Re: Bug#927437: unblock: openssl/1.1.1b-2
Cyril Brulebois:
> Hi Kurt,
>
> Kurt Roeckx (2019-04-19):
>> Can you please unblock openssl. It fixes 2 important bugs.
>> debdiff attached.
>
> (And thanks for the cc.)
>
> I have been able to confirm during my work on haveged (#923675) that
> your upload indeed fixes the wget issues we had in d-i (#926315); so
> thanks also for that, and no objections on the d-i side regarding the
> unblock request.
>
>> diff -Nru openssl-1.1.1b/debian/changelog openssl-1.1.1b/debian/changelog >> --- openssl-1.1.1b/debian/changelog 2019-02-26 19:52:12.0 +0100 >> +++ openssl-1.1.1b/debian/changelog 2019-04-16 21:31:11.0 +0200 >> @@ -1,3 +1,11 @@ >> +openssl (1.1.1b-2) unstable; urgency=medium >> + >> + * Fix BUF_MEM regression (Closes: #923516) >> + * Fix error when config can't be opened (Closes: #926315) >> + * Ship an openssl.cnf in libssl1.1-udeb.dirs
>
> The last entry is slightly odd, as that's the parent directory
> (/usr/lib/ssl) for openssl.cnf that's being added to its fellow
> companion (libcrypto1.1-udeb.dirs), rather than libssl1.1-udeb.dirs
> itself? The changelog entry could be fixed in the next upload though,
> not a huge issue.
>
>
> Cheers,

Unblocked, thanks.
~Niels
Re: Bug#927437: unblock: openssl/1.1.1b-2
Hi Kurt,

Kurt Roeckx (2019-04-19):
> Can you please unblock openssl. It fixes 2 important bugs.
> debdiff attached.

(And thanks for the cc.)

I have been able to confirm during my work on haveged (#923675) that
your upload indeed fixes the wget issues we had in d-i (#926315); so
thanks also for that, and no objections on the d-i side regarding the
unblock request.

> diff -Nru openssl-1.1.1b/debian/changelog openssl-1.1.1b/debian/changelog > --- openssl-1.1.1b/debian/changelog 2019-02-26 19:52:12.0 +0100 > +++ openssl-1.1.1b/debian/changelog 2019-04-16 21:31:11.0 +0200 > @@ -1,3 +1,11 @@ > +openssl (1.1.1b-2) unstable; urgency=medium > + > + * Fix BUF_MEM regression (Closes: #923516) > + * Fix error when config can't be opened (Closes: #926315) > + * Ship an openssl.cnf in libssl1.1-udeb.dirs

The last entry is slightly odd, as that's the parent directory
(/usr/lib/ssl) for openssl.cnf that's being added to its fellow
companion (libcrypto1.1-udeb.dirs), rather than libssl1.1-udeb.dirs
itself? The changelog entry could be fixed in the next upload though,
not a huge issue.

Cheers,
--
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Bug#927437: unblock: openssl/1.1.1b-2
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Hi, Can you please unblock openssl. It fixes 2 important bugs. debdiff attached. Kurt diff -Nru openssl-1.1.1b/debian/changelog openssl-1.1.1b/debian/changelog --- openssl-1.1.1b/debian/changelog 2019-02-26 19:52:12.0 +0100 +++ openssl-1.1.1b/debian/changelog 2019-04-16 21:31:11.0 +0200 @@ -1,3 +1,11 @@ +openssl (1.1.1b-2) unstable; urgency=medium + + * Fix BUF_MEM regression (Closes: #923516) + * Fix error when config can't be opened (Closes: #926315) + * Ship an openssl.cnf in libssl1.1-udeb.dirs + + -- Kurt Roeckx Tue, 16 Apr 2019 21:31:11 +0200 + openssl (1.1.1b-1) unstable; urgency=medium [ Sebastian Andrzej Siewior ] diff -Nru openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs --- openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs2019-02-26 19:25:16.0 +0100 +++ openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs2019-04-16 21:31:11.0 +0200 @@ -1 +1,2 @@ usr/lib +usr/lib/ssl diff -Nru openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch --- openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch 1970-01-01 01:00:00.0 +0100 +++ openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch 2019-04-16 21:23:57.0 +0200 
@@ -0,0 +1,118 @@ +From 43bb4dec99f4bed1ec20836c79967ea790594fce Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 3 Apr 2019 12:31:32 +0200 +Subject: [PATCH 1/5] Fix for BIO_get_mem_ptr and related regressions + +Reviewed-by: Bernd Edlinger +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/8649) + +(cherry picked from commit b238fb79709a180ba9b4d837101c9f75e2978dc0) +--- + crypto/bio/bss_mem.c | 40 + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c +index 10fcbf7a7c..abf0f04111 100644 +--- a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c +@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method = { + NULL, /* mem_callback_ctrl */ + }; + +-/* BIO memory stores buffer and read pointer */ ++/* ++ * BIO memory stores buffer and read pointer ++ * however the roles are different for read only BIOs. ++ * In that case the readp just stores the original state ++ * to be used for reset. ++ */ + typedef struct bio_buf_mem_st { + struct buf_mem_st *buf; /* allocated buffer */ + struct buf_mem_st *readp; /* read pointer */ +@@ -192,6 +197,8 @@ static int mem_read(BIO *b, char *out, int outl) + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + BUF_MEM *bm = bbm->readp; + ++if (b->flags & BIO_FLAGS_MEM_RDONLY) ++bm = bbm->buf; + BIO_clear_retry_flags(b); + ret = (outl >= 0 && (size_t)outl > bm->length) ? 
(int)bm->length : outl; + if ((out != NULL) && (ret > 0)) { +@@ -241,29 +248,36 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + BUF_MEM *bm; + ++if (b->flags & BIO_FLAGS_MEM_RDONLY) ++bm = bbm->buf; ++else ++bm = bbm->readp; ++ + switch (cmd) { + case BIO_CTRL_RESET: + bm = bbm->buf; + if (bm->data != NULL) { +-/* For read only case reset to the start again */ +-if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) { +-bm->length = bm->max; ++if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) { ++if (b->flags & BIO_FLAGS_NONCLEAR_RST) { ++bm->length = bm->max; ++} else { ++memset(bm->data, 0, bm->max); ++bm->length = 0; ++} ++*bbm->readp = *bbm->buf; + } else { +-memset(bm->data, 0, bm->max); +-bm->length = 0; ++/* For read only case just reset to the start again */ ++*bbm->buf = *bbm->readp; + } +-*bbm->readp = *bbm->buf; + } + break; + case BIO_CTRL_EOF: +-bm = bbm->readp; + ret = (long)(bm->length == 0); + break; + case BIO_C_SET_BUF_MEM_EOF_RETURN: + b->num = (int)num; + break; + case BIO_CTRL_INFO: +-bm = bbm->readp; + ret = (long)bm->length; + if (ptr != NULL) { + pptr = (char **)ptr; +@@ -278,8 +292,9 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) + break; + case BIO_C_GET_BUF_MEM_PTR: + if (ptr
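Review bot: in the `typedef struct bio_buf_mem_st` hunk of crypto/bio/bss_mem.c, the new block comment says that for read-only BIOs `readp` only stores the original state for reset, but the field's own trailing comment still reads `/* read pointer */`. A reader who looks only at the struct members gets the pre-patch meaning; suggest updating the per-field comments on `buf` and `readp` so the read-only role is described next to the fields it applies to.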
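Review bot: in the `mem_read()` hunk, `bm` is initialised to `bbm->readp` and then overwritten when `BIO_FLAGS_MEM_RDONLY` is set, whereas the `mem_ctrl()` hunk in the same patch picks the buffer with an explicit if/else. The `BIO_CTRL_RESET` branch (`*bbm->buf = *bbm->readp;` for read-only) only works if both functions agree on which BUF_MEM is live, so using the same if/else form in both places would keep the two selections from drifting apart. The diffstat also shows this patch touching only crypto/bio/bss_mem.c, so a test that resets and re-reads a read-only memory BIO would be worth adding alongside it if the rest of the series does not carry one.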
Re: Bug#855432: unblock: openssl/1.1.0e-1
Cyril Brulebois:
> Cyril Brulebois (2017-02-21):
>> I think that should work, yes. Please let me know when that's happened,
>> and I'll do the testing as soon as possible.
>
> This has happened, and building a netboot-gtk image with stretch udebs
> and with p-u enabled got me a 1.18-4.1 version of the wget-udeb package,
> with the following changes:
>
> +libcrypto1.1-udeb
> -libssl1.0.2-udeb
> +libssl1.1-udeb
>
> I've successfully tested a full installation over https, so I think it's
> fine to accept wget from tpu.
>
>
> KiBi.

Ack, done.

Thanks,
~Niels
Re: Bug#855432: unblock: openssl/1.1.0e-1
Cyril Brulebois (2017-02-21):
> I think that should work, yes. Please let me know when that's happened,
> and I'll do the testing as soon as possible.

This has happened, and building a netboot-gtk image with stretch udebs
and with p-u enabled got me a 1.18-4.1 version of the wget-udeb package,
with the following changes:

+libcrypto1.1-udeb
-libssl1.0.2-udeb
+libssl1.1-udeb

I've successfully tested a full installation over https, so I think it's
fine to accept wget from tpu.

KiBi.
Re: Bug#855432: unblock: openssl/1.1.0e-1
Niels Thykier (2017-02-20):
> I did and I agree on the testing part. Would a "no-change rebuild" tpu
> upload of wget be a solution for you? That should ensure we control
> when the wget change migrates to testing (which is somewhat more
> difficult with binNMUs).

I think that should work, yes. Please let me know when that's happened,
and I'll do the testing as soon as possible.

KiBi.
Re: Bug#855432: unblock: openssl/1.1.0e-1
Cyril Brulebois:
> Niels Thykier (2017-02-19):
>> [...]
>
> Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
> against 1.1 for stretch; if that happens, this needs d-i testing…
>
>
> KiBi.

I did and I agree on the testing part. Would a "no-change rebuild" tpu
upload of wget be a solution for you? That should ensure we control
when the wget change migrates to testing (which is somewhat more
difficult with binNMUs).

Thanks,
~Niels
Re: Bug#855432: unblock: openssl/1.1.0e-1
Niels Thykier (2017-02-19):
> Cyril Brulebois:
> > We have this right now:
> >
> > wget-udeb | 1.18-4   | testing  → built against 1.0.2
> > wget-udeb | 1.19.1-1 | unstable → built against 1.1
> >
> > If we're not getting a newer wget for stretch (at least I didn't find
> > anything wget-related relevant for stretch in my debian-release folder),
> > I can't think of another libssl user for d-i, which seems confirmed by
> > looking at libssl*-udeb rdepends in sid.
> >
> > Unless I'm missing something obvious: no objections.
>
> Unblocked, thanks.

Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
against 1.1 for stretch; if that happens, this needs d-i testing…

KiBi.
Re: Bug#855432: unblock: openssl/1.1.0e-1
Cyril Brulebois:
> Kurt Roeckx (2017-02-18):
>> On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
>>> How soon do you want to see this package in testing? Given I've just
>>> fixed a few things related to https support in d-i, it would be nice if
>>> I were able to perform a full test with https here, making sure we don't
>>> hit a regression there. If a reply this sunday is sufficient, I can do
>>> that.
>
> We have this right now:
>
> wget-udeb | 1.18-4   | testing  → built against 1.0.2
> wget-udeb | 1.19.1-1 | unstable → built against 1.1
>
> If we're not getting a newer wget for stretch (at least I didn't find
> anything wget-related relevant for stretch in my debian-release folder),
> I can't think of another libssl user for d-i, which seems confirmed by
> looking at libssl*-udeb rdepends in sid.
>
> Unless I'm missing something obvious: no objections.
>
>
> KiBi.

Unblocked, thanks.
~Niels
Re: Bug#855432: unblock: openssl/1.1.0e-1
On Sun, Feb 19, 2017 at 07:33:20AM +0100, Cyril Brulebois wrote:
> Kurt Roeckx (2017-02-18):
> > On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > > How soon do you want to see this package in testing? Given I've just
> > > fixed a few things related to https support in d-i, it would be nice if
> > > I were able to perform a full test with https here, making sure we don't
> > > hit a regression there. If a reply this sunday is sufficient, I can do
> > > that.
>
> We have this right now:
>
> wget-udeb | 1.18-4   | testing  → built against 1.0.2
> wget-udeb | 1.19.1-1 | unstable → built against 1.1
>
> If we're not getting a newer wget for stretch (at least I didn't find
> anything wget-related relevant for stretch in my debian-release folder),
> I can't think of another libssl user for d-i, which seems confirmed by
> looking at libssl*-udeb rdepends in sid.
>
> Unless I'm missing something obvious: no objections.

Can someone please also change the age to 2 days?

Kurt
Re: Bug#855432: unblock: openssl/1.1.0e-1
Kurt Roeckx (2017-02-18):
> On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > How soon do you want to see this package in testing? Given I've just
> > fixed a few things related to https support in d-i, it would be nice if
> > I were able to perform a full test with https here, making sure we don't
> > hit a regression there. If a reply this sunday is sufficient, I can do
> > that.

We have this right now:

wget-udeb | 1.18-4   | testing  → built against 1.0.2
wget-udeb | 1.19.1-1 | unstable → built against 1.1

If we're not getting a newer wget for stretch (at least I didn't find
anything wget-related relevant for stretch in my debian-release folder),
I can't think of another libssl user for d-i, which seems confirmed by
looking at libssl*-udeb rdepends in sid.

Unless I'm missing something obvious: no objections.

KiBi.
Bug#855432: unblock: openssl/1.1.0e-1
Package: release.debian.org User: release.debian@packages.debian.org Usertags: unblock Severity: normal Hi, There was a new upstream release fixing a high severity security issue. The changelog entry is: openssl (1.1.0e-1) unstable; urgency=high * New upstream version - Fixes CVE-2017-3733 - Remove patches that are applied upstream. -- Kurt RoeckxThu, 16 Feb 2017 18:57:58 +0100 I've attached the full debdiff between the version in testing and unstable. Kurt diff -Nru openssl-1.1.0d/apps/openssl.c openssl-1.1.0e/apps/openssl.c --- openssl-1.1.0d/apps/openssl.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/openssl.c 2017-02-16 12:58:20.0 +0100 @@ -58,7 +58,6 @@ static void list_disabled(void); char *default_config_file = NULL; -static CONF *config = NULL; BIO *bio_in = NULL; BIO *bio_out = NULL; BIO *bio_err = NULL; @@ -248,8 +247,6 @@ end: OPENSSL_free(copied_argv); OPENSSL_free(default_config_file); -NCONF_free(config); -config = NULL; lh_FUNCTION_free(prog); OPENSSL_free(arg.argv); diff -Nru openssl-1.1.0d/apps/req.c openssl-1.1.0e/apps/req.c --- openssl-1.1.0d/apps/req.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/req.c 2017-02-16 12:58:20.0 +0100 @@ -121,7 +121,7 @@ {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', "Enable support for multivalued RDNs"}, {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, -{"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"}, +{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, {"extensions", OPT_EXTENSIONS, 's', "Cert extension section (override value in config file)"}, {"reqexts", OPT_REQEXTS, 's', diff -Nru openssl-1.1.0d/apps/s_cb.c openssl-1.1.0e/apps/s_cb.c --- openssl-1.1.0d/apps/s_cb.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/s_cb.c 2017-02-16 12:58:20.0 +0100 
@@ -922,6 +922,7 @@ BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); goto err; } +*pexc = exc; exc->certfile = opt_arg(); break; case OPT_X_KEY: diff -Nru openssl-1.1.0d/apps/ts.c openssl-1.1.0e/apps/ts.c --- openssl-1.1.0d/apps/ts.c 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/apps/ts.c 2017-02-16 12:58:20.0 +0100 @@ -890,9 +890,15 @@ goto err; f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { +BIO *out = NULL; + f |= TS_VFY_DATA; -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) +if ((out = BIO_new_file(data, "rb")) == NULL) goto err; +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) { +BIO_free_all(out); +goto err; +} } else if (digest != NULL) { long imprint_len; unsigned char *hexstr = OPENSSL_hexstr2buf(digest, _len); diff -Nru openssl-1.1.0d/CHANGES openssl-1.1.0e/CHANGES --- openssl-1.1.0d/CHANGES 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/CHANGES 2017-02-16 12:58:20.0 +0100 @@ -2,6 +2,19 @@ OpenSSL CHANGES ___ + Changes between 1.1.0d and 1.1.0e [16 Feb 2017] + + *) Encrypt-Then-Mac renegotiation crash + + During a renegotiation handshake if the Encrypt-Then-Mac extension is + negotiated where it was not in the original handshake (or vice-versa) then + this can cause OpenSSL to crash (dependant on ciphersuite). Both clients + and servers are affected. + + This issue was reported to OpenSSL by Joe Orton (Red Hat). + (CVE-2017-3733) + [Matt Caswell] + Changes between 1.1.0c and 1.1.0d [26 Jan 2017] *) Truncated packet could crash via OOB read diff -Nru openssl-1.1.0d/Configurations/unix-Makefile.tmpl openssl-1.1.0e/Configurations/unix-Makefile.tmpl --- openssl-1.1.0d/Configurations/unix-Makefile.tmpl 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 12:58:20.0 +0100 
@@ -285,6 +285,7 @@ -$(RM) `find . -name '*{- $objext -}' -a \! -path "./.git/*"` $(RM) core $(RM) tags TAGS + $(RM) test/.rnd $(RM) openssl.pc libcrypto.pc libssl.pc -$(RM) `find . -type l -a \! -path "./.git/*"` $(RM) $(TARFILE) diff -Nru openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl --- openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl 2017-01-26 14:10:21.0 +0100 +++ openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl 2017-02-16 12:58:20.0 +0100 @@ -59,9 +59,12 @@ .text ___ $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); -$code.=".arch armv7-a\n.fpu neon\n.code 32\n" if ($flavour !~ /64/); - #^^ this is done to simplify adoption by not depending - # on latest binutils. +$code.=<<___ if ($flavour !~ /64/); +.arch armv7-a // don't confuse not-so-latest binutils with argv8 :-) +.fpu neon +.code 32 +#undef __thumb2__
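Review bot: in the apps/ts.c hunk, the BIO opened with `BIO_new_file(data, "rb")` is named `out` although it is opened for reading, which reads as if it were a write target. A name such as `in` would match its use. Splitting the open from `TS_VERIFY_CTX_set_data()` and calling `BIO_free_all(out)` on the failure path is otherwise the right shape for this fix.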
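Review bot: in the crypto/aes/asm/aesv8-armx.pl hunk, the comment on the added `.arch armv7-a` line says "argv8", which looks like a typo for "armv8". The removed comment explained why the directive is emitted (not depending on latest binutils), while the visible part of the replacement heredoc adds `#undef __thumb2__` with no comment saying why it is needed; a one-line explanation next to it would help the next reader.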
Re: Bug#854155: unblock: openssl/1.1.0d-2
On 13/02/17 21:37, Sebastian Andrzej Siewior wrote:
> On 2017-02-13 18:01:34 [+0100], Emilio Pozuelo Monfort wrote:
>> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
>>> Package: release.debian.org
>>> User: release.debian@packages.debian.org
>>> Usertags: unblock
>>> Severity: normal
>>>
>>> Please unblock package openssl. It contains a redo of the rules file
>>> among other packaging related changes which did not migrate in time due
>>> to the new release of the d version which fixes 3 CVE bugs. The d-2
>>> version fixes a regression discovered by perl and FTBFS of openssl
>>> itself if arch-any and arch-all were built in one go.
>>>
>>> unblock openssl/1.1.0d-2
>>
>> That includes some changes we don't like during the freeze, but given those
>> were done before the freeze and I wouldn't want them reverted this early in
>> the freeze, I would be happy to unblock this... but can you attach a binary
>> debdiff (e.g. debdiff an old and new .changes file) to make sure things are
>> still looking good?
>
> sure. I've built c-2 and d-2 with _all and amd64 in today's sid to get the
> changes files and this is the resulting debdiff:
>
> [The following lists of changes regard files as different if they have
> different names, permissions or owners.]
> > Files in second .changes but not in first > - > -rw-r--r-- root/root > /usr/lib/debug/.build-id/2b/578462762f19aca2fce5f18f02136a0e040ffa.debug > -rw-r--r-- root/root > /usr/lib/debug/.build-id/54/06ecde81b1cb2ef22ddd54e5dfe2e17a6484ce.debug > -rw-r--r-- root/root > /usr/lib/debug/.build-id/83/ab63854f485098aabd85de0468f307bc3223e9.debug > -rw-r--r-- root/root > /usr/lib/debug/.build-id/8a/753d613f23da52c564ce14f8dc406baaf34a8f.debug > -rw-r--r-- root/root > /usr/lib/debug/.build-id/cd/a94b3e615e2dd7c14de4c2d600e020c765a6d3.debug > -rw-r--r-- root/root /usr/share/doc/openssl/NEWS.Debian.gz > -rw-r--r-- root/root /usr/share/lintian/overrides/openssl > -rw-r--r-- root/root /usr/share/man/man3/X509_digest.3ssl.gz > lrwxrwxrwx root/root /usr/share/doc/libssl1.1-dbgsym -> libssl1.1 > lrwxrwxrwx root/root /usr/share/man/man3/BIO_callback_fn.3ssl.gz -> > BIO_set_callback.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/BIO_callback_fn_ex.3ssl.gz -> > BIO_set_callback.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/BIO_get_callback_ex.3ssl.gz -> > BIO_set_callback.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/BIO_set_callback_ex.3ssl.gz -> > BIO_set_callback.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/CRYPTO_secure_used.3ssl.gz -> > OPENSSL_secure_malloc.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/DH_check_params.3ssl.gz -> > DH_generate_parameters.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/ERR_FATAL_ERROR.3ssl.gz -> > ERR_GET_LIB.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/EVP_PKEY_gen_cb.3ssl.gz -> > EVP_PKEY_keygen.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/EVP_blake2b512.3ssl.gz -> > EVP_DigestInit.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/EVP_blake2s256.3ssl.gz -> > EVP_DigestInit.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/EVP_chacha20.3ssl.gz -> > EVP_EncryptInit.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/EVP_chacha20_poly1305.3ssl.gz -> > EVP_EncryptInit.3ssl.gz > lrwxrwxrwx root/root 
/usr/share/man/man3/GEN_SESSION_CB.3ssl.gz -> > SSL_CTX_set_generate_session_id.3ssl.gz > lrwxrwxrwx root/root > /usr/share/man/man3/PKCS7_ISSUER_AND_SERIAL_digest.3ssl.gz -> > X509_digest.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/SSL_COMP_get0_name.3ssl.gz -> > SSL_COMP_add_compression_method.3ssl.gz > lrwxrwxrwx root/root > /usr/share/man/man3/SSL_COMP_get_compression_methods.3ssl.gz -> > SSL_COMP_add_compression_method.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/SSL_COMP_get_id.3ssl.gz -> > SSL_COMP_add_compression_method.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/SSL_verify_cb.3ssl.gz -> > SSL_CTX_set_verify.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/X509_CRL_digest.3ssl.gz -> > X509_digest.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/X509_NAME_digest.3ssl.gz -> > X509_digest.3ssl.gz > lrwxrwxrwx root/root /usr/share/man/man3/X509_REQ_digest.3ssl.gz -> > X509_digest.3ssl.gz > lrwxrwxrwx root/root > /usr/share/man/man3/X509_STORE_CTX_cert_crl_fn.3ssl.gz -> > X509_STORE_set_verify_cb_func.3ssl.gz > lrwxrwxrwx root/root > /usr/
Re: Bug#854155: unblock: openssl/1.1.0d-2
On 2017-02-13 18:01:34 [+0100], Emilio Pozuelo Monfort wrote:
> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> >
> > Please unblock package openssl. It contains a redo of the rules file
> > among other packaging related changes which did not migrate in time due
> > to the new release of the d version which fixes 3 CVE bugs. The d-2
> > version fixes a regression discovered by perl and FTBFS of openssl
> > itself if arch-any and arch-all were built in one go.
> >
> > unblock openssl/1.1.0d-2
>
> That includes some changes we don't like during the freeze, but given those
> were done before the freeze and I wouldn't want them reverted this early in
> the freeze, I would be happy to unblock this... but can you attach a binary
> debdiff (e.g. debdiff an old and new .changes file) to make sure things are
> still looking good?

sure. I've built c-2 and d-2 with _all and amd64 in today's sid to get the
changes files and this is the resulting debdiff:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in second .changes but not in first - -rw-r--r-- root/root /usr/lib/debug/.build-id/2b/578462762f19aca2fce5f18f02136a0e040ffa.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/54/06ecde81b1cb2ef22ddd54e5dfe2e17a6484ce.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/83/ab63854f485098aabd85de0468f307bc3223e9.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/8a/753d613f23da52c564ce14f8dc406baaf34a8f.debug -rw-r--r-- root/root /usr/lib/debug/.build-id/cd/a94b3e615e2dd7c14de4c2d600e020c765a6d3.debug -rw-r--r-- root/root /usr/share/doc/openssl/NEWS.Debian.gz -rw-r--r-- root/root /usr/share/lintian/overrides/openssl -rw-r--r-- root/root /usr/share/man/man3/X509_digest.3ssl.gz lrwxrwxrwx root/root /usr/share/doc/libssl1.1-dbgsym -> libssl1.1 lrwxrwxrwx root/root /usr/share/man/man3/BIO_callback_fn.3ssl.gz -> BIO_set_callback.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/BIO_callback_fn_ex.3ssl.gz -> BIO_set_callback.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/BIO_get_callback_ex.3ssl.gz -> BIO_set_callback.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/BIO_set_callback_ex.3ssl.gz -> BIO_set_callback.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/CRYPTO_secure_used.3ssl.gz -> OPENSSL_secure_malloc.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/DH_check_params.3ssl.gz -> DH_generate_parameters.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/ERR_FATAL_ERROR.3ssl.gz -> ERR_GET_LIB.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/EVP_PKEY_gen_cb.3ssl.gz -> EVP_PKEY_keygen.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/EVP_blake2b512.3ssl.gz -> EVP_DigestInit.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/EVP_blake2s256.3ssl.gz -> EVP_DigestInit.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/EVP_chacha20.3ssl.gz -> EVP_EncryptInit.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/EVP_chacha20_poly1305.3ssl.gz -> EVP_EncryptInit.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/GEN_SESSION_CB.3ssl.gz -> SSL_CTX_set_generate_session_id.3ssl.gz 
lrwxrwxrwx root/root /usr/share/man/man3/PKCS7_ISSUER_AND_SERIAL_digest.3ssl.gz -> X509_digest.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/SSL_COMP_get0_name.3ssl.gz -> SSL_COMP_add_compression_method.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/SSL_COMP_get_compression_methods.3ssl.gz -> SSL_COMP_add_compression_method.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/SSL_COMP_get_id.3ssl.gz -> SSL_COMP_add_compression_method.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/SSL_verify_cb.3ssl.gz -> SSL_CTX_set_verify.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_CRL_digest.3ssl.gz -> X509_digest.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_NAME_digest.3ssl.gz -> X509_digest.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_REQ_digest.3ssl.gz -> X509_digest.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_STORE_CTX_cert_crl_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_STORE_CTX_check_crl_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_STORE_CTX_check_issued_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_STORE_CTX_check_policy_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz lrwxrwxrwx root/root /usr/share/man/man3/X509_STORE_CTX_check_revocation_fn.3ssl.gz -> X509_STORE_set_verify_cb_func.3ssl.gz lrwxrwxrwx root/
Re: Bug#854155: unblock: openssl/1.1.0d-2
Hi,

Emilio Pozuelo Monfort <po...@debian.org> (2017-02-13):
> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> > Please unblock package openssl. It contains a redo of the rules file
> > among other packaging related changes which did not migrate in time
> > due to the new release of the d version which fixes 3 CVE bugs. The
> > d-2 version fixes a regression discovered by perl and FTBFS of
> > openssl itself if arch-any and arch-all were built in one go.
> >
> > unblock openssl/1.1.0d-2
>
> That includes some changes we don't like during the freeze, but given
> those were done before the freeze and I wouldn't want them reverted
> this early in the freeze, I would be happy to unblock this... but can
> you attach a binary debdiff (e.g. debdiff an old and new .changes
> file) to make sure things are still looking good?

I'm also interested in seeing a binary debdiff to make sure things are
still in place in the udeb (since that's something the maintainer would
usually be less aware of or not able to easily test)…

> Also please make minimal changes from now on (e.g. for 1.1.0e).
>
> Cyril, does this look fine from a d-i perspective at this stage?

No specific objections (even if I prefer shorter diffs too).

KiBi.
Re: Bug#854155: unblock: openssl/1.1.0d-2
On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Please unblock package openssl. It contains a redo of the rules file
> among other packaging related changes which did not migrate in time due
> to the new release of the d version which fixes 3 CVE bugs. The d-2
> version fixes a regression discovered by perl and FTBFS of openssl
> itself if arch-any and arch-all were built in one go.
>
> unblock openssl/1.1.0d-2

That includes some changes we don't like during the freeze, but given those
were done before the freeze and I wouldn't want them reverted this early in
the freeze, I would be happy to unblock this... but can you attach a binary
debdiff (e.g. debdiff an old and new .changes file) to make sure things are
still looking good?

Also please make minimal changes from now on (e.g. for 1.1.0e).

Cyril, does this look fine from a d-i perspective at this stage?

Cheers,
Emilio
Bug#780902: unblock: openssl/1.0.1k-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

1.0.1k-2 contains security fixes. Could you please unblock it?

Kurt
Re: Bug#775025: unblock: openssl/1.0.1k-1
On 2015-01-25 22:16, Cyril Brulebois wrote:
> Control: tag -1 confirmed
>
> Kurt Roeckx k...@roeckx.be (2015-01-20):
>> Can you ACK that, or is there someone else in the d-i team that can do
>> that?
>
> Not at the time this unblock was requested or pinged, but right now:
> yes.
>
> Mraw,
> KiBi.

Added -udeb unblock as well, thanks.

~Niels
Re: Bug#775025: unblock: openssl/1.0.1k-1
Control: tag -1 confirmed

Kurt Roeckx k...@roeckx.be (2015-01-20):
> Can you ACK that, or is there someone else in the d-i team that can do
> that?

Not at the time this unblock was requested or pinged, but right now:
yes.

Mraw,
KiBi.
Re: Bug#775025: unblock: openssl/1.0.1k-1
Hi,

Can you ACK that, or is there someone else in the d-i team that can do
that?

Kurt

On Wed, Jan 14, 2015 at 05:52:58PM +0100, Niels Thykier wrote:
> Control: tags -1 d-i
>
> On 2015-01-10 12:01, Kurt Roeckx wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Hi,
> >
> > I've uploaded a new upstream version of openssl to unstable.
> > This contains fixes for 7 security issues affecting jessie. It
> > also contains a lot of other bug fixes.
> >
> > Can you please unblock it?
> >
> > Kurt
>
> No problems from my PoV. CC'ing KiBi for d-i ACK.
>
> ~Niels
Re: Unblock openssl
Kurt Roeckx wrote:
> Hi,
>
> Can openssl 0.9.8g-16 be hinted to testing? It fixes a security issue.
>
> It has a udeb.

unblocked

Cheers

Luk
Unblock openssl
Hi,

Can openssl 0.9.8g-16 be hinted to testing? It fixes a security issue.

It has a udeb.

Kurt