Re: Bug#927437: unblock: openssl/1.1.1b-2

2019-04-20 Thread Niels Thykier
Cyril Brulebois:
> Hi Kurt,
> 
> Kurt Roeckx  (2019-04-19):
>> Can you please unblock openssl. It fixes 2 important bugs.
>> debdiff attached.
> 
> (And thanks for the cc.)
> 
> I have been able to confirm during my work on haveged (#923675) that
> your upload indeed fixes the wget issues we had in d-i (#926315); so
> thanks also for that, and no objections on the d-i side regarding the
> unblock request.
> 
>> diff -Nru openssl-1.1.1b/debian/changelog openssl-1.1.1b/debian/changelog
>> --- openssl-1.1.1b/debian/changelog  2019-02-26 19:52:12.0 +0100
>> +++ openssl-1.1.1b/debian/changelog  2019-04-16 21:31:11.0 +0200
>> @@ -1,3 +1,11 @@
>> +openssl (1.1.1b-2) unstable; urgency=medium
>> +
>> +  * Fix BUF_MEM regression (Closes: #923516)
>> +  * Fix error when config can't be opened (Closes: #926315)
>> +  * Ship an openssl.cnf in libssl1.1-udeb.dirs
> 
> The last entry is slightly odd, as that's the parent directory
> (/usr/lib/ssl) for openssl.cnf that's being added to its fellow
> companion (libcrypto1.1-udeb.dirs), rather than libssl1.1-udeb.dirs
> itself? The changelog entry could be fixed in the next upload though,
> not a huge issue.
> 
> 
> Cheers,
> 

Unblocked, thanks.
~Niels



Re: Bug#927437: unblock: openssl/1.1.1b-2

2019-04-19 Thread Cyril Brulebois
Hi Kurt,

Kurt Roeckx  (2019-04-19):
> Can you please unblock openssl. It fixes 2 important bugs.
> debdiff attached.

(And thanks for the cc.)

I have been able to confirm during my work on haveged (#923675) that
your upload indeed fixes the wget issues we had in d-i (#926315); so
thanks also for that, and no objections on the d-i side regarding the
unblock request.

> diff -Nru openssl-1.1.1b/debian/changelog openssl-1.1.1b/debian/changelog
> --- openssl-1.1.1b/debian/changelog   2019-02-26 19:52:12.0 +0100
> +++ openssl-1.1.1b/debian/changelog   2019-04-16 21:31:11.0 +0200
> @@ -1,3 +1,11 @@
> +openssl (1.1.1b-2) unstable; urgency=medium
> +
> +  * Fix BUF_MEM regression (Closes: #923516)
> +  * Fix error when config can't be opened (Closes: #926315)
> +  * Ship an openssl.cnf in libssl1.1-udeb.dirs

The last entry is slightly odd, as that's the parent directory
(/usr/lib/ssl) for openssl.cnf that's being added to its fellow
companion (libcrypto1.1-udeb.dirs), rather than libssl1.1-udeb.dirs
itself? The changelog entry could be fixed in the next upload though,
not a huge issue.


Cheers,
-- 
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant




Bug#927437: unblock: openssl/1.1.1b-2

2019-04-19 Thread Kurt Roeckx
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Can you please unblock openssl. It fixes 2 important bugs.
debdiff attached.


Kurt

diff -Nru openssl-1.1.1b/debian/changelog openssl-1.1.1b/debian/changelog
--- openssl-1.1.1b/debian/changelog 2019-02-26 19:52:12.0 +0100
+++ openssl-1.1.1b/debian/changelog 2019-04-16 21:31:11.0 +0200
@@ -1,3 +1,11 @@
+openssl (1.1.1b-2) unstable; urgency=medium
+
+  * Fix BUF_MEM regression (Closes: #923516)
+  * Fix error when config can't be opened (Closes: #926315)
+  * Ship an openssl.cnf in libssl1.1-udeb.dirs
+
+ -- Kurt Roeckx   Tue, 16 Apr 2019 21:31:11 +0200
+
 openssl (1.1.1b-1) unstable; urgency=medium
 
   [ Sebastian Andrzej Siewior ]
diff -Nru openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs 
openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs
--- openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs2019-02-26 
19:25:16.0 +0100
+++ openssl-1.1.1b/debian/libcrypto1.1-udeb.dirs2019-04-16 
21:31:11.0 +0200
@@ -1 +1,2 @@
 usr/lib
+usr/lib/ssl
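Review bot: the added `usr/lib/ssl` line only makes libcrypto1.1-udeb create that directory; nothing in this hunk installs openssl.cnf, and the changelog bullet names libssl1.1-udeb.dirs while the file changed here is libcrypto1.1-udeb.dirs. Suggest rewording the bullet to match what the debdiff does, for example "Add usr/lib/ssl to libcrypto1.1-udeb.dirs".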
diff -Nru 
openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
 
openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
--- 
openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
1970-01-01 01:00:00.0 +0100
+++ 
openssl-1.1.1b/debian/patches/0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
2019-04-16 21:23:57.0 +0200
@@ -0,0 +1,118 @@
+From 43bb4dec99f4bed1ec20836c79967ea790594fce Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Wed, 3 Apr 2019 12:31:32 +0200
+Subject: [PATCH 1/5] Fix for BIO_get_mem_ptr and related regressions
+
+Reviewed-by: Bernd Edlinger 
+Reviewed-by: Matt Caswell 
+(Merged from https://github.com/openssl/openssl/pull/8649)
+
+(cherry picked from commit b238fb79709a180ba9b4d837101c9f75e2978dc0)
+---
+ crypto/bio/bss_mem.c | 40 
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
+index 10fcbf7a7c..abf0f04111 100644
+--- a/crypto/bio/bss_mem.c
 b/crypto/bio/bss_mem.c
+@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method = {
+ NULL,  /* mem_callback_ctrl */
+ };
+ 
+-/* BIO memory stores buffer and read pointer  */
++/*
++ * BIO memory stores buffer and read pointer
++ * however the roles are different for read only BIOs.
++ * In that case the readp just stores the original state
++ * to be used for reset.
++ */
+ typedef struct bio_buf_mem_st {
+ struct buf_mem_st *buf;   /* allocated buffer */
+ struct buf_mem_st *readp; /* read pointer */
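Review bot: in `struct bio_buf_mem_st` the field comments still read `/* allocated buffer */` and `/* read pointer */`, which no longer matches the new block comment for read-only BIOs, where `readp` holds the original state and `buf` is the struct being consumed. Suggest stating both roles on the fields themselves, since that is where a reader of `mem_read` and `mem_ctrl` will look first.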
+@@ -192,6 +197,8 @@ static int mem_read(BIO *b, char *out, int outl)
+ BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
+ BUF_MEM *bm = bbm->readp;
+ 
++if (b->flags & BIO_FLAGS_MEM_RDONLY)
++bm = bbm->buf;
+ BIO_clear_retry_flags(b);
+ ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl;
+ if ((out != NULL) && (ret > 0)) {
+@@ -241,29 +248,36 @@ static long mem_ctrl(BIO *b, int cmd, long num, void 
*ptr)
+ BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
+ BUF_MEM *bm;
+ 
++if (b->flags & BIO_FLAGS_MEM_RDONLY)
++bm = bbm->buf;
++else
++bm = bbm->readp;
++
+ switch (cmd) {
+ case BIO_CTRL_RESET:
+ bm = bbm->buf;
+ if (bm->data != NULL) {
+-/* For read only case reset to the start again */
+-if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & 
BIO_FLAGS_NONCLEAR_RST)) {
+-bm->length = bm->max;
++if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
++if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
++bm->length = bm->max;
++} else {
++memset(bm->data, 0, bm->max);
++bm->length = 0;
++}
++*bbm->readp = *bbm->buf;
+ } else {
+-memset(bm->data, 0, bm->max);
+-bm->length = 0;
++/* For read only case just reset to the start again */
++*bbm->buf = *bbm->readp;
+ }
+-*bbm->readp = *bbm->buf;
+ }
+ break;
+ case BIO_CTRL_EOF:
+-bm = bbm->readp;
+ ret = (long)(bm->length == 0);
+ break;
+ case BIO_C_SET_BUF_MEM_EOF_RETURN:
+ b->num = (int)num;
+ break;
+ case BIO_CTRL_INFO:
+-bm = bbm->readp;
+ ret = (long)bm->length;
+ if (ptr != NULL) {
+ pptr = (char **)ptr;
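Review bot: in `mem_ctrl`, `BIO_CTRL_EOF` and `BIO_CTRL_INFO` now depend on the `bm` chosen before the `switch`, while `BIO_CTRL_RESET` immediately overwrites it with `bm = bbm->buf;`, so the function carries two conventions for what `bm` means. A one-line comment on the new if/else saying that `bm` is the struct holding the current read position would make the removed `bm = bbm->readp;` lines easier to trust. The diffstat lists only crypto/bio/bss_mem.c, so this patch carries no test; a case that reads from a read-only mem BIO, resets it, and checks the length reported through `BIO_CTRL_INFO` would pin the behaviour down.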
+@@ -278,8 +292,9 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
+ break;
+ case BIO_C_GET_BUF_MEM_PTR:
+ if (ptr

Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-03-04 Thread Niels Thykier
Cyril Brulebois:
> Cyril Brulebois  (2017-02-21):
>> I think that should work, yes. Please let me know when that's happened,
>> and I'll do the testing as soon as possible.
> 
> This has happened, and building a netboot-gtk image with stretch udebs
> and with p-u enabled got me a 1.18-4.1 version of the wget-udeb package,
> with the following changes:
> 
> +libcrypto1.1-udeb
> -libssl1.0.2-udeb
> +libssl1.1-udeb
> 
> I've successfully tested a full installation over https, so I think it's
> fine to accept wget from tpu.
> 
> 
> KiBi.
> 

Ack, done.

Thanks,
~Niels



Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-28 Thread Cyril Brulebois
Cyril Brulebois  (2017-02-21):
> I think that should work, yes. Please let me know when that's happened,
> and I'll do the testing as soon as possible.

This has happened, and building a netboot-gtk image with stretch udebs
and with p-u enabled got me a 1.18-4.1 version of the wget-udeb package,
with the following changes:

+libcrypto1.1-udeb
-libssl1.0.2-udeb
+libssl1.1-udeb

I've successfully tested a full installation over https, so I think it's
fine to accept wget from tpu.


KiBi.




Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-20 Thread Cyril Brulebois
Niels Thykier  (2017-02-20):
> I did and I agree on the testing part.  Would a "no-change rebuild" tpu
> upload of wget be a solution for you?  That should ensure we control
> when the wget change migrates to testing (which is somewhat more
> difficult with binNMUs).

I think that should work, yes. Please let me know when that's happened,
and I'll do the testing as soon as possible.


KiBi.




Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Niels Thykier
Cyril Brulebois:
> Niels Thykier  (2017-02-19):
>> [...]
> 
> Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
> against 1.1 for stretch; if that happens, this needs d-i testing…
> 
> 
> KiBi.
> 

I did and I agree on the testing part.  Would a "no-change rebuild" tpu
upload of wget be a solution for you?  That should ensure we control
when the wget change migrates to testing (which is somewhat more
difficult with binNMUs).

Thanks,
~Niels




Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Cyril Brulebois
Niels Thykier  (2017-02-19):
> Cyril Brulebois:
> > We have this right now:
> > 
> > wget-udeb  | 1.18-4| testing  → built against 1.0.2
> > wget-udeb  | 1.19.1-1  | unstable → built against 1.1
> > 
> > If we're not getting a newer wget for stretch (at least I didn't find
> > anything wget-related relevant for stretch in my debian-release folder),
> > I can't think of another libssl user for d-i, which seems confirmed by
> > looking at libssl*-udeb rdepends in sid.
> > 
> > Unless I'm missing something obvious: no objections.
> 
> Unblocked, thanks.

Hrm. You mentioned on IRC you were pondering possibly rebuilding wget
against 1.1 for stretch; if that happens, this needs d-i testing…


KiBi.




Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Niels Thykier
Cyril Brulebois:
> Kurt Roeckx  (2017-02-18):
>> On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
>>> How soon do you want to see this package in testing? Given I've just
>>> fixed a few things related to https support in d-i, it would be nice if
>>> I were able to perform a full test with https here, making sure we don't
>>> hit a regression there. If a reply this Sunday is sufficient, I can do
>>> that.
> 
> We have this right now:
> 
> wget-udeb  | 1.18-4| testing  → built against 1.0.2
> wget-udeb  | 1.19.1-1  | unstable → built against 1.1
> 
> If we're not getting a newer wget for stretch (at least I didn't find
> anything wget-related relevant for stretch in my debian-release folder),
> I can't think of another libssl user for d-i, which seems confirmed by
> looking at libssl*-udeb rdepends in sid.
> 
> Unless I'm missing something obvious: no objections.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels




Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-19 Thread Kurt Roeckx
On Sun, Feb 19, 2017 at 07:33:20AM +0100, Cyril Brulebois wrote:
> Kurt Roeckx  (2017-02-18):
> > On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > > How soon do you want to see this package in testing? Given I've just
> > > fixed a few things related to https support in d-i, it would be nice if
> > > I were able to perform a full test with https here, making sure we don't
> > > hit a regression there. If a reply this Sunday is sufficient, I can do
> > > that.
> 
> We have this right now:
> 
> wget-udeb  | 1.18-4| testing  → built against 1.0.2
> wget-udeb  | 1.19.1-1  | unstable → built against 1.1
> 
> If we're not getting a newer wget for stretch (at least I didn't find
> anything wget-related relevant for stretch in my debian-release folder),
> I can't think of another libssl user for d-i, which seems confirmed by
> looking at libssl*-udeb rdepends in sid.
> 
> Unless I'm missing something obvious: no objections.

Can someone please also change the age to 2 days?


Kurt



Re: Bug#855432: unblock: openssl/1.1.0e-1

2017-02-18 Thread Cyril Brulebois
Kurt Roeckx  (2017-02-18):
> On Sat, Feb 18, 2017 at 06:16:28PM +0100, Cyril Brulebois wrote:
> > How soon do you want to see this package in testing? Given I've just
> > fixed a few things related to https support in d-i, it would be nice if
> > I were able to perform a full test with https here, making sure we don't
> > hit a regression there. If a reply this Sunday is sufficient, I can do
> > that.

We have this right now:

wget-udeb  | 1.18-4| testing  → built against 1.0.2
wget-udeb  | 1.19.1-1  | unstable → built against 1.1

If we're not getting a newer wget for stretch (at least I didn't find
anything wget-related relevant for stretch in my debian-release folder),
I can't think of another libssl user for d-i, which seems confirmed by
looking at libssl*-udeb rdepends in sid.

Unless I'm missing something obvious: no objections.


KiBi.




Bug#855432: unblock: openssl/1.1.0e-1

2017-02-17 Thread Kurt Roeckx
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

There was a new upstream release fixing a high severity security
issue.

The changelog entry is:
openssl (1.1.0e-1) unstable; urgency=high

  * New upstream version
- Fixes CVE-2017-3733
- Remove patches that are applied upstream.

 -- Kurt Roeckx   Thu, 16 Feb 2017 18:57:58 +0100

I've attached the full debdiff between the version in testing and
unstable.


Kurt

diff -Nru openssl-1.1.0d/apps/openssl.c openssl-1.1.0e/apps/openssl.c
--- openssl-1.1.0d/apps/openssl.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/openssl.c	2017-02-16 12:58:20.0 +0100
@@ -58,7 +58,6 @@
 static void list_disabled(void);
 char *default_config_file = NULL;
 
-static CONF *config = NULL;
 BIO *bio_in = NULL;
 BIO *bio_out = NULL;
 BIO *bio_err = NULL;
@@ -248,8 +247,6 @@
  end:
 OPENSSL_free(copied_argv);
 OPENSSL_free(default_config_file);
-NCONF_free(config);
-config = NULL;
 lh_FUNCTION_free(prog);
 OPENSSL_free(arg.argv);
 
diff -Nru openssl-1.1.0d/apps/req.c openssl-1.1.0e/apps/req.c
--- openssl-1.1.0d/apps/req.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/req.c	2017-02-16 12:58:20.0 +0100
@@ -121,7 +121,7 @@
 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
  "Enable support for multivalued RDNs"},
 {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
-{"set_serial", OPT_SET_SERIAL, 'p', "Serial number to use"},
+{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
 {"extensions", OPT_EXTENSIONS, 's',
  "Cert extension section (override value in config file)"},
 {"reqexts", OPT_REQEXTS, 's',
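Review bot: switching `set_serial` from type 'p' to 's' means the option table no longer constrains the argument the way it still does for `days`, so any check that the value is a well-formed serial has to live in the `OPT_SET_SERIAL` handler, which this hunk does not show. Worth confirming that the handler rejects malformed input with a clear error, and adding a short comment here on why the type is a string.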
diff -Nru openssl-1.1.0d/apps/s_cb.c openssl-1.1.0e/apps/s_cb.c
--- openssl-1.1.0d/apps/s_cb.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/s_cb.c	2017-02-16 12:58:20.0 +0100
@@ -922,6 +922,7 @@
 BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog());
 goto err;
 }
+*pexc = exc;
 exc->certfile = opt_arg();
 break;
 case OPT_X_KEY:
diff -Nru openssl-1.1.0d/apps/ts.c openssl-1.1.0e/apps/ts.c
--- openssl-1.1.0d/apps/ts.c	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/apps/ts.c	2017-02-16 12:58:20.0 +0100
@@ -890,9 +890,15 @@
 goto err;
 f = TS_VFY_VERSION | TS_VFY_SIGNER;
 if (data != NULL) {
+BIO *out = NULL;
+
 f |= TS_VFY_DATA;
-if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL)
+if ((out = BIO_new_file(data, "rb")) == NULL)
 goto err;
+if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
+BIO_free_all(out);
+goto err;
+}
 } else if (digest != NULL) {
 long imprint_len;
 unsigned char *hexstr = OPENSSL_hexstr2buf(digest, _len);
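Review bot: the new local is named `out`, but it is opened with `BIO_new_file(data, "rb")` and passed to `TS_VERIFY_CTX_set_data`, so it is an input; a name such as `in` or `data_bio` would read better. On the success path nothing in the hunk frees it, so a comment stating that `ctx` owns the BIO from that point on would help whoever next touches the `err` cleanup.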
diff -Nru openssl-1.1.0d/CHANGES openssl-1.1.0e/CHANGES
--- openssl-1.1.0d/CHANGES	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/CHANGES	2017-02-16 12:58:20.0 +0100
@@ -2,6 +2,19 @@
  OpenSSL CHANGES
  ___
 
+ Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
+
+  *) Encrypt-Then-Mac renegotiation crash
+
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
+ and servers are affected.
+
+ This issue was reported to OpenSSL by Joe Orton (Red Hat).
+ (CVE-2017-3733)
+ [Matt Caswell]
+
  Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
 
   *) Truncated packet could crash via OOB read
diff -Nru openssl-1.1.0d/Configurations/unix-Makefile.tmpl openssl-1.1.0e/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0d/Configurations/unix-Makefile.tmpl	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl	2017-02-16 12:58:20.0 +0100
@@ -285,6 +285,7 @@
 	-$(RM) `find . -name '*{- $objext -}' -a \! -path "./.git/*"`
 	$(RM) core
 	$(RM) tags TAGS
+	$(RM) test/.rnd
 	$(RM) openssl.pc libcrypto.pc libssl.pc
 	-$(RM) `find . -type l -a \! -path "./.git/*"`
 	$(RM) $(TARFILE)
diff -Nru openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl
--- openssl-1.1.0d/crypto/aes/asm/aesv8-armx.pl	2017-01-26 14:10:21.0 +0100
+++ openssl-1.1.0e/crypto/aes/asm/aesv8-armx.pl	2017-02-16 12:58:20.0 +0100
@@ -59,9 +59,12 @@
 .text
 ___
 $code.=".arch	armv8-a+crypto\n"			if ($flavour =~ /64/);
-$code.=".arch	armv7-a\n.fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
-		#^^ this is done to simplify adoption by not depending
-		#	on latest binutils.
+$code.=<<___		if ($flavour !~ /64/);
+.arch	armv7-a	// don't confuse not-so-latest binutils with argv8 :-)
+.fpu	neon
+.code	32
+#undef	__thumb2__
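Review bot: the comment on the new `.arch armv7-a` line says "argv8", which looks like a typo for "armv8". That comment also uses `//` inside the emitted assembly where the removed Perl comment used `#`; since the same block adds `#undef __thumb2__`, it is worth confirming that every consumer of this output runs it through the C preprocessor.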

Re: Bug#854155: unblock: openssl/1.1.0d-2

2017-02-13 Thread Emilio Pozuelo Monfort
On 13/02/17 21:37, Sebastian Andrzej Siewior wrote:
> On 2017-02-13 18:01:34 [+0100], Emilio Pozuelo Monfort wrote:
>> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
>>> Package: release.debian.org
>>> User: release.debian@packages.debian.org
>>> Usertags: unblock
>>> Severity: normal
>>>
>>> Please unblock package openssl. It contains a redo of the rules file
>>> among other packaging related changes which did not migrate in time due
>>> to the new release of the d version which fixes 3 CVE bugs. The d-2
>>> version fixes a regression discovered by perl and FTBFS of openssl
>>> itself if arch-any and arch-all were built in one go.
>>>
>>> unblock openssl/1.1.0d-2
>>
>> That includes some changes we don't like during the freeze, but given those
>> were done before the freeze and I wouldn't want them reverted this early in
>> the freeze, I would be happy to unblock this... but can you attach a binary
>> debdiff (e.g. debdiff an old and new .changes file) to make sure things are
>> still looking good?
> 
> sure. I've built c-2 and d-2 with _all and amd64 in today's sid to get the
> changes files and this is the resulting debdiff:
> 
> [The following lists of changes regard files as different if they have
> different names, permissions or owners.]
> 
> Files in second .changes but not in first
> -
> -rw-r--r--  root/root   
> /usr/lib/debug/.build-id/2b/578462762f19aca2fce5f18f02136a0e040ffa.debug
> -rw-r--r--  root/root   
> /usr/lib/debug/.build-id/54/06ecde81b1cb2ef22ddd54e5dfe2e17a6484ce.debug
> -rw-r--r--  root/root   
> /usr/lib/debug/.build-id/83/ab63854f485098aabd85de0468f307bc3223e9.debug
> -rw-r--r--  root/root   
> /usr/lib/debug/.build-id/8a/753d613f23da52c564ce14f8dc406baaf34a8f.debug
> -rw-r--r--  root/root   
> /usr/lib/debug/.build-id/cd/a94b3e615e2dd7c14de4c2d600e020c765a6d3.debug
> -rw-r--r--  root/root   /usr/share/doc/openssl/NEWS.Debian.gz
> -rw-r--r--  root/root   /usr/share/lintian/overrides/openssl
> -rw-r--r--  root/root   /usr/share/man/man3/X509_digest.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/doc/libssl1.1-dbgsym -> libssl1.1
> lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_callback_fn.3ssl.gz -> 
> BIO_set_callback.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_callback_fn_ex.3ssl.gz -> 
> BIO_set_callback.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_get_callback_ex.3ssl.gz -> 
> BIO_set_callback.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_set_callback_ex.3ssl.gz -> 
> BIO_set_callback.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/CRYPTO_secure_used.3ssl.gz -> 
> OPENSSL_secure_malloc.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/DH_check_params.3ssl.gz -> 
> DH_generate_parameters.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/ERR_FATAL_ERROR.3ssl.gz -> 
> ERR_GET_LIB.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_PKEY_gen_cb.3ssl.gz -> 
> EVP_PKEY_keygen.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_blake2b512.3ssl.gz -> 
> EVP_DigestInit.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_blake2s256.3ssl.gz -> 
> EVP_DigestInit.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_chacha20.3ssl.gz -> 
> EVP_EncryptInit.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_chacha20_poly1305.3ssl.gz -> 
> EVP_EncryptInit.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/GEN_SESSION_CB.3ssl.gz -> 
> SSL_CTX_set_generate_session_id.3ssl.gz
> lrwxrwxrwx  root/root   
> /usr/share/man/man3/PKCS7_ISSUER_AND_SERIAL_digest.3ssl.gz -> 
> X509_digest.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get0_name.3ssl.gz -> 
> SSL_COMP_add_compression_method.3ssl.gz
> lrwxrwxrwx  root/root   
> /usr/share/man/man3/SSL_COMP_get_compression_methods.3ssl.gz -> 
> SSL_COMP_add_compression_method.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get_id.3ssl.gz -> 
> SSL_COMP_add_compression_method.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_verify_cb.3ssl.gz -> 
> SSL_CTX_set_verify.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/X509_CRL_digest.3ssl.gz -> 
> X509_digest.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/X509_NAME_digest.3ssl.gz -> 
> X509_digest.3ssl.gz
> lrwxrwxrwx  root/root   /usr/share/man/man3/X509_REQ_digest.3ssl.gz -> 
> X509_digest.3ssl.gz
> lrwxrwxrwx  root/root   
> /usr/share/man/man3/X509_STORE_CTX_cert_crl_fn.3ssl.gz -> 
> X509_STORE_set_verify_cb_func.3ssl.gz
> lrwxrwxrwx  root/root   
> /usr/

Re: Bug#854155: unblock: openssl/1.1.0d-2

2017-02-13 Thread Sebastian Andrzej Siewior
On 2017-02-13 18:01:34 [+0100], Emilio Pozuelo Monfort wrote:
> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> > 
> > Please unblock package openssl. It contains a redo of the rules file
> > among other packaging related changes which did not migrate in time due
> > to the new release of the d version which fixes 3 CVE bugs. The d-2
> > version fixes a regression discovered by perl and FTBFS of openssl
> > itself if arch-any and arch-all were built in one go.
> > 
> > unblock openssl/1.1.0d-2
> 
> That includes some changes we don't like during the freeze, but given those
> were done before the freeze and I wouldn't want them reverted this early in
> the freeze, I would be happy to unblock this... but can you attach a binary
> debdiff (e.g. debdiff an old and new .changes file) to make sure things are
> still looking good?

sure. I've built c-2 and d-2 with _all and amd64 in today's sid to get the
changes files and this is the resulting debdiff:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/2b/578462762f19aca2fce5f18f02136a0e040ffa.debug
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/54/06ecde81b1cb2ef22ddd54e5dfe2e17a6484ce.debug
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/83/ab63854f485098aabd85de0468f307bc3223e9.debug
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/8a/753d613f23da52c564ce14f8dc406baaf34a8f.debug
-rw-r--r--  root/root   
/usr/lib/debug/.build-id/cd/a94b3e615e2dd7c14de4c2d600e020c765a6d3.debug
-rw-r--r--  root/root   /usr/share/doc/openssl/NEWS.Debian.gz
-rw-r--r--  root/root   /usr/share/lintian/overrides/openssl
-rw-r--r--  root/root   /usr/share/man/man3/X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/doc/libssl1.1-dbgsym -> libssl1.1
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_callback_fn.3ssl.gz -> 
BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_callback_fn_ex.3ssl.gz -> 
BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_get_callback_ex.3ssl.gz -> 
BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/BIO_set_callback_ex.3ssl.gz -> 
BIO_set_callback.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/CRYPTO_secure_used.3ssl.gz -> 
OPENSSL_secure_malloc.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/DH_check_params.3ssl.gz -> 
DH_generate_parameters.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/ERR_FATAL_ERROR.3ssl.gz -> 
ERR_GET_LIB.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_PKEY_gen_cb.3ssl.gz -> 
EVP_PKEY_keygen.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_blake2b512.3ssl.gz -> 
EVP_DigestInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_blake2s256.3ssl.gz -> 
EVP_DigestInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_chacha20.3ssl.gz -> 
EVP_EncryptInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/EVP_chacha20_poly1305.3ssl.gz -> 
EVP_EncryptInit.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/GEN_SESSION_CB.3ssl.gz -> 
SSL_CTX_set_generate_session_id.3ssl.gz
lrwxrwxrwx  root/root   
/usr/share/man/man3/PKCS7_ISSUER_AND_SERIAL_digest.3ssl.gz -> 
X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get0_name.3ssl.gz -> 
SSL_COMP_add_compression_method.3ssl.gz
lrwxrwxrwx  root/root   
/usr/share/man/man3/SSL_COMP_get_compression_methods.3ssl.gz -> 
SSL_COMP_add_compression_method.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_COMP_get_id.3ssl.gz -> 
SSL_COMP_add_compression_method.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/SSL_verify_cb.3ssl.gz -> 
SSL_CTX_set_verify.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_CRL_digest.3ssl.gz -> 
X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_NAME_digest.3ssl.gz -> 
X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_REQ_digest.3ssl.gz -> 
X509_digest.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_cert_crl_fn.3ssl.gz 
-> X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   /usr/share/man/man3/X509_STORE_CTX_check_crl_fn.3ssl.gz 
-> X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   
/usr/share/man/man3/X509_STORE_CTX_check_issued_fn.3ssl.gz -> 
X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   
/usr/share/man/man3/X509_STORE_CTX_check_policy_fn.3ssl.gz -> 
X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/root   
/usr/share/man/man3/X509_STORE_CTX_check_revocation_fn.3ssl.gz -> 
X509_STORE_set_verify_cb_func.3ssl.gz
lrwxrwxrwx  root/

Re: Bug#854155: unblock: openssl/1.1.0d-2

2017-02-13 Thread Cyril Brulebois
Hi,

Emilio Pozuelo Monfort <po...@debian.org> (2017-02-13):
> On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> > Please unblock package openssl. It contains a redo of the rules file
> > among other packaging related changes which did not migrate in time
> > due to the new release of the d version which fixes 3 CVE bugs. The
> > d-2 version fixes a regression discovered by perl and FTBFS of
> > openssl itself if arch-any and arch-all were built in one go.
> > 
> > unblock openssl/1.1.0d-2
> 
> That includes some changes we don't like during the freeze, but given
> those were done before the freeze and I wouldn't want them reverted
> this early in the freeze, I would be happy to unblock this... but can
> you attach a binary debdiff (e.g. debdiff an old and new .changes
> file) to make sure things are still looking good?

I'm also interested in seeing a binary debdiff to make sure things are
still in place in the udeb (since that's something the maintainer would
usually be less aware of or not able to easily test)…

> Also please make minimal changes from now on (e.g. for 1.1.0e).
> 
> Cyril, does this look fine from a d-i perspective at this stage?

No specific objections (even if I prefer shorter diffs too).


KiBi.




Re: Bug#854155: unblock: openssl/1.1.0d-2

2017-02-13 Thread Emilio Pozuelo Monfort
On 04/02/17 15:20, Sebastian Andrzej Siewior wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Please unblock package openssl. It contains a redo of the rules file
> among other packaging related changes which did not migrate in time due
> to the new release of the d version which fixes 3 CVE bugs. The d-2
> version fixes a regression discovered by perl and FTBFS of openssl
> itself if arch-any and arch-all were built in one go.
> 
> unblock openssl/1.1.0d-2

That includes some changes we don't like during the freeze, but given those were
done before the freeze and I wouldn't want them reverted this early in the
freeze, I would be happy to unblock this... but can you attach a binary debdiff
(e.g. debdiff an old and new .changes file) to make sure things are still
looking good?

Also please make minimal changes from now on (e.g. for 1.1.0e).

Cyril, does this look fine from a d-i perspective at this stage?

Cheers,
Emilio



Bug#780902: unblock: openssl/1.0.1k-2

2015-03-21 Thread Kurt Roeckx
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

1.0.1k-2 contains security fixes.  Could you please unblock it?


Kurt


-- 
To UNSUBSCRIBE, email to debian-boot-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150321094038.ga19...@roeckx.be



Re: Bug#775025: unblock: openssl/1.0.1k-1

2015-01-25 Thread Niels Thykier
On 2015-01-25 22:16, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Kurt Roeckx k...@roeckx.be (2015-01-20):
>> Can you ACK that, or is there someone else in the d-i team that
>> can do that?
> 
> Not at the time this unblock was requested or pinged, but right now:
> yes.
> 
> Mraw,
> KiBi.
> 

Added -udeb unblock as well, thanks.

~Niels






Re: Bug#775025: unblock: openssl/1.0.1k-1

2015-01-25 Thread Cyril Brulebois
Control: tag -1 confirmed

Kurt Roeckx k...@roeckx.be (2015-01-20):
> Can you ACK that, or is there someone else in the d-i team that
> can do that?

Not at the time this unblock was requested or pinged, but right now:
yes.

Mraw,
KiBi.




Re: Bug#775025: unblock: openssl/1.0.1k-1

2015-01-20 Thread Kurt Roeckx
Hi,

Can you ACK that, or is there someone else in the d-i team that
can do that?


Kurt

On Wed, Jan 14, 2015 at 05:52:58PM +0100, Niels Thykier wrote:
> Control: tags -1 d-i
> 
> On 2015-01-10 12:01, Kurt Roeckx wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>> 
>> Hi,
>> 
>> I've uploaded a new upstream version of openssl to unstable.  This
>> contains fixes for 7 security issues affecting jessie.  It also
>> contains a lot of other bug fixes.
>> 
>> Can you please unblock it?
>> 
>> 
>> Kurt
>> 
>> 
> 
> No problems from my PoV.  CC'ing KiBi for d-i ACK.
> 
> ~Niels
> 
> 



Re: Unblock openssl

2009-04-07 Thread Luk Claes
Kurt Roeckx wrote:
> Hi,
> 
> Can openssl 0.9.8g-16 be hinted to testing?
> 
> It fixes a security issue.
> 
> It has a udeb.

unblocked

Cheers

Luk





Unblock openssl

2009-04-06 Thread Kurt Roeckx
Hi,

Can openssl 0.9.8g-16 be hinted to testing?

It fixes a security issue.

It has a udeb.


Kurt

