Your message dated Tue, 22 Jul 2025 13:45:02 +0000
with message-id <[email protected]>
and subject line unblock mbedtls
has caused the Debian Bug report #1109602,
regarding unblock: mbedtls/3.6.4-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109602
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:mbedtls
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: unblock
Severity: normal
Please unblock package mbedtls
[ Reason ]
I have updated the package to the latest upstream LTS branch release to
fix several CVEs. Upstream takes great care of not breaking
compatibility between patch releases.
[ Impact ]
If the unblock isn't granted, trixie will ship with an already insecure
version of the library, which is particularly important for a crypto/TLS
package.
[ Tests ]
New upstream tests were added which test against the old security bugs,
alongside the comprehensive pre-existing test suite.
[ Risks ]
MbedTLS is a key package. Still, I believe the risks are low as upstream
has always been careful with such releases. Autopkgtests exist too.
[ Checklist ]
[x] all changes are documented in the d/changelog (assuming "new
upstream release fixing CVEs a, b, and c" is enough)
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing
[ Other info ]
As I didn't realize the library was a key package, and the full freeze
hasn't started yet, I have already pushed this to unstable. Oops.
The debdiff is huge, and I haven't included it here. This is because
upstream likes to also backport non-critical changes like test updates,
documentation improvements, and similar.
During DebConf I talked with Andrej Shadura, who has prepared
stable updates to the library in the past. He said that only backporting
commits which fix the issues while leaving out the cosmetic fixes is
borderline infeasible, as fixes are often split into several commits and
tracking them all down can be hard. While this makes diffs big, and it
sucks, I also believe that keeping only "the important stuff" is really
not worth the effort, and increases the risk of messing up by leaving
out parts of the patches backported into the LTS branch by upstream.
Bye!
unblock mbedtls/3.6.4-2
--- End Message ---
--- Begin Message ---
Unblocked mbedtls.
--- End Message ---