On Sat, 2020-05-02 at 18:36 +0200, Sebastian Andrzej Siewior wrote:
> I'm fairly late, I know.

Just a little. :-( Particularly as OpenSSL builds udebs. CCing KiBi and -boot so they're aware of the discussion, but this does come quite late.

> The last update was addressed via DSA providing only a patch for the
> CVE with severity high. This pu updates Buster's OpenSSL version from
> `d' to current `g' fixing CVE-2019-1551 which was earlier skipped due
> to its low severity.
> The "EOF" bug-fix-regression introduced in `e' is reverted again in
> `g'.
> OpenSSL now checks certificates more strictly. There should be no
> problems with "officially" issued certificates but some certificates
> contain an invalid (combination of) attributes which are now. The `g'
> version is since 25th April in testing and received no bug reports
> but OpenSSL upstream received [0], [1] for custom issued OpenVPN
> certificates.
> Please find attached a compressed debdiff since last security update.
>
> [0] https://github.com/openssl/openssl/issues/11456
> [1] https://github.com/openssl/openssl/issues/11625

Do we have any feeling for how widespread such certificates might be? The fact that there have been two different upstream reports isn't particularly comforting.

Regards,

Adam