Hi Sebastian

On Sat, May 27, 2023 at 02:17:54PM +0200, Sebastian Andrzej Siewior wrote:
> Hi,
>
> there is an upcoming OpenSSL scheduled for next TUE (2023-05-30)
> including one security fix of moderate severity [0].
> For Bullseye I am going to backport ~6 fixes (4 security fixes of minor
> severity which were not yet addressed, the upcoming fix and an
> alternative fix for CVE-2022-4304).
> _Later_ (once time permits) I would open a pu for Bullseye to include
> the final release (1.1.1u) since it only contains fixes.

This sounds good, thanks and hope this time we can do the rebase to
1.1.1u in bullseye-pu accordingly. I suggest to make sure this is early
on the radar of the stable release managers for review but feel free to
ping.

> For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
> open a unblock bug for Bookworm. Looking at the history it contains 169
> commits and only fixes which don't qualify as security issues. (Same for
> the 1.1.1 series but I would prefer to do some testing first and push it
> slowly via pu since it is much further behind (not that I expect
> anything to happen)).
> The Bookworm release is scheduled for the 10th and the announce mail
> claims that the unblock should happen on the 28th (tomorrow) at the
> latest. This will be hard to achieve given that my time machine is
> currently out of operation. This probably means that I need to upload
> to Bookworm-security unless there are exceptions.

If Paul Gevers agrees then I think this is a good plan. If it is too
risky for the release managers at this point and rather not wanting to
do it, we have already bookworm-security infrastructure set up. In the
latter case we can have the upload done, have some exposure there, and
upload a 3.0.9~deb12u1 released through bookworm-security (if done
before bookworm release just without DSA advisory).

> Are there other preferences/ suggestions from the release or security
> team?

Release managers (Paul, Sebastian, Graham), I know you are right now
busy with the last bits, if you find time to comment that would be
great. Would you be fine to process an unblock request for the security
update for openssl rebasing to 3.0.9?

Regards,
Salvatore