Andrea Pappacoda
2022-07-20 20:30:02 UTC
I'm bumping this thread because I believe that this has never reached
the debian-release mailing list, as the original report contained a big
debdiff and elbrus told me that reports with big attachments get
dropped by the mailing list. I'm not going to attach a diff in this
email, I'll do in another one so that this message doesn't get deleted.
I've been discussing this stable update with a couple of DDs at
Debconf, and while we're not 100% happy with how upstream polluted
their LTS branch with cosmetic changes we think that upgrading to the
latest 2.16 LTS version is worth it.
As I mentioned in the original report, the 2.16.12 (and also 2.16.11
and 2.16.10) release(s) fixes a couple of CVEs, but it also fixes a lot
of security issues that are not associated with any CVE, so
cherry-picking just a couple of commits wouldn't really be enough, and
fixing all of them would basically mean cherry-picking all non-cosmetic
changes.
To make reviewing easier, I've filtered the previous debdiff to
(mostly) only include non-cosmetic changes, with this command:
debdiff mbedtls_2.16.9-0.1.dsc mbedtls_2.16.12-0+deb11u1.dsc | \
  filterdiff -p 1 -x 'tests/*' -x 'visualc/*' -x 'programs/*' \
    -x '.travis.yml' -x '.gitignore' \
    -x 'include/mbedtls/aes.h' -x 'include/mbedtls/arc4.h' \
    -x 'include/mbedtls/aria.h' -x 'include/mbedtls/asn1.h' \
    -x include/mbedtls/base64.h -x include/mbedtls/bignum.h \
    -x include/mbedtls/blowfish.h -x include/mbedtls/camellia.h \
    -x include/mbedtls/ccm.h -x include/mbedtls/chacha20.h \
    -x include/mbedtls/chachapoly.h -x include/mbedtls/cipher.h \
    -x include/mbedtls/cmac.h -x include/mbedtls/config.h \
    -x include/mbedtls/ctr_drbg.h -x include/mbedtls/des.h \
    -x include/mbedtls/dhm.h -x include/mbedtls/entropy.h \
    -x include/mbedtls/gcm.h -x include/mbedtls/hkdf.h \
    -x include/mbedtls/hmac_drbg.h -x include/mbedtls/md2.h \
    -x include/mbedtls/md4.h -x include/mbedtls/md5.h \
    -x include/mbedtls/md.h -x include/mbedtls/net_sockets.h \
    -x include/mbedtls/oid.h -x include/mbedtls/padlock.h \
    -x include/mbedtls/pem.h -x include/mbedtls/pkcs12.h \
    -x include/mbedtls/pkcs5.h -x include/mbedtls/pk.h \
    -x include/mbedtls/platform.h -x include/mbedtls/poly1305.h \
    -x include/mbedtls/ripemd160.h -x include/mbedtls/rsa.h \
    -x include/mbedtls/sha1.h -x include/mbedtls/sha256.h \
    -x include/mbedtls/sha512.h -x include/mbedtls/ssl.h \
    -x include/mbedtls/ssl_ticket.h -x include/mbedtls/threading.h \
    -x include/mbedtls/x509.h -x include/mbedtls/x509_crt.h \
    -x include/mbedtls/xtea.h -x Makefile -x '*/Makefile'
Please take a look at the original bug report, as it contains a lot of
additional information. Thanks!
--
OpenPGP key: 66DE F152 8299 0C21 99EF A801 A8A1 28A8 AB1C EE49
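The review step the post describes (run the debdiff through `filterdiff -p 1 -x PATTERN ...` so that cosmetic paths such as `tests/*` and header-only edits drop out) can be reproduced without patchutils. The script below is an added example, not code from the post or from the mbedtls or Debian projects: it reimplements the `-p N` stripping and `-x` glob exclusion in plain POSIX sh so a reviewer can see exactly which per-file sections survive a given exclude list. The sample diff is constructed in debdiff's `diff -Nru` layout with illustrative paths and content; it is not a real mbedtls diff.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: a plain-sh stand-in for
# `filterdiff -p N -x PATTERN ...` (patchutils). Globs are matched with the
# shell's own `case`, after stripping N leading path components (-p N).

# Constructed sample in debdiff (diff -Nru) layout; paths are illustrative.
SAMPLE_DIFF='diff -Nru mbedtls-2.16.9/library/ssl_tls.c mbedtls-2.16.12/library/ssl_tls.c
--- mbedtls-2.16.9/library/ssl_tls.c
+++ mbedtls-2.16.12/library/ssl_tls.c
@@ -1,3 +1,4 @@
 int f(void) {
+    /* constructed: new length check */
     return 0;
 }
diff -Nru mbedtls-2.16.9/tests/suites/test_x.data mbedtls-2.16.12/tests/suites/test_x.data
--- mbedtls-2.16.9/tests/suites/test_x.data
+++ mbedtls-2.16.12/tests/suites/test_x.data
@@ -1 +1 @@
-old
+new
diff -Nru mbedtls-2.16.9/include/mbedtls/aes.h mbedtls-2.16.12/include/mbedtls/aes.h
--- mbedtls-2.16.9/include/mbedtls/aes.h
+++ mbedtls-2.16.12/include/mbedtls/aes.h
@@ -1 +1 @@
-/* comment with typo */
+/* comment without typo */
'

# strip_components N PATH: drop N leading directory components, like -p N.
strip_components() {
    sc_n=$1; sc_p=$2
    while [ "$sc_n" -gt 0 ]; do
        sc_p=${sc_p#*/}
        sc_n=$((sc_n - 1))
    done
    printf '%s\n' "$sc_p"
}

# matches_any PATH PATTERN...: returns 0 if PATH matches one of the globs.
matches_any() {
    ma_path=$1; shift
    for ma_pat in "$@"; do
        # $ma_pat is unquoted on purpose so it is taken as a glob pattern
        case $ma_path in $ma_pat) return 0 ;; esac
    done
    return 1
}

# filter_diff N PATTERN... < unified-diff: print only the per-file sections
# whose new-file path (after stripping N components) matches no PATTERN.
# A section starts at a "diff ..." header whose last field is the new path.
filter_diff() {
    fd_n=$1; shift
    keep=1
    while IFS= read -r line; do
        case $line in
            diff\ *)
                new=${line##* }
                if matches_any "$(strip_components "$fd_n" "$new")" "$@"; then
                    keep=0
                else
                    keep=1
                fi ;;
        esac
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# kept_files N PATTERN... < unified-diff: just the surviving (stripped) paths,
# which is the list a reviewer actually wants to eyeball first.
kept_files() {
    kf_n=$1; shift
    filter_diff "$kf_n" "$@" | while IFS= read -r line; do
        case $line in
            diff\ *) strip_components "$kf_n" "${line##* }" ;;
        esac
    done
}

# Usage: the post's exclusions, narrowed to the three that matter for the sample.
printf '%s' "$SAMPLE_DIFF" | kept_files 1 'tests/*' 'include/mbedtls/*.h' '*/Makefile'
```

Only `library/ssl_tls.c` survives the sample run; the test-suite data file and the header-comment fix are dropped exactly as `filterdiff -x` would drop them. Note that `case` globs let `*` cross `/`, which matches how the post's `tests/*` pattern is meant to behave (everything under `tests/`, at any depth).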