Hello,

On 09/09/2021 19:11, Stefan Huehner wrote:
> looking a tiny bit at changelog for gnutls buster it looks like the backport
> was already done :)
>
> 3.6.7-4+deb10u5
> the _16 + _17 patches from the description sound like what i understand the
> fix is (explore alternative verification paths...)
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889

Thanks, that's a good reference for the gnutls part.

On 10/09/2021 10:55, Christoph Berg wrote:
> Note that stretch and later are using libssl1.1 by default, so only packages
> who were actively patched to keep using 1.0 are affected.

Thanks. This notably includes curl :/
So this needs fixing as well.
An openssl[1.0] update is underway, I'll coordinate with Thorsten.

Also, a work-around is to drop the expiring CA:

$ rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
$ update-ca-certificates

Cheers!
Sylvain Beucler
Debian LTS Team