See below.

On Sat, Jun 15, 2019 at 9:42 PM Andreas Metzler <ametz...@bebt.de> wrote:
>
> On 2019-06-15 Ross Boylan <rossboy...@stanfordalumni.org> wrote:
> > I've been following this bug because it came up as an issue for a
> > security upgrade to libgnutls-openssl27 in buster. I'm still seeing
> > 3.6.7-3 as the upgrade target.
>
> Hello Ross,
>
> I do not know whether this bug applies to packages using GnuTLS via the
> openssl wrapper library. There aren't a lot of rdepends, and the wrapper
> is thin and does not expose the complete functionality.
>
> > Will an openssl27 variant be coming? Or perhaps this problem never
> > applied to -openssl27 and apt-listbugs just got over-eager?
>
> If the bug applies to libgnutls-openssl27 it will be fixed exactly when
> the underlying libgnutls is fixed. There is no separate step involved,
> it is just a wrapper.
>
> > I came
> > here for ..ssl27; the original report is for ..ssl28;
>
> Where?

I was going to upgrade libgnutls-openssl27 and apt-listbugs listed this bug as a critical one.
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=libgnutls-openssl27;dist=unstable
identifies the source package as gnutls28 (sorry--no ssl in there), and apt-listbugs must have been reporting all bugs in the source package. The original bug report identifies libgnutls30 as the (presumably binary) package in which the bug is found.

>
> > the package the
> > bug is filed against is apparently ..ssl30. The versioning is a bit
> > mysterious to me :)
>
> It is pretty much straightforward, when the ABI breaks we bump the
> soname. ;-)

I meant it was mysterious why all these different ABI versions are ending up together in the bug system. I think I've figured that out: they all are from the same source package.

The libgnutls-openssl27 I would install now depends on libgnutls30 version 3.6.7-3. Currently installed libgnutls30 is 3.6.6-2. So it sounds as if I should wait til gnutls30 3.6.7-4 appears before doing the upgrade. Or maybe the security problem is serious enough to warrant an upgrade now? TLS is likely to matter to me only as a client.

Ross