Bug#929907: implications for libgnutls-openssl27?

Ross Boylan rossboylan at stanfordalumni.org
Sun Jun 16 20:45:40 BST 2019


See below.

On Sat, Jun 15, 2019 at 9:42 PM Andreas Metzler <ametzler at bebt.de> wrote:
>
> On 2019-06-15 Ross Boylan <rossboylan at stanfordalumni.org> wrote:
> > I've been following this bug because it came up as an issue for a
> > security upgrade to libgnutls-openssl27 in buster.  I'm still seeing
> > 3.6.7-3 as the upgrade target.
>
> Hello Ross,
>
> I do not know whether this bug applies to packages using GnuTLS via the
> openssl wrapper library. There aren't a lot of rdepends, and the wrapper
> is thin and does not expose the complete functionality.
>
> > Will an openssl27 variant be coming?  Or perhaps this problem never
> > applied to -openssl27 and apt-listbugs just got over-eager?
>
> If the bug applies to libgnutls-openssl27 it will be fixed exactly when
> the underlying libgnutls is fixed. There is no separate step involved,
> it is just a wrapper.
>
> > I came
> > here for ..ssl27; the original report is for ..ssl28;
>
> Where?

I was going to upgrade libgnutls-openssl27 and apt-listbugs listed
this bug as a critical one.

https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libgnutls-openssl27;dist=unstable
identifies the source package as gnutls28 (sorry--no ssl in there),
and apt-listbugs must have been reporting all bugs in the source
package.

The original bug report identifies libgnutls30 as the (presumably
binary) package in which the bug is found.

>
> > the package the
> > bug is filed against is apparently ..ssl30.  The versioning is a bit
> > mysterious to me :)
>
> It is pretty much straightforward, when the ABI breaks we bump the
> soname. ;-)

I meant it was mysterious why all these different ABI versions are
ending up together in the bug system.  I think I've figured that out:
they all are from the same source package.

The libgnutls-openssl27 I would install now depends on libgnutls30
version 3.6.7-3.
Currently installed libgnutls30 is 3.6.6-2.

So it sounds as if I should wait until gnutls30 3.6.7-4 appears before
doing the upgrade.  Or maybe the security problem is serious enough to
warrant an upgrade now?  TLS is likely to matter to me only as a
client.

Ross
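The checks behind this exchange (which source package a binary package was built from, which version of libgnutls30 it depends on, and what is currently installed), as an added POSIX shell example that is not part of the original mail. The package stanzas below are constructed from the values quoted in the thread, not captured from a real system; on a Debian box the same fields come from `apt-cache show` and `dpkg-query -W`.

```shell
# Constructed sample of an `apt-cache show libgnutls-openssl27` stanza
# (assumption: modelled on the versions named in the thread, not real output).
SAMPLE_STANZA='Package: libgnutls-openssl27
Source: gnutls28
Version: 3.6.7-3
Depends: libgnutls30 (= 3.6.7-3), libc6 (>= 2.14)
Description: GNU TLS library - OpenSSL wrapper'

# Constructed sample of `dpkg-query -W -f="${Package} ${Version}\n"` output
# for the currently installed packages (assumption).
SAMPLE_INSTALLED='libgnutls30 3.6.6-2
libgnutls-openssl27 3.6.6-2'

# Print the source package a binary package was built from.
# apt-listbugs reports bugs filed against the source package, so this is
# the name that explains why a libgnutls30 bug shows up for -openssl27.
source_package() {
    printf '%s\n' "$1" | sed -n 's/^Source: \([^ ]*\).*/\1/p'
}

# Print the version constraint a stanza declares on one dependency,
# e.g. "= 3.6.7-3" for libgnutls30.
dep_constraint() {
    printf '%s\n' "$1" | sed -n 's/^Depends: //p' | tr ',' '\n' \
        | sed -n "s/^ *$2 (\([^)]*\)).*/\1/p"
}

# Print the installed version of a package from dpkg-query style output.
installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" '$1 == pkg { print $2 }'
}

# Return 0 if the installed version satisfies a strict "= X" constraint,
# 1 otherwise. Only exact equality is handled, which is what the wrapper
# package declares on libgnutls30 here.
dep_satisfied() {
    constraint="$1"; installed="$2"
    case "$constraint" in
        "= $installed") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report whether upgrading the wrapper would pull in a
# new libgnutls30.
if [ -z "${NO_MAIN:-}" ]; then
    src=$(source_package "$SAMPLE_STANZA")
    want=$(dep_constraint "$SAMPLE_STANZA" libgnutls30)
    have=$(installed_version "$SAMPLE_INSTALLED" libgnutls30)
    echo "source package: $src"
    echo "libgnutls30 required: $want, installed: $have"
    if dep_satisfied "$want" "$have"; then
        echo "upgrade would not change libgnutls30"
    else
        echo "upgrade pulls in a new libgnutls30"
    fi
fi
```

Run with `NO_MAIN=1` to source only the functions; `source_package` is the field to compare against the BTS listing, and the `dep_satisfied` result is the cheap way to see whether the wrapper upgrade is really a libgnutls30 upgrade in disguise.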
