On 2023-08-26 14:50:09 [+0200], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> Control: affects -1 + src:openssl
> User: release.debian....@packages.debian.org
> Usertags: pu
> Tags: bullseye
> Severity: normal
> 
> This is an update of the openssl package to the 1.1.1v version, a patch release
> (bug and security fixes). This has been long overdue and was delayed on
> my side mostly due to bad timing.
> This update contains fixes for the following CVEs:
> 
>  - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
>  - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
> 
> The NEWS/ CHANGES file lists more CVEs but those have been already
> fixed via d-security. These two have been rated as minor and are part of
> this pu.
> 
> Besides security fixes, this update contains non-CVE/security related
> fixes.
> I deployed this release on a handful of buster/bullseye servers of mine
> with no known problems. Also I've seen no "regression" fixes on top in
> upstream's 1.1.1 branch. I am not (knowingly) able to run debci tests to
> comment on this. That said, I am not aware of a regression but willing
> to look into it should something pop up.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable

Just a friendly note that this has been filed but did not make it to
the list.
 
Sebastian
