Package: release.debian.org
Control: affects -1 + src:mbedtls
X-Debbugs-Cc: mbed...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package mbedtls

[ Reason ]
I have updated the package to the latest upstream LTS branch release to fix several CVEs. Upstream takes great care not to break compatibility between patch releases.

[ Impact ]
If the unblock isn't granted, trixie will ship with an already insecure version of the library, which is particularly important for a crypto/TLS package.

[ Tests ]
New upstream tests were added which test against the old security bugs, alongside the comprehensive pre-existing test suite.

[ Risks ]
MbedTLS is a key package. Still, I believe the risks are low as upstream has always been careful with such releases. Autopkgtests exist too.

[ Checklist ]
[x] all changes are documented in the d/changelog (assuming "new upstream release fixing CVEs a, b, and c" is enough)
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing

[ Other info ]
As I didn't realize the library was a key package, and the full freeze hasn't started yet, I have already pushed this to unstable. Oops.

The debdiff is huge, and I haven't included it here. This is because upstream likes to also backport non-critical changes like test updates, documentation improvements, and similar.

During DebConf I talked with Andrej Shadura, who has prepared stable updates to the library in the past. He said that only backporting commits which fix the issues while leaving out the cosmetic fixes is borderline infeasible, as fixes are often split into several commits and tracking them all down can be hard. While this makes diffs big, and it sucks, I also believe that keeping only "the important stuff" is really not worth the effort, and increases the risk of messing up by leaving out parts of the patches backported into the LTS branch by upstream.

Bye!

unblock mbedtls/3.6.4-2
