On Wed, Jun 03, 2026 at 06:17:12AM -0500, John Goerzen wrote: > On Tue, Jun 02 2026, Adrian Bunk wrote: > > > On Sun, May 24, 2026 at 07:27:12AM -0500, John Goerzen wrote: > >> Just to be very clear: the ideal release would have my patch, but I am > >> also fine with one that lacks it. > > > > Is "my patch" the CVE-2025-68920 fix? > > > > My proposed update contains both the CVE fix and the removal of the > > OpenSSL version check, and if that looks good to you then I can upload > > it again. > > > > But if you have any objection to adding the CVE-2025-68920 fix in stable, > > then I can also prepare an update removing only the OpenSSL version check. > > Sorry, let me be more clear: > > Ideally, the upload to stable would have both the CVE-2025-68920 fix AND > the removal of the OpenSSL version check. > > However, the CVE fix is more important, so if only one can be used, use > that one.
Disabling the OpenSSL version check (or at a minimum a rebuild) is really needed in stable, and no one raised any objections to that. Salvatore requested that I ask you regarding the CVE fix, and since you agree that the CVE fix is wanted in stable I've uploaded my proposed package again. > - John Thanks Adrian
