Bug#926412: unblock: gnutls28/3.6.7-2
On 2019-05-20 Paul Gevers wrote: > On 19-05-2019 10:33, Andreas Metzler wrote: >> I probably could try to pick the CVE related changes and other important >> bug-fixes, however I do not think it is the right choice. The changes >> will be smaller but the risk of breakage is higher. > Can you explain why do you believe that? >> Also 3.6.7 now has >> been tested in sid for almost two months now. > Ack. Hello Paul, well, apart from the two CVE fixes there are many bugfixes in this release that we probably want, e.g. https://gitlab.com/gnutls/gnutls/issues/690 https://gitlab.com/gnutls/gnutls/issues/689 https://gitlab.com/gnutls/gnutls/issues/713 https://gitlab.com/gnutls/gnutls/issues/698 etc. Most of these are related to TLS 1.3. - They might not show up as bug reports now because it TLS1.3 is not that common yet but will propably cause issues later in buster's lifetime. And the more fixes there the more error-prone complicated cherry-picking s going to be. >>> You bumped the debhelper compat level. That isn't a change we find >>> acceptable during the freeze. >> >> I will immediately revert this if it helps. > I don't have enough experience yet with reviewing unblocks, that I feel > comfortable reviewing and unblocking the current package, so if your > insisting on the whole, somebody else will have to do the review. I am > sure this revert will be a requirement though. The revert has been in sid for a week now. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Bug#926412: unblock: gnutls28/3.6.7-2
Hi Andreas, I am going to push back. On 19-05-2019 10:33, Andreas Metzler wrote: > I probably could try to pick the CVE related changes and other important > bug-fixes, however I do not think it is the right choice. The changes > will be smaller but the risk of breakage is higher. Can you explain why do you believe that? > Also 3.6.7 now has > been tested in sid for almost two months now. Ack. >> You bumped the debhelper compat level. That isn't a change we find >> acceptable during the freeze. > > I will immediately revert this if it helps. I don't have enough experience yet with reviewing unblocks, that I feel comfortable reviewing and unblocking the current package, so if your insisting on the whole, somebody else will have to do the review. I am sure this revert will be a requirement though. Paul signature.asc Description: OpenPGP digital signature
Bug#926412: unblock: gnutls28/3.6.7-2
On 2019-05-18 Paul Gevers wrote: [gnutls] > Is it reasonably possible to split of the CVE changes and patch the > version currently in testing? That would be much more comfortable for > us. Either by reverting the new upstream version with e.g. an +really > version number, or, but less preferred by us, via an upload to > testing-proposed-updates. Hello Paul, I probably could try to pick the CVE related changes and other important bug-fixes, however I do not think it is the right choice. The changes will be smaller but the risk of breakage is higher. Also 3.6.7 now has been tested in sid for almost two months now. > You bumped the debhelper compat level. That isn't a change we find > acceptable during the freeze. I will immediately revert this if it helps. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Bug#926412: unblock: gnutls28/3.6.7-2
Control: tags -1 moreinfo Hi Andreas, On Thu, 4 Apr 2019 19:41:44 +0200 Andreas Metzler wrote: > The straight debdiff is huge, because of a) usual release updates of > autogenerated files and b) because it includes a global > 's/http:/https:/'. Stripped down debdiff is attached. Indeed, even the stripped down version is still huge. It probably explains why you haven't seen a response so far. Is it reasonably possible to split of the CVE changes and patch the version currently in testing? That would be much more comfortable for us. Either by reverting the new upstream version with e.g. an +really version number, or, but less preferred by us, via an upload to testing-proposed-updates. You bumped the debhelper compat level. That isn't a change we find acceptable during the freeze. Paul signature.asc Description: OpenPGP digital signature
Bug#926412: unblock: gnutls28/3.6.7-2
On 2019-04-04 Andreas Metzler wrote: [...] > This is a upstream bugfix release featuring two security fixes > + Fixes a memory corruption (double free) vulnerability in the > certificate verification API. > https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829 > GNUTLS-SA-2019-03-27 > + Fixes an invalid pointer access via malformed TLS1.3 async messages; > https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836 > GNUTLS-SA-2019-03-27 [...] Ping?
Bug#926412: unblock: gnutls28/3.6.7-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package gnutls28. This is a upstream bugfix release featuring two security fixes + Fixes a memory corruption (double free) vulnerability in the certificate verification API. https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829 GNUTLS-SA-2019-03-27 + Fixes an invalid pointer access via malformed TLS1.3 async messages; https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836 GNUTLS-SA-2019-03-27 One of these is fixed by a hardening measure (gnutls_free() will automatically set the free'd pointer to NULL.) It also unbreaks vlc (#922879) and has some TLS1.3 related changes. The straight debdiff is huge, because of a) usual release updates of autogenerated files and b) because it includes a global 's/http:/https:/'. Stripped down debdiff is attached. unblock gnutls28/3.6.7-2 cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' smaller.debdiff.diff.xz Description: application/xz signature.asc Description: PGP signature