XPost: linux.debian.devel.release
Package: release.debian.org
Control: affects -1 + src:mbedtls
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: unblock
Severity: normal
Please unblock package mbedtls
[ Reason ]
I have updated the package to the latest upstream LTS branch release to
fix several CVEs. Upstream takes great care of not breaking
compatibility between patch releases.
[ Impact ]
If the unblock isn't granted, trixie will ship with an already insecure version of the library, which is particularly important for a crypto/TLS package.
[ Tests ]
New upstream tests were added which test against the old security bugs, alongside the comprehensive pre-existing test suite.
[ Risks ]
MbedTLS is a key package. Still, I believe the risks are low as upstream
has always been careful with such releases. Autopkgtests exist too.
[ Checklist ]
[x] all changes are documented in the d/changelog (assuming "new
upstream release fixing CVEs a, b, and c" is enough)
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing
[ Other info ]
As I didn't realize the library was a key package, and the full freeze
isn't started yet, I have already pushed this to unstable. Oops.
The debdiff is huge, and I haven't included it here. This is because
upstream likes to also backport non-critical changes like test updates, documentation improvements, and similar.
During Debconf I have talked with Andrej Shadura, who has prepared
stable updates to the library in the past. He said that only backporting
commits which fix the issues while leaving out the cosmetic fixes is
borderline infeasible, as fixes are often split in several commits and
tracking them all down can be hard. While this makes diffs big, and it
sucks, I also believe that keeping only "the important stuff" is really
not worth the effort, and increases the risk of messing up by leaving
out parts of the patches backported into the LTS branch by upstream.
Bye!
unblock mbedtls/3.6.4-2