Bug#985973: unblock: gnutls28/3.7.1-1
Andreas Metzler
ametzler at bebt.de
Sat Mar 27 08:05:48 GMT 2021
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: gnutls28 at packages.debian.org
Please unblock gnutls28 3.7.1. This is the first bugfix release
for the 3.7.x series.
Most notably it features the fix for a non-DSA security issue (potential
use-after-free in sending "key_share" and "pre_shared_key" extensions.
GNUTLS-SA-2021-03-10. CVE-2021-20231 CVE-2021-20232). Apart from that
there is a plethora of minor and medium fixes. Fwiw it was released at
this point of time (just before the freeze) specifically to give us a
chance to ship in Debian bullseye.
While the diff is huge I strongly believe we make the right trade-off in
shipping this instead of cherry-picking more fixes:
* It has run through upstream's CI. Which is significant.
* GnuTLS probably will have CVEs during bullseye lifetime. Shipping .1
instead of .0 will ease our work then a lot both in checking whether
we are vulnerable and in applying patches.
* The cleanups are worth having.
Diff analysis:
ametzler at argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | lsdiff | wc
1722 1722 91156
Let's filter out auto* and the autogenerated documentation:
ametzler at argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' | lsdiff | wc
434 434 17963
m4 is also copied autofoo stuff except for hooks.m4 which has the
libtool minor version bump (LT_REVISION 1 instead of 0). Then there is a
minor gnulib update.
ametzler at argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | lsdiff | wc
314 314 13901
A huge part of the rest is testsuite cleanups, most notably
0ae814c77b18a925552b7a763a13ed1c63e2d1bd
tests: suffix .sh for all shell-script tests Otherwise valgrind will
run against /bin/sh.
416485f6d4dde63e90d19916ab9dee8fe972be10
tests: make any ad-hoc timeout setting controllable through envvar
ametzler at argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' | filterdiff -i '*/tests/*' | lsdiff | wc
244 244 11059
Dropping this, /debian/patches/ and some more generated files ...
ametzler at argenau:/tmp/gnutls4bullsey$ debdiff gnutls28_3.7.0-7.dsc gnutls28_3.7.1-1.dsc | filterdiff -x '*/doc/*texi' -x '*/doc/functions/*' -x '*/doc/manpages/*' -x '*/doc/gnutls.info*' -x '*/doc/reference/*' -x '*/build-aux/*' -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' -x '*/version.texi' -x '*/INSTALL' -x '*/ABOUT-NLS' -x'*.po' -x '*.bak' -x '*/gl/*' -x '*/m4/*' -x '*/tests/*' -x '*/debian/patches/*' -x '*/doc/gnutls-guile.*' -x '*/doc/gnutls.html' -x '*/gtk-doc.make' -x '*/aclocal.m4' | lsdiff | wc
55 55 1817
unblock gnutls28/3.7.1-1
Thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: full.debdiff.xz
Type: application/x-xz
Size: 244060 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20210327/0ffe9874/attachment-0002.xz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stripped_down.debdiff.xz
Type: application/x-xz
Size: 31932 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20210327/0ffe9874/attachment-0003.xz>
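The staged narrowing in the "Diff analysis" part of the message, as an added example that is not part of the original mail: it lists the files touched by a unified diff and applies the message's exclusion globs cumulatively, reporting the count left after each step. It reimplements the listing and filtering in Python instead of calling lsdiff/filterdiff; the sample diff, its placeholder file names and the stage grouping are constructed for illustration.

```python
import fnmatch

# Exclusion globs copied from the filterdiff commands in the message, grouped by step.
STAGES = [
    ("generated docs and autotools output", [
        "*/doc/*texi", "*/doc/functions/*", "*/doc/manpages/*", "*/doc/gnutls.info*",
        "*/doc/reference/*", "*/build-aux/*", "*/configure", "*/Makefile.in",
        "*/stamp-vti", "*/version.texi", "*/INSTALL", "*/ABOUT-NLS", "*.po", "*.bak"]),
    ("gl and m4", ["*/gl/*", "*/m4/*"]),
    ("tests, debian/patches and further generated files", [
        "*/tests/*", "*/debian/patches/*", "*/doc/gnutls-guile.*", "*/doc/gnutls.html",
        "*/gtk-doc.make", "*/aclocal.m4"]),
]

def changed_files(diff_text):
    """Paths from '+++ ' headers that directly follow a '--- ' header line."""
    files, prev = [], ""
    for line in diff_text.splitlines():
        if line.startswith("+++ ") and prev.startswith("--- "):
            files.append(line[4:].split("\t")[0])  # drop the timestamp field
        prev = line
    return files

def triage(files, stages=STAGES):
    """Apply each stage's globs cumulatively; return (report, surviving files)."""
    report = [("all files", len(files))]
    for label, globs in stages:
        # fnmatch lets '*' cross '/', which the leading '*/' in these globs needs.
        files = [f for f in files
                 if not any(fnmatch.fnmatchcase(f, g) for g in globs)]
        report.append(("minus " + label, len(files)))
    return report, files

# Constructed sample: ten one-line file diffs with placeholder paths.
SAMPLE = "\n".join(
    f"--- gnutls28-3.7.0/{p}\t2020\n+++ gnutls28-3.7.1/{p}\t2021\n@@ -1 +1 @@\n-old\n+new"
    for p in ["configure", "doc/example.texi", "po/xx.po", "gl/example.h",
              "m4/hooks.m4", "tests/example-test.sh", "debian/patches/example.patch",
              "lib/example_a.c", "lib/example_b.c", "NEWS"])

if __name__ == "__main__":
    report, rest = triage(changed_files(SAMPLE))
    for label, count in report:
        print(f"{count:5d}  {label}")
    print("left for manual review:", *rest, sep="\n  ")
```

The surviving list is the part of the diff that still needs a human read; note that hooks.m4, which the message says carries the libtool revision bump, is dropped by the `*/m4/*` glob and has to be checked separately.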