On 2018-04-13 23:20:07 [+0300], Nicola wrote: > On 13 April 2018 at 22:45, Sebastian Andrzej Siewior > <sebast...@breakpoint.cc> wrote: > > On 2018-04-12 13:08:57 [+0000], Nicola Tuveri wrote: > >> Package: openssl > >> Version: 1.0.2l-1~bpo8+1 > >> Severity: important > >> Tags: patch > > > > backports? > > > > Yes, old-stable backports.
I see this in the version. You are two versions behind and there were a few CVEs released. I couldn't upload earlier, I would need to check if it changed but I did not receive a message that it did. > >> I marked this bug as important, as it stops everyone using official > >> debian packages from using third-party ENGINEs that require to use that > >> function to set special handling of ASN.1 format, which basically > >> includes every ENGINE that would add support for cryptosystems that > >> upstream OpenSSL does not support (defying the purpose of using some > >> ENGINEs). > > > > Not everyone. It should work in stable, doesn't it? > > Yes, my application does work in stable. Has symbol versioning been > completely disabled there? > > Or am I just lucky that the function I need was whitelisted when the > versioning script was created for the new release, but the same bug > can still resurface for the symbol OPENSSL_foobar_magic in future > OpenSSL 1.1.0x? If I am not mistaken the versioning is still in place but differently / with upstream support. So it should remain working. Can we consider this issue closed? > Thanks for your reply, > > Nicola Sebastian