Hi,
On Fri, Feb 05, 2016 at 08:44:37PM +0000, James Cowgill wrote:
> Hi!
>
> On Fri, 2016-02-05 at 14:24 +0100, Guido Günther wrote:
> > Hi,
> > On Mon, Feb 01, 2016 at 09:51:54AM +0100, Sébastien Delafond wrote:
> > > On Jan/31, Guido Günther wrote:
> > > > Uploaded now. Thanks!
> > >
> > > Hi Guido,
> > >
> > > have you looked into fixing the jessie version (1.3.9-2.1) as well? If
> > > not, I'll need to look into it later this week, so that a DSA for
> > > CVE-2015-5291 fixes both wheezy and jessie.
> >
> > Debdiff attached. It's far more intrusive since we also have to deal
> > with CVE-2015-8036.
> >
> > James, you already discussed the best way forward at
> >
> > > > https://tls.mbed.org/discussions/bug-report-issues/question-about-cve-2015-5291
> >
> > with upstream, so I'm very interested in your opinion on this as well.
>
> Upstream would obviously like Debian to use the point releases of
> polarssl, but they broke the ABI in the 1.3 series since 1.3.9 so we
> can't use them directly. I had a go at reverting the ABI breaking
> changes and I posted my attempt earlier to this bug report, but the
> changes I had to make were very intrusive and they'll probably have to
> be fixed up again every time there is a new release.

From what I read and figured from the Git commits, I wonder if we should
open CVEs for the other fixes in 1.3.14 too?

> I'm beginning to feel like cherry picking the CVE related fixes (like
> you've done) is probably the best solution, especially since this has
> already taken some time to fix.

Yeah, I think we should go ahead and fix these and rather revisit the
problem in case we have more issues to fix.

>
> A few things on the debdiff you just posted:
> - The attachment came through in ISO-8859-1 instead of UTF-8 and
>   lintian didn't like it. Hopefully the file is ok on your machine
>   though.
> - I think the ssl-server-test needs an 'isolation-container'
>   restriction since it opens TCP ports.

Good point, isolation-container restriction added.

Cheers,
 -- Guido