Bug#352047: [Pkg-openssl-devel] Bug#352047: BIO_s_connect patch pending next 0.9.8 release

Kurt Roeckx kurt at roeckx.be
Thu Feb 9 17:55:26 UTC 2006


severity 352047 serious
thanks

On Thu, Feb 09, 2006 at 02:27:19PM +0100, Gabriel Forté wrote:
> On Thu, Feb 09, 2006 at 03:08:01AM -0800, Steve Langasek wrote:
> > On Thu, Feb 09, 2006 at 11:39:29AM +0100, Gabriel Forté wrote:
> > > Package: libssl0.9.8
> > > Version: 0.9.8a-6
> > > Severity: critical
> > 
> > > the following openssl-dev mailing-list thread documents a regression bug 
> > > in libssl which will be fixed in the upcoming upstream release (0.9.8b):
> > 
> > > http://www.mail-archive.com/openssl-dev@openssl.org/msg20804.html
> > 
> > None of which explains why this is "critical".
> 
> maybe this post later in the same thread is a better explanation:
> 
> http://www.mail-archive.com/openssl-dev@openssl.org/msg20815.html
> 
> 
> to me this breaks unrelated software using this feature in the library
> (or maybe I am wrong about the "unrelated" definition)

From the documentation:
   critical
          makes unrelated software on the system (or the whole system)
          break, or causes serious data loss, or introduces a security
          hole on systems where you install the package.

   grave
          makes the package in question unusable or mostly so, or causes
          data loss, or introduces a security hole allowing access to the
          accounts of users who use the package.

   serious
          is a severe violation of Debian policy (roughly, it violates a
          "must" or "required" directive), or, in the package
          maintainer's opinion, makes the package unsuitable for release.

   important
          a bug which has a major effect on the usability of a package,
          without rendering it completely unusable to everyone.

Unrelated in this case would mean something that is not
linked to libssl.  I think critical isn't the right
severity.

Since you're about the first person to have a problem, I
think serious is the right severity.

> I'm currently forced to rebuild the package with that patch each time a
> new release comes out in order to work around this problem,
> which triggers a critical functional regression in something as trivial as
> establishing a TCP connection over the BIO API, and had to for about two
> months as of this day (the upstream maintainer didn't react about it until
> a few days ago).

Upstream isn't always that responsive.

I'll try and upload a fixed version shortly.


Kurt