[bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305]
From: Marius Bakke
Subject: [bug#48648] [PATCH] gnu: gnutls: Update to 3.6.16 [fixes CVE-2021-20305].
Date: Tue, 25 May 2021 21:46:10 +0200
Leo Famulari <leo@famulari.name> writes:
> Grafts effectively rewrite binary references in compiled software, so
> it's kind of a kludge. The binary interface of the new grafted
> replacement must be compatible with the original package, and if it's
> not, the problems can be hidden and subtle.
>
> For that reason, it's important to make the smallest change possible
> when grafting, to reduce the chance of breakage.
>
> So, the question is, does 3.6.16 include only the fix for
> CVE-2021-20305? Or does it also include other changes? If the former, we
> should instead cherry-pick the CVE bug fix instead of updating.

GnuTLS usually mentions whether or not an update is ABI-compatible:

  https://lists.gnupg.org/pipermail/gnutls-help/2021-May/004707.html

However, it's good practice to verify that with something like 'abidiff'
(from the 'libabigail' package). I.e.:

  abidiff $(guix build gnutls)/lib/libgnutls.so \
          $(./pre-inst-env guix build gnutls)/lib/libgnutls.so

(this won't work because of multiple outputs, but you get the drill)

When there is no change, the graft _should_ be perfectly safe. If there
are changes, it becomes a judgement call. The 'abidiff' output is of
great assistance in that case.

Anyway, just some general notes on grafting. Thanks a lot for looking
after security issues, Solene.
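
The abidiff check described in the message above, as an added example that is not part of the original message or of Guix. It picks the output that actually holds the library when a package has several outputs, and turns abidiff's exit status into a verdict. The function names are hypothetical, and it assumes 'guix build' prints one store path per output.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes 'abidiff' (libabigail)
# is on PATH and that 'guix build' prints one store path per package output.

# Print the first path among the given outputs that contains lib/<soname>.
# Returns 1 if none does, so a multi-output package cannot silently mismatch.
pick_lib() {
    soname=$1; shift
    for out in "$@"; do
        if [ -e "$out/lib/$soname" ]; then
            printf '%s\n' "$out/lib/$soname"
            return 0
        fi
    done
    return 1
}

# Map abidiff's exit status (a bit field) to a verdict for the graft.
#   1 = ABIDIFF_ERROR              2 = ABIDIFF_USAGE_ERROR
#   4 = ABIDIFF_ABI_CHANGE         8 = ABIDIFF_ABI_INCOMPATIBLE_CHANGE
graft_verdict() {
    rc=$1
    if [ $((rc & 3)) -ne 0 ]; then
        echo "error"          # abidiff itself failed: no conclusion possible
    elif [ $((rc & 8)) -ne 0 ]; then
        echo "incompatible"   # incompatible ABI change reported
    elif [ $((rc & 4)) -ne 0 ]; then
        echo "review"         # ABI changed: judgement call, read the report
    else
        echo "safe"           # no ABI change detected
    fi
}

# Compare the packaged library with the one built from the local checkout.
compare_gnutls_abi() {
    # Unquoted command substitution is intended: one word per output path.
    old=$(pick_lib libgnutls.so $(guix build gnutls)) || return 2
    new=$(pick_lib libgnutls.so $(./pre-inst-env guix build gnutls)) || return 2
    rc=0
    abidiff "$old" "$new" || rc=$?
    graft_verdict "$rc"
}
```

Run compare_gnutls_abi from the root of a Guix checkout; abidiff's report goes to standard output ahead of the one-word verdict.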