Last call for testing on this. I'll upload the 3.3.30 package on Monday if there's no objection until then.

On 2018-10-23 14:00:14, Antoine Beaupré wrote:
> Hi,
>
> After the lengthy discussion[1] regarding the pending security issues in
> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
> determined it might be simpler to just upgrade to the latest upstream
> 3.3.x version for which upstream is still providing updates. Upstream
> agrees with the approach. This removes 35 Debian-specific, backported
> patches and fixes other unrelated bugs. The API/ABI *changes*, but it
> only adds *new* symbols so the soname versions do not change.
>
> [1]: CABY6=0nu1qg9beb5qc-mbzfubmqgxp9dbgnicfupppiwz+o...@mail.gmail.com
>
> I have uploaded the test package in the usual location here:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/
>
> Direct link to the .changes file:
>
> https://people.debian.org/~anarcat/debian/jessie-lts/gnutls28_3.3.30-1+deb8u_amd64.changes
>
> The debdiff is obviously quite large so I haven't audited the whole
> diff, which would have basically meant reviewing all the releases
> between upstream 3.3.8 and 3.3.0:
>
> 2151 files changed, 65784 insertions(+), 60661 deletions(-)
>
> Note that about 3000 lines of those are from debian/patches removals
> that were now unnecessary.
>
> The upstream changelog details all the changes:
>
> https://gitlab.com/gnutls/gnutls/blob/gnutls_3_3_x/NEWS
>
> Our branch point was 3.3.8, over four years ago. The latest 3.3.30
> release was last July.
>
> It should be possible to backport the upstream patches for those issues
> as well. But considering the amount of work that represented and how
> sensitive the issue is, I felt more confident going with upstream's
> recommendation.
>
> Extensive testing is recommended. The test suite obviously passes here
> (otherwise the package does not build) but there might be other problems
> that I haven't foreseen.
>
> Thanks for any feedback.
>
> A.
> --
> Information is not knowledge. Knowledge is not wisdom.
> Wisdom is not truth. Truth is not beauty.
> Beauty is not love. Love is not music.
> Music is the best. - Frank Zappa

--
War is the massacre of men who do not know each other, for the profit
of men who know each other but will not massacre each other.
                        - Paul Valéry
