Re: Upcoming OpenSSL release
On 2023-05-28 07:44:13 [+0200], Paul Gevers wrote:
> Hi,

Hi,

> Given the impact of openssl, let's have that exception. Quiet period starts
> on 2023-06-04, we need to ensure it migrated *before* then.

Okay. I'm going to upload to unstable and open an unblock bug. Thank you
for the confirmation.

> Paul

Sebastian

Re: Upcoming OpenSSL release
Hi,

On 28-05-2023 07:21, Salvatore Bonaccorso wrote:
On Sat, May 27, 2023 at 02:17:54PM +0200, Sebastian Andrzej Siewior wrote:
> For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
> open an unblock bug for Bookworm. Looking at the history it contains 169
> commits and only fixes which don't qualify as security issues.
>
> After talking to carnil I now know that 3.0.9 does have security fixes
> (I wasn't reading that).
>
> The Bookworm release is scheduled for the 10th and the announce mail
> claims that the unblock should happen on the 28th (tomorrow) at the
> latest. This will be hard to achieve given that my time machine is
> currently out of operation. This probably means that I need to upload
> to Bookworm-security unless there are exceptions.

Given the impact of openssl, let's have that exception. Quiet period starts
on 2023-06-04, we need to ensure it migrated *before* then.

Paul

Re: Upcoming OpenSSL release
Hi Sebastian

On Sat, May 27, 2023 at 02:17:54PM +0200, Sebastian Andrzej Siewior wrote:
> Hi,
>
> there is an upcoming OpenSSL scheduled for next TUE (2023-05-30)
> including one security fix of moderate severity [0].
> For Bullseye I am going to backport ~6 fixes (4 security fixes of minor
> severity which were not yet addressed, the upcoming fix and an
> alternative fix for CVE-2022-4304).
> _Later_ (once time permits) I would open a pu for Bullseye to include
> the final release (1.1.1u) since it only contains fixes.

This sounds good, thanks and hope this time we can do the rebase to
1.1.1u in bullseye-pu accordingly. I suggest to make sure this is early
on the radar of the stable release managers for review but feel free to
ping.

> For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
> open an unblock bug for Bookworm. Looking at the history it contains 169
> commits and only fixes which don't qualify as security issues. (Same for
> the 1.1.1 series but I would prefer to do some testing first and push it
> slowly via pu since it is much further behind (not that I expect
> anything to happen)).
> The Bookworm release is scheduled for the 10th and the announce mail
> claims that the unblock should happen on the 28th (tomorrow) at the
> latest. This will be hard to achieve given that my time machine is
> currently out of operation. This probably means that I need to upload
> to Bookworm-security unless there are exceptions.

If Paul Gevers agrees then I think this is a good plan. If it is too
risky for the release managers at this point and rather not wanting
to do it, we have already bookworm-security infrastructure setup. In
the latter case we can have the upload done, have some exposure there, and
upload a 3.0.9~deb12u1 released through bookworm-security (if done
before bookworm release just without DSA advisory).

> Are there other preferences/ suggestions from the release or security
> team?

Release managers (Paul, Sebastian, Graham), I know you are right now
busy with the last bits, if you find time to comment that would be great.
Would you be fine to process an unblock request for the security
update for openssl rebasing to 3.0.9?

Regards,
Salvatore

Upcoming OpenSSL release
Hi,

there is an upcoming OpenSSL scheduled for next TUE (2023-05-30)
including one security fix of moderate severity [0].
For Bullseye I am going to backport ~6 fixes (4 security fixes of minor
severity which were not yet addressed, the upcoming fix and an
alternative fix for CVE-2022-4304).
_Later_ (once time permits) I would open a pu for Bullseye to include
the final release (1.1.1u) since it only contains fixes.

For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
open an unblock bug for Bookworm. Looking at the history it contains 169
commits and only fixes which don't qualify as security issues. (Same for
the 1.1.1 series but I would prefer to do some testing first and push it
slowly via pu since it is much further behind (not that I expect
anything to happen)).
The Bookworm release is scheduled for the 10th and the announce mail
claims that the unblock should happen on the 28th (tomorrow) at the
latest. This will be hard to achieve given that my time machine is
currently out of operation. This probably means that I need to upload
to Bookworm-security unless there are exceptions.

Are there other preferences/suggestions from the release or security
team?

[0] https://mta.openssl.org/pipermail/openssl-announce/2023-May/000258.html

Sebastian