Bug#926412: unblock: gnutls28/3.6.7-2

2019-05-26 Thread Andreas Metzler
On 2019-05-20 Paul Gevers  wrote:
> On 19-05-2019 10:33, Andreas Metzler wrote:
>> I probably could try to pick the CVE related changes and other important
>> bug-fixes, however I do not think it is the right choice. The changes
>> will be smaller but the risk of breakage is higher.

> Can you explain why you believe that?

>> Also 3.6.7 has
>> been tested in sid for almost two months now.

> Ack.

Hello Paul,

well, apart from the two CVE fixes there are many bugfixes in this
release that we probably want, e.g.
https://gitlab.com/gnutls/gnutls/issues/690
https://gitlab.com/gnutls/gnutls/issues/689
https://gitlab.com/gnutls/gnutls/issues/713
https://gitlab.com/gnutls/gnutls/issues/698
etc.

Most of these are related to TLS 1.3. They might not show up as bug
reports now because TLS1.3 is not that common yet but will probably
cause issues later in buster's lifetime. And the more fixes there are, the
more error-prone complicated cherry-picking is going to be.

>>> You bumped the debhelper compat level. That isn't a change we find
>>> acceptable during the freeze.
>> 
>> I will immediately revert this if it helps.

> I don't have enough experience yet with reviewing unblocks to feel
> comfortable reviewing and unblocking the current package, so if you're
> insisting on the whole, somebody else will have to do the review. I am
> sure this revert will be a requirement though.

The revert has been in sid for a week now.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug#926412: unblock: gnutls28/3.6.7-2

2019-05-20 Thread Paul Gevers
Hi Andreas,

I am going to push back.

On 19-05-2019 10:33, Andreas Metzler wrote:
> I probably could try to pick the CVE related changes and other important
> bug-fixes, however I do not think it is the right choice. The changes
> will be smaller but the risk of breakage is higher.

Can you explain why you believe that?

> Also 3.6.7 has
> been tested in sid for almost two months now.

Ack.

>> You bumped the debhelper compat level. That isn't a change we find
>> acceptable during the freeze.
> 
> I will immediately revert this if it helps.

I don't have enough experience yet with reviewing unblocks to feel
comfortable reviewing and unblocking the current package, so if you're
insisting on the whole, somebody else will have to do the review. I am
sure this revert will be a requirement though.

Paul

Bug#926412: unblock: gnutls28/3.6.7-2

2019-05-19 Thread Andreas Metzler
On 2019-05-18 Paul Gevers  wrote:
[gnutls]
> Is it reasonably possible to split off the CVE changes and patch the
> version currently in testing? That would be much more comfortable for
> us. Either by reverting the new upstream version with e.g. an +really
> version number, or, but less preferred by us, via an upload to
> testing-proposed-updates.

Hello Paul,

I probably could try to pick the CVE related changes and other important
bug-fixes, however I do not think it is the right choice. The changes
will be smaller but the risk of breakage is higher. Also 3.6.7 has
been tested in sid for almost two months now.

> You bumped the debhelper compat level. That isn't a change we find
> acceptable during the freeze.

I will immediately revert this if it helps.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug#926412: unblock: gnutls28/3.6.7-2

2019-05-18 Thread Paul Gevers
Control: tags -1 moreinfo

Hi Andreas,

On Thu, 4 Apr 2019 19:41:44 +0200 Andreas Metzler  wrote:
> The straight debdiff is huge, because of a) usual release updates of
> autogenerated files and b) because it includes a global
> 's/http:/https:/'. Stripped down debdiff is attached.

Indeed, even the stripped down version is still huge. It probably
explains why you haven't seen a response so far.

Is it reasonably possible to split off the CVE changes and patch the
version currently in testing? That would be much more comfortable for
us. Either by reverting the new upstream version with e.g. an +really
version number, or, but less preferred by us, via an upload to
testing-proposed-updates.

You bumped the debhelper compat level. That isn't a change we find
acceptable during the freeze.

Paul


Bug#926412: unblock: gnutls28/3.6.7-2

2019-05-17 Thread Andreas Metzler
On 2019-04-04 Andreas Metzler  wrote:
[...]
> This is an upstream bugfix release featuring two security fixes:

> + Fixes a memory corruption (double free) vulnerability in the
>   certificate verification API.
>   https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
>   GNUTLS-SA-2019-03-27
> + Fixes an invalid pointer access via malformed TLS1.3 async messages;
>   https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
>   GNUTLS-SA-2019-03-27
[...]

Ping?



Bug#926412: unblock: gnutls28/3.6.7-2

2019-04-04 Thread Andreas Metzler
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gnutls28.

This is an upstream bugfix release featuring two security fixes:

+ Fixes a memory corruption (double free) vulnerability in the
  certificate verification API.
  https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
  GNUTLS-SA-2019-03-27
+ Fixes an invalid pointer access via malformed TLS1.3 async messages;
  https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
  GNUTLS-SA-2019-03-27

One of these is fixed by a hardening measure (gnutls_free() will
automatically set the free'd pointer to NULL.) It also unbreaks
vlc (#922879) and has some TLS1.3 related changes.

The straight debdiff is huge, because of a) usual release updates of
autogenerated files and b) because it includes a global
's/http:/https:/'. Stripped down debdiff is attached.

unblock gnutls28/3.6.7-2

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


smaller.debdiff.diff.xz
Description: application/xz
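The hardening mentioned in the request (gnutls_free() clearing the freed pointer) as a stand-alone C illustration; this is an added example, not gnutls code, and `tracked_free`, `plain_free`, `nulling_free` and `release_twice` are hypothetical names standing in for the library's own routines.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Tiny tracker standing in for a sanitizer: remembers the address of the
 * last freed block and counts attempts to release it a second time, so the
 * double-free pattern can be observed without actually corrupting the heap. */
static uintptr_t g_last_freed = 0;
static int g_double_free_count = 0;

static void tracked_free(void *p) {
    uintptr_t addr = (uintptr_t)p;
    if (p == NULL) return;             /* free(NULL) is a defined no-op */
    if (addr == g_last_freed) {        /* second release of the same block */
        g_double_free_count++;
        return;                        /* do not really free twice */
    }
    g_last_freed = addr;
    free(p);
}

/* Unhardened release: the variable keeps its dangling value afterwards. */
#define plain_free(p) tracked_free(p)

/* Hardened release, modelled on the gnutls_free() change: clear the lvalue
 * after freeing so a repeated release of the same variable sees NULL.
 * Caveat: only this variable is cleared; other copies of the pointer are not. */
#define nulling_free(p) do { tracked_free(p); (p) = NULL; } while (0)

/* Cleanup reached twice for the same buffer, e.g. once from an error path
 * and again from the normal exit path. Returns the number of double frees
 * the tracker observed: 1 without hardening, 0 with it. */
static int release_twice(int hardened) {
    char *buf = malloc(32);            /* constructed sample allocation */
    if (buf == NULL) return -1;
    memcpy(buf, "constructed", 12);
    g_last_freed = 0;
    g_double_free_count = 0;
    if (hardened) { nulling_free(buf); nulling_free(buf); }
    else          { plain_free(buf);   plain_free(buf);   }
    return g_double_free_count;
}
```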