On Thu, 2022-03-24 at 22:00 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-24 12:39:55 [+], Adam D. Barratt wrote:
> > I've added that text to the announcement for the buster point
> > release.
> Thanks.
>
> > If anyone has any changes, please yell ASAP.
>
> The gnutls and perl changes
On 2022-03-24 12:39:55 [+], Adam D. Barratt wrote:
> I've added that text to the announcement for the buster point release.
Thanks.
> If anyone has any changes, please yell ASAP.
The gnutls and perl changes are not yet built. I guess this is intended
;)
> Regards,
>
> Adam
Sebastian
On Wed, 2022-03-23 at 22:38 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-23 17:40:59 [+], Adam D. Barratt wrote:
> > Right, let's have another go at this then:
> >
> > "
> > OpenSSL signature algorithm check tightening
> > =
> >
> > The Open
On 2022-03-23 17:40:59 [+], Adam D. Barratt wrote:
> Right, let's have another go at this then:
>
> "
> OpenSSL signature algorithm check tightening
> =
>
> The OpenSSL update provided in this point release includes a
> change to ensure that the req
On Tue, 2022-03-22 at 22:13 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> > On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> > > OpenSSL signature algorithm check tightening
> > > =
> > >
On Tue, Mar 22, 2022 at 10:13:25PM +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> > On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> > > OpenSSL signature algorithm check tightening
> > > =
On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> > OpenSSL signature algorithm check tightening
> > =
> >
> > The OpenSSL update included in this point release includes a change to
>
On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> OpenSSL signature algorithm check tightening
> =
>
> The OpenSSL update included in this point release includes a change to
> ensure that the requested signature algorithm is supported by
On Tue, Mar 22, 2022 at 08:19:01PM +, Adam D. Barratt wrote:
> Is the note below accurate?
Yes.
Kurt
On Tue, 2022-03-22 at 21:01 +0100, Kurt Roeckx wrote:
> On Tue, Mar 22, 2022 at 07:37:00PM +, Adam D. Barratt wrote:
> > On Mon, 2022-03-21 at 00:12 +0100, Sebastian Andrzej Siewior wrote:
> > > The change in openssl is commit
> > >cc7c6eb8135b ("Check that the default signature type is
> >
On Tue, Mar 22, 2022 at 07:37:00PM +, Adam D. Barratt wrote:
> On Mon, 2022-03-21 at 00:12 +0100, Sebastian Andrzej Siewior wrote:
> > The change in openssl is commit
> >cc7c6eb8135b ("Check that the default signature type is allowed")
> >
> > Before the commit in question it connects as:
On Mon, 2022-03-21 at 00:12 +0100, Sebastian Andrzej Siewior wrote:
> The change in openssl is commit
>cc7c6eb8135b ("Check that the default signature type is allowed")
>
> Before the commit in question it connects as:
> - Description: (TLS1.0)-(ECDHE-SECP384R1)-(AES-256-CBC)-(SHA1)
>
> aft
On 2022-03-21 22:11:17 [+0100], Julien Cristau wrote:
> Hi,
Hi,
> Specifically, we were hoping to better understand the risk of openssl
> changes breaking existing setups. It's possible the issues with gnutls
> and libnet-ssleay-perl tests were narrowly scoped enough that that risk
> is low, but
Hi,
Specifically, we were hoping to better understand the risk of openssl
changes breaking existing setups. It's possible the issues with gnutls
and libnet-ssleay-perl tests were narrowly scoped enough that that risk
is low, but we're just not sure right now. Other input would be
welcome.
Thank
I would like to stop receiving these emails
How do I stop these emails
On Mon, Mar 21, 2022, 3:27 PM Adam D. Barratt
wrote:
> On Sun, 2022-03-20 at 22:00 +0100, Paul Gevers wrote:
> > Dear Sebastian, Kurt,
> >
> > On 19-03-2022 12:33, Adam D Barratt wrote:
> > > Upload details
> > > ==
> > >
> > > Package: openssl
> > > Versio
On Sun, 2022-03-20 at 22:00 +0100, Paul Gevers wrote:
> Dear Sebastian, Kurt,
>
> On 19-03-2022 12:33, Adam D Barratt wrote:
> > Upload details
> > ==
> >
> > Package: openssl
> > Version: 1.1.1n-0+deb10u1
> >
> > Explanation: new upstream release
>
> We're seeing a regression in bu
X-Debbugs-Cc: gnutl...@packages.debian.org, Kurt Roeckx , Paul
Gevers , Sebastian Andrzej Siewior
On 2022-03-21 Sebastian Andrzej Siewior wrote:
> On 2022-03-21 00:12:11 [+0100], To Kurt Roeckx wrote:
> > doesn't help here but
> > -cipher "ALL:@SECLEVEL=1"
> > does.
> Only debci is affe
On 2022-03-21 00:12:11 [+0100], To Kurt Roeckx wrote:
> doesn't help here but
>-cipher "ALL:@SECLEVEL=1"
>
> does.
Only debci is affected. The package builds because this testsuite is not
part of the build process.
I prepared a NMU against Buster for gnutls. I can open later today a
bust
On Mon, Mar 21, 2022 at 12:12:11AM +0100, Sebastian Andrzej Siewior wrote:
>
> The change in openssl is commit
>cc7c6eb8135b ("Check that the default signature type is allowed")
So that's:
commit cc7c6eb8135be665d0acc176a5963e1eaf52e4e2
Author: Kurt Roeckx
Date: Thu Jan 2 22:53:32 2020 +01
On 2022-03-20 23:15:57 [+0100], Kurt Roeckx wrote:
> > https://ci.debian.net/data/autopkgtest/oldstable/amd64/g/gnutls28/20199677/log.gz
> >
> > Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > %COMPAT: Checking TLS 1.0 with ECDHE-ECDSA (SECP384R1)...
> > *** Fatal error: A TLS fatal alert has
On Sun, Mar 20, 2022 at 10:00:15PM +0100, Paul Gevers wrote:
> Dear Sebastian, Kurt,
>
> On 19-03-2022 12:33, Adam D Barratt wrote:
> > Upload details
> > ==
> >
> > Package: openssl
> > Version: 1.1.1n-0+deb10u1
> >
> > Explanation: new upstream release
>
> We're seeing a regressio
Dear Sebastian, Kurt,
On 19-03-2022 12:33, Adam D Barratt wrote:
Upload details
==
Package: openssl
Version: 1.1.1n-0+deb10u1
Explanation: new upstream release
We're seeing a regression in buster in the autopkgtest of gnutls28 with
the new version of openssl on all tested archit
package release.debian.org
tags 959469 = buster pending
thanks
Hi,
The upload referenced by this bug report has been flagged for acceptance into
the proposed-updates queue for Debian buster.
Thanks for your contribution!
Upload details
==
Package: openssl
Version: 1.1.1n-0+deb10u1
On 2021-03-22 19:52:00 [+0100], To Kurt Roeckx wrote:
> > I will prepare 1.1.1k for unstable, do buster-security based on
> > 1.1.1d-0+deb10u5 and then come back with an updated pu :)
New round. I prepared a pu for Buster based on OpenSSL 1.1.1k. The
unstable release migrated to testing. I am not
Resending because I managed to accidently clear TO:
On 2021-03-22 19:48:31 [+0100], Cc 959...@bugs.debian.org wrote:
> On 2021-02-24 23:23:07 [+0100], To Kurt Roeckx wrote:
> > On 2021-02-10 21:52:46 [+0100], To Kurt Roeckx wrote:
> > > OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a
On 2021-02-24 23:23:07 [+0100], To Kurt Roeckx wrote:
> On 2021-02-10 21:52:46 [+0100], To Kurt Roeckx wrote:
> > OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
> > fix classified as MODERATE [1].
So this happened. OpenSSL upstream announced [0] 1.1.1k for next
Thursday (25
On 2021-02-01 23:50:03 [+0100], To Kurt Roeckx wrote:
> in case someone wants to test.
> I think the ship for this pu is sailing without me but I'm ready for the
> next cruise :)
OpenSSL upstream announced [0] 1.1.1j for next Tuesday with a security
fix classified as MODERATE [1].
[0] https://mta
On 2021-01-29 20:35:52 [+0100], To Kurt Roeckx wrote:
> On 2021-01-28 00:28:03 [+0100], Kurt Roeckx wrote:
> > On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> > > There are a whole bunch of other issues and pull requests related to
> > > this. I hope this is the end of the regression
On 2021-01-28 00:28:03 [+0100], Kurt Roeckx wrote:
> On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> > There are a whole bunch of other issues and pull requests related to
> > this. I hope this is the end of the regressions in the X509 code.
>
> So there is something else now:
> htt
On Thu, Jan 14, 2021 at 07:03:37PM +0100, Kurt Roeckx wrote:
> There are a whole bunch of other issues and pull requests related to
> this. I hope this is the end of the regressions in the X509 code.
So there is something else now:
https://github.com/openssl/openssl/issues/13931
https://github.com
On 2021-01-25 19:57:18 [+0100], Cyril Brulebois wrote:
> Not really *much* easier, to be honest. I can definitely build a package
> locally given a source debdiff, or slightly better, given a source
> package I can run dget against (since we're talking about new upstream
> releases, by the looks of
Adam D. Barratt (2021-01-25):
> KiBi - I'm assuming that it would be much easier for you to check d-i
> against the new OpenSSL version if it were already in p-u?
Not really *much* easier, to be honest. I can definitely build a package
locally given a source debdiff, or slightly better, given a s
On Sun, 2021-01-24 at 12:25 +0100, Sebastian Andrzej Siewior wrote:
> On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> > Both would be good, please.
>
> Here is the complete diff against the last openssl release in Buster.
Thanks.
I realise that this has been dragging on for quite some t
On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> Assuming that a patched m2crypto will also build fine against openssl
> 1.1.1d, then there's no reason that the two shouldn't proceed in
> parallel (i.e. feel free to file the m2crypto request already).
Yes, it does. Bug filled. Thank you.
On 2021-01-22 16:38:28 [+], Adam D. Barratt wrote:
> Both would be good, please.
here is the with the two additional patches.
Sebastian
diff --git a/debian/changelog b/debian/changelog
index 088c914a3dd4a..56a950734f01d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,9 @@ open
On Thu, 2021-01-21 at 21:06 +0100, Sebastian Andrzej Siewior wrote:
> On 2021-01-16 19:14:53 [+0100], Kurt Roeckx wrote:
> > So I went over the open issues and pull requests, and currently
> > don't see a reason not to upload it to unstable with those 2
> > patches. I don't know about any other reg
On 2021-01-16 19:14:53 [+0100], Kurt Roeckx wrote:
> So I went over the open issues and pull requests, and currently
> don't see a reason not to upload it to unstable with those 2
> patches. I don't know about any other regressions in 1.1.1.
The openssl package migrated to testing.
I would prepare
On Thu, Jan 14, 2021 at 09:13:49PM +0100, Sebastian Andrzej Siewior wrote:
> On 2021-01-14 19:03:37 [+0100], Kurt Roeckx wrote:
> > > Do you have pointers to upstream issues?
> >
> > There are a whole bunch of other issues and pull requests related to
> > this. I hope this is the end of the regres
On 2021-01-14 19:03:37 [+0100], Kurt Roeckx wrote:
> > Do you have pointers to upstream issues?
>
> There are a whole bunch of other issues and pull requests related to
> this. I hope this is the end of the regressions in the X509 code.
Okay. Please ping once this gets sorted out and I will prepe
On Thu, Jan 14, 2021 at 05:43:00PM +, Adam D. Barratt wrote:
> Hi,
>
> On Fri, 2021-01-08 at 23:59 +0100, Kurt Roeckx wrote:
> > On Fri, Jan 08, 2021 at 11:39:13PM +0100, Sebastian Andrzej Siewior
> > wrote:
> [...]
> > > The i release in unstable managed to migrate to testing. It was
> > > bl
Hi,
On Fri, 2021-01-08 at 23:59 +0100, Kurt Roeckx wrote:
> On Fri, Jan 08, 2021 at 11:39:13PM +0100, Sebastian Andrzej Siewior
> wrote:
[...]
> > The i release in unstable managed to migrate to testing. It was
> > blocked due to ci by m2crypto and swi-prolog. The swi-prolog issue
> > got fixed in
On Fri, Jan 08, 2021 at 11:39:13PM +0100, Sebastian Andrzej Siewior wrote:
> On 2020-11-24 20:18:15 [+], Adam D. Barratt wrote:
>
> > At some point, could we please have a combined / single diff between
> > the current 1.1.1d-0+deb10u3 and the proposed 1.1.1h-0+deb10u1 (I
> > assume)?
>
> Ple
On 2020-11-24 20:18:15 [+], Adam D. Barratt wrote:
> That would be preferable at this point, yes, sorry. We should try and
> make sure it's sorted soon afterwards though, to avoid things getting
> stuck again.
I will set up an alarm on my side :)
> At some point, could we please have a combin
On Fri, 2020-11-20 at 21:04 +0100, Sebastian Andrzej Siewior wrote:
> On 2020-11-20 17:24:30 [+], Adam D. Barratt wrote:
> > Predictably we're again quite close to a point release. :-( (One
> > week from freeze, specifically.)
>
> oh.
In fairness, given an approximately two month cycle, we're
On 2020-11-20 17:24:30 [+], Adam D. Barratt wrote:
> Predictably we're again quite close to a point release. :-( (One week
> from freeze, specifically.)
oh.
> Looking at the upstream issues regarding certificate validation changes
> between 1.1.1e and f/g, #11456 appears to have been addresse
On Sun, 2020-11-15 at 11:29 +0100, Sebastian Andrzej Siewior wrote:
> control: retitle -1 buster-pu: package openssl/1.1.1h-1
>
> On 2020-05-02 22:34:40 [+0100], Adam D. Barratt wrote:
> > > > Do we have any feeling for how widespread such certificates
> > > > might be?
> > > > The fact that there
On 2020-11-15 20:59:18 [+0100], Paul Gevers wrote:
> Hi Sebastian,
Hi Paul,
> I don't fully understand what you say here. We *do* run autopkgtests in
> stable to check for issues.
Yes, but the package does not use it in stable.
Sebastian
Hi Sebastian,
On 15-11-2020 11:29, Sebastian Andrzej Siewior wrote:
> The same error is also present in the stable version of swi-prolog.
> However, this is not the only failure in the test suite (it also
> complains about too small keys) and there is no debci for stable which
> would cause a regr
Processing control commands:
> retitle -1 buster-pu: package openssl/1.1.1h-1
Bug #959469 [release.debian.org] buster-pu: package openssl/1.1.1g-1
Changed Bug title to 'buster-pu: package openssl/1.1.1h-1' from 'buster-pu:
package openssl/1.1.1g-1'.
--
959469: https://
control: retitle -1 buster-pu: package openssl/1.1.1h-1
On 2020-05-02 22:34:40 [+0100], Adam D. Barratt wrote:
> > > Do we have any feeling for how widespread such certificates might
> > > be?
> > > The fact that there have been two different upstream reports isn't
> > > particularly comforting.
>
On Sat, 2020-05-02 at 22:29 +0200, Sebastian Andrzej Siewior wrote:
> On 2020-05-02 20:32:01 [+0100], Adam D. Barratt wrote:
> > On Sat, 2020-05-02 at 18:36 +0200, Sebastian Andrzej Siewior wrote:
> > > I'm fairly late, I know.
> >
> > Just a little. :-( Particularly as OpenSSL builds udebs.
> >
On 2020-05-02 20:32:01 [+0100], Adam D. Barratt wrote:
> On Sat, 2020-05-02 at 18:36 +0200, Sebastian Andrzej Siewior wrote:
> > I'm fairly late, I know.
>
> Just a little. :-( Particularly as OpenSSL builds udebs.
>
> CCing KiBi and -boot so they're aware of the discussion, but this does
> come
On Sat, 2020-05-02 at 18:36 +0200, Sebastian Andrzej Siewior wrote:
> I'm fairly late, I know.
Just a little. :-( Particularly as OpenSSL builds udebs.
CCing KiBi and -boot so they're aware of the discussion, but this does
come quite late.
> The last update was addressed via DSA providing only a
On 2020-05-02 18:36:42 [+0200], To sub...@bugs.debian.org wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: buster
> Severity: normal
>
> I'm fairly late, I know.
> The last update was addressed via DSA providing only a patch for the CVE
> w
55 matches
Mail list logo