[FFe] Update to 3.0.6
Bug #1991771 reported by Simon Chopin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssl (Ubuntu) | Won't Fix | High | Unassigned | |
Bug Description
There's an upcoming security release for OpenSSL according to https:/
The timing is somewhat unfortunate given our own release schedule.
The current version of openssl in kinetic, 3.0.5-2ubuntu1, is actually a snapshot of the 3.0 branch ahead of 3.0.5 (inherited from Debian during the last merge).
Sadly, they don't have a proper changelog (even partial) for the upcoming release yet, but I'll attach the diff and shortlog between our current version and the current state of the branch to get an idea of what's to come. As usual for their 3.0 point releases, it's not just security fixes but general bugfixes as well.
| Changed in openssl (Ubuntu) | |
|---|---|
| status | Confirmed → New |
| status | New → Triaged |
| status | Triaged → Won't Fix |

Given the late glibc change now in flight, I do not think we have the capacity to take an openssl change this late in the release cycle without significantly taxing the team to make the release happen. Especially since the security fixes are low impact and the upstream release is not security-fix-only, I definitely do not think we can grant a freeze exception at this point, and think the chances of granting one on Tuesday when the upstream release has happened are low. I would advise that you work with the Security Team to work out what a zero-day security update of this package should look like.