Bug#802159: Bug#765639: Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-28 Thread peter green
The dhparam thing is really about a default: if you generate DH parameters, it defaults to 2048 instead of 1024. This shouldn't break anything itself, nor do I know of any other software that would get broken by this. Apparently Java 6 and 7 will fail to handshake if a server tries to

Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-26 Thread Kurt Roeckx
On Tue, Jan 26, 2016 at 06:38:31AM +, Adam D. Barratt wrote: > On Thu, 2015-12-17 at 23:38 +, Adam D. Barratt wrote: > > However 1.0.1q hasn't been in stable at all, which is presumably what > > you'd be proposing introducing to oldstable at this juncture. (and which > > we'd therefore

Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-25 Thread Adam D. Barratt
On Thu, 2015-12-17 at 23:38 +, Adam D. Barratt wrote: > However 1.0.1q hasn't been in stable at all, which is presumably what > you'd be proposing introducing to oldstable at this juncture. (and which > we'd therefore need to introduce to stable first, if we were to agree to > follow that

Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2016-01-09 Thread Kurt Roeckx
On Sun, Dec 06, 2015 at 11:46:01AM +0100, Moritz Mühlenhoff wrote: > Hi, > Personally I'm in favour of following the openssl point updates and I'd > like to add an additional data point to the discussion: > > CVE-2015-3196 was already fixed as a plain bugfix in an earlier point > release, but the

Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-17 Thread Adam D. Barratt
On Tue, 2015-12-15 at 21:19 +0100, Kurt Roeckx wrote: > On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote: > > [dropped explicit CCs to RT and TC members] > > > > On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote: > > > On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong

Bug#802159: Bug#765639: Bug#802159: New OpenSSL upstream version

2015-12-17 Thread Adam D. Barratt
On Sun, 2015-12-06 at 11:46 +0100, Moritz Mühlenhoff wrote: > Hi, > Personally I'm in favour of following the openssl point updates and I'd Noted, thanks for the input. > like to add an additional data point to the discussion: > > CVE-2015-3196 was already fixed as a plain bugfix in an earlier

Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote: > > Even a naively filtered diff - excluding documentation and tests - > between the 1.0.1k tag and HEAD on upstream's stable branch is much > larger than I'd imagined (1091 files changed, 73609+, 68591-), but > paging through it

Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote: > [dropped explicit CCs to RT and TC members] > > On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote: > > On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote: > > > So from what I'm gathering, this looks like a case

Bug#802159: New OpenSSL upstream version

2015-12-06 Thread Moritz Mühlenhoff
Hi, Personally I'm in favour of following the openssl point updates and I'd like to add an additional data point to the discussion: CVE-2015-3196 was already fixed as a plain bugfix in an earlier point release, but the security impact was only noticed later on, so following the point updates

Bug#802159: New OpenSSL upstream version

2015-11-24 Thread Adam D. Barratt
On Wed, 2015-10-21 at 15:02 -0500, Don Armstrong wrote: > It certainly doesn't seem reasonable to expect the SRMs to review line > by line, but maybe a summary of the changes would help them make a > decision? [...] > SRMs: what would be the best way for Kurt to move forward? Would a list > of the

Bug#802159: New OpenSSL upstream version

2015-11-08 Thread Kurt Roeckx
On Wed, Nov 04, 2015 at 11:57:00AM -0600, Don Armstrong wrote: > > In this specific case, the specific set of changes which have been made, > coupled with documenting the policy of upstream for testing and making > changes to openssl would be a good start. I've pointed to upstream's policy

Bug#802159: New OpenSSL upstream version

2015-11-04 Thread Don Armstrong
On Sat, 31 Oct 2015, Kurt Roeckx wrote: > On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > > On Tue, 20 Oct 2015, Don Armstrong wrote: > > > If there's something specific that you'd like the CTTE to try to do > > > beyond what I've just reported now, let me know. > > > > Let me

Bug#802159: New OpenSSL upstream version

2015-10-31 Thread Adam D. Barratt
On Sat, 2015-10-31 at 00:02 +0100, Kurt Roeckx wrote: > On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > > On Tue, 20 Oct 2015, Don Armstrong wrote: > > > If there's something specific that you'd like the CTTE to try to do > > > beyond what I've just reported now, let me know. > >

Bug#802159: New OpenSSL upstream version

2015-10-31 Thread Kurt Roeckx
On Sat, Oct 31, 2015 at 02:22:04PM +, Adam D. Barratt wrote: > On Sat, 2015-10-31 at 00:02 +0100, Kurt Roeckx wrote: > > On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > > > On Tue, 20 Oct 2015, Don Armstrong wrote: > > > > If there's something specific that you'd like the CTTE

Bug#802159: New OpenSSL upstream version

2015-10-30 Thread Kurt Roeckx
On Fri, Oct 30, 2015 at 02:38:13PM -0700, Don Armstrong wrote: > On Tue, 20 Oct 2015, Don Armstrong wrote: > > If there's something specific that you'd like the CTTE to try to do > > beyond what I've just reported now, let me know. > > Let me know if you'd like the CTTE to do something beyond

Bug#802159: New OpenSSL upstream version

2015-10-25 Thread Bdale Garbee
Kurt Roeckx writes: > The alternative is that I go and cherry pick the important bug > fixes. By this time there are really a lot that I would like to > have in the stable releases and I think going that way actually > has a higher chance of breaking things. We've run into this

Bug#802159: New OpenSSL upstream version

2015-10-21 Thread Don Armstrong
On Tue, 20 Oct 2015, Kurt Roeckx wrote: > So as already pointed out before, since the 1.0.0 release there is a > new release strategy that in the 1.0.x series, where x doesn't change, > no new features are added unless it's really needed for either > security reasons or compatibility reasons. As

Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Kurt Roeckx
On Tue, Oct 20, 2015 at 09:57:04AM -0500, Don Armstrong wrote: > On Sat, 17 Oct 2015, Kurt Roeckx wrote: > > I've been waiting for the release team for a while to make a decision > > on #765639 for a year now. Could you help in getting a decision? > > > > I've actually been waiting for longer

Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Don Armstrong
On Tue, 20 Oct 2015, Don Armstrong wrote: > On Sat, 17 Oct 2015, Kurt Roeckx wrote: > > I've been waiting for the release team for a while to make a decision > > on #765639 for a year now. Could you help in getting a decision? > > > > I've actually been waiting for longer than that, I can't

Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Kurt Roeckx
On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote: > On Tue, 20 Oct 2015, Don Armstrong wrote: > > On Sat, 17 Oct 2015, Kurt Roeckx wrote: > > > I've been waiting for the release team for a while to make a decision > > > on #765639 for a year now. Could you help in getting a decision?

Bug#802159: New OpenSSL upstream version

2015-10-20 Thread Don Armstrong
On Sat, 17 Oct 2015, Kurt Roeckx wrote: > I've been waiting for the release team for a while to make a decision > on #765639 for a year now. Could you help in getting a decision? > > I've actually been waiting for longer than that, I can't directly find > all links, but previous discussions about

Bug#802159: New OpenSSL upstream version

2015-10-17 Thread Kurt Roeckx
Package: tech-ctte Hi, I've been waiting for the release team for a while to make a decision on #765639 for a year now. Could you help in getting a decision? I've actually been waiting for longer than that, I can't directly find all links, but previous discussions about it are at least: