[Debian-iot-maintainers] Bug#1109602: unblock: mbedtls/3.6.4-2

Andrea Pappacoda tachi at debian.org
Sun Jul 20 18:54:10 BST 2025


Package: release.debian.org
Control: affects -1 + src:mbedtls
X-Debbugs-Cc: mbedtls at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package mbedtls

[ Reason ]
I have updated the package to the latest upstream LTS branch release to 
fix several CVEs. Upstream takes great care of not breaking 
compatibility between patch releases.

[ Impact ]
If the unblock isn't granted, trixie will ship with an already insecure 
version of the library, which is particularly important for a crypto/TLS 
package.

[ Tests ]
New upstream tests were added which test against the old security bugs, 
alongside the comprehensive pre-existing test suite.

[ Risks ]
MbedTLS is a key package. Still, I believe the risks are low as upstream 
has always been careful with such releases. Autopkgtests exist too.

[ Checklist ]
  [x] all changes are documented in the d/changelog (assuming "new 
  upstream release fixing CVEs a, b, and c" is enough)
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

[ Other info ]
As I didn't realize the library was a key package, and the full freeze 
hasn't started yet, I have already pushed this to unstable. Oops.

The debdiff is huge, and I haven't included it here. This is because 
upstream likes to also backport non-critical changes like test updates, 
documentation improvements, and similar.

During DebConf I have talked with Andrej Shadura, who has prepared 
stable updates to the library in the past. He said that only backporting 
commits which fix the issues while leaving out the cosmetic fixes is 
borderline infeasible, as fixes are often split across several commits and 
tracking them all down can be hard. While this makes diffs big, and it 
sucks, I also believe that keeping only "the important stuff" is really 
not worth the effort, and increases the risk of messing up by leaving 
out parts of the patches backported into the LTS branch by upstream.

Bye!

unblock mbedtls/3.6.4-2