Source: ganeti Version: 2.15.2-7+deb9u2 Severity: important Tags: patch Following up on #907216, the patch to use SHA256 for certificate signing should be backported to Stretch to allow users to switch to SHA256 certificates before upgrading to Buster. Certificate renewal has to take place in a co-ordinated fashion across a ganeti cluster (using `gnt-cluster upgrade`) and cannot be done for each node separately in the package's maintainer scripts, which means that we cannot rely on APT's sequencing between ganeti and libssl1.1 to resolve the situation on dist-upgrade.
Backporting the patch will allow users to prepare their clusters before upgrading to Buster and avoid the breakage caused by the installation of OpenSSL 1.1.1.