not be any further updates to > > wheezy, and jessie updates will be handled in separate bugs. > > You mean I should file another

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-05-05 Thread Kurt Roeckx
On Thu, May 05, 2016 at 04:58:05PM +0200, Julien Cristau wrote: > Closing this as resolved, there will not be any further updates to > wheezy, and jessie updates will be handled in separate bugs. You mean I should file another bug for just the same question? Kurt

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-04-26 Thread Sebastian Andrzej Siewior
On 2016-04-13 21:36:49 [+0100], Adam D. Barratt wrote: > Assuming that we went ahead with upstream updates to Jessie (and future > supported stable distributions), I'm presuming that the preferred > workflow would be similar to other packages for which we ship upstream > stable trees - via the

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-04-13 Thread Moritz Muehlenhoff
On Wed, Apr 13, 2016 at 09:36:49PM +0100, Adam D. Barratt wrote: > [CCs adjusted to drop archived TC bug and add team@security] > Assuming that we went ahead with upstream updates to Jessie (and future > supported stable distributions), I'm presuming that the preferred > workflow would be similar

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-04-13 Thread Kurt Roeckx
On Wed, Apr 13, 2016 at 09:36:49PM +0100, Adam D. Barratt wrote: > Assuming that we went ahead with upstream updates to Jessie (and future > supported stable distributions), I'm presuming that the preferred > workflow would be similar to other packages for which we ship upstream > stable trees -

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-04-13 Thread Adam D. Barratt
[CCs adjusted to drop archived TC bug and add team@security] On Mon, 2016-03-28 at 19:46 +0200, Kurt Roeckx wrote: > On Tue, Jan 26, 2016 at 06:38:31AM +, Adam D. Barratt wrote: > > On Thu, 2015-12-17 at 23:38 +, Adam D. Barratt wrote: > > > However 1.0.1q hasn't been in stable at all,

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-03-28 Thread Kurt Roeckx
On Tue, Jan 26, 2016 at 06:38:31AM +, Adam D. Barratt wrote: > On Thu, 2015-12-17 at 23:38 +, Adam D. Barratt wrote: > > However 1.0.1q hasn't been in stable at all, which is presumably what > > you'd be proposing introducing to oldstable at this juncture. (and which > > we'd therefore

Bug#765639: Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-28 Thread peter green
The dhparam thing is really about a default that if you generate DH parameters that it defaults to 2048 instead of 1024. This shouldn't break anything itself, nor do I know of any other software that would get broken by this. Apparently Java 6 and 7 will fail to handshake if a server tries to

Bug#765639: Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-26 Thread Kurt Roeckx
On Tue, Jan 26, 2016 at 06:38:31AM +, Adam D. Barratt wrote: > On Thu, 2015-12-17 at 23:38 +, Adam D. Barratt wrote: > > However 1.0.1q hasn't been in stable at all, which is presumably what > > you'd be proposing introducing to oldstable at this juncture. (and which > > we'd therefore

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-25 Thread Adam D. Barratt
On Thu, 2015-12-17 at 23:38 +, Adam D. Barratt wrote: > However 1.0.1q hasn't been in stable at all, which is presumably what > you'd be proposing introducing to oldstable at this juncture. (and which > we'd therefore need to introduce to stable first, if we were to agree to > follow that

Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-09 Thread Kurt Roeckx
On Sun, Dec 06, 2015 at 11:46:01AM +0100, Moritz Mühlenhoff wrote: > Hi, > Personally I'm in favour of following the openssl point updates and I'd > like to add an additional data point to the discussion: > > CVE-2015-3196 was already fixed as a plain bugfix in an earlier point > release, but the

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-17 Thread Adam D. Barratt
On Tue, 2015-12-15 at 21:19 +0100, Kurt Roeckx wrote: > On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote: > > [dropped explicit CCs to RT and TC members] > > > > On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote: > > > On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-17 Thread Adam D. Barratt
On Sun, 2015-12-06 at 11:46 +0100, Moritz Mühlenhoff wrote: > Hi, > Personally I'm in favour of following the openssl point updates and I'd Noted, thanks for the input. > like to add an additional data point to the discussion: > > CVE-2015-3196 was already fixed as a plain bugfix in an earlier

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote: > [dropped explicit CCs to RT and TC members] > > On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote: > > On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote: > > > So from what I'm gathering, this looks like a case

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Adam D. Barratt
[dropped explicit CCs to RT and TC members] On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote: > On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote: > > So from what I'm gathering, this looks like a case where there isn't > > enough eyeballs to adequately review this particularly

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote: > > Even a naively filtered diff - excluding documentation and tests - > between the 1.0.1k tag and HEAD on upstream's stable branch is much > larger than I'd imagined (1091 files changed, 73609+, 68591-), but > paging through it

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-06 Thread Moritz Mühlenhoff
Hi, Personally I'm in favour of following the openssl point updates and I'd like to add an additional data point to the discussion: CVE-2015-3196 was already fixed as a plain bugfix in an earlier point release, but the security impact was only noticed later on, so following the point updates

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-11-08 Thread Kurt Roeckx
On Wed, Nov 04, 2015 at 11:57:00AM -0600, Don Armstrong wrote: > > In this specific case, the specific set of changes which have been made, > coupled with documenting the policy of upstream for testing and making > changes to openssl would be a good start. I've pointed to upstream's policy

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-31 Thread Adam D. Barratt
On Sat, 2015-10-31 at 00:02 +0100, Kurt Roeckx wrote: > On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > > On Tue, 20 Oct 2015, Don Armstrong wrote: > > > If there's something specific that you'd like the CTTE to try to do > > > beyond what I've just reported now, let me know. > >

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-31 Thread Kurt Roeckx
On Sat, Oct 31, 2015 at 02:22:04PM +, Adam D. Barratt wrote: > On Sat, 2015-10-31 at 00:02 +0100, Kurt Roeckx wrote: > > On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > > > On Tue, 20 Oct 2015, Don Armstrong wrote: > > > > If there's something specific that you'd like the CTTE

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-30 Thread Don Armstrong
On Tue, 20 Oct 2015, Don Armstrong wrote: > If there's something specific that you'd like the CTTE to try to do > beyond what I've just reported now, let me know. Let me know if you'd like the CTTE to do something beyond what I've already done. -- Don Armstrong

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-30 Thread Kurt Roeckx
On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > On Tue, 20 Oct 2015, Don Armstrong wrote: > > If there's something specific that you'd like the CTTE to try to do > > beyond what I've just reported now, let me know. > > Let me know if you'd like the CTTE to do something beyond

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-25 Thread Bdale Garbee
Kurt Roeckx writes: > The alternative is that I go and cherry pick the important bug > fixes. By this time there are really a lot that I would like to > have in the stable releases and I think going that way actually > has a higher chance of breaking things. We've run into this

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-21 Thread Don Armstrong
On Tue, 20 Oct 2015, Kurt Roeckx wrote: > So as already pointed out before, since the 1.0.0 release there is a > new release strategy that in the 1.0.x series, where x doesn't change, > no new features are added unless it's really needed for either > security reasons or compatibility reasons. As

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Kurt Roeckx
On Tue, Oct 20, 2015 at 09:57:04AM -0500, Don Armstrong wrote: > On Sat, 17 Oct 2015, Kurt Roeckx wrote: > > I've been waiting for the release team for a while to make a decision > > on #765639 for a year now. Could you help in getting a decision? > > > > I've actually been waiting for longer

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Kurt Roeckx
On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote: > On Tue, 20 Oct 2015, Don Armstrong wrote: > > On Sat, 17 Oct 2015, Kurt Roeckx wrote: > > > I've been waiting for the release team for a while to make a decision > > > on #765639 for a year now. Could you help in getting a decision?

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Don Armstrong
On Tue, 20 Oct 2015, Don Armstrong wrote: > On Sat, 17 Oct 2015, Kurt Roeckx wrote: > > I've been waiting for the release team for a while to make a decision > > on #765639 for a year now. Could you help in getting a decision? > > > > I've actually been waiting for longer than that, I can't

Bug#765639: Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Don Armstrong
On Sat, 17 Oct 2015, Kurt Roeckx wrote: > I've been waiting for the release team for a while to make a decision > on #765639 for a year now. Could you help in getting a decision? > > I've actually been waiting for longer than that, I can't directly find > all links, but previous discussions about