[From nobody Sat Jun 13 19:51:05 2026
From: Christoph Anton Mitterer <calestyo@scientia.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssl3t64: various CVEs, including CVE-2026-45447 with possible RCE
Message-ID: <178114732311.133681.14803335737739643621.reportbug@heisenberg.scientia.org>
X-Mailer: reportbug 13.2.0
Date: Thu, 11 Jun 2026 05:08:43 +0200
X-AuthUser: calestyo@scientia.org
Delivered-To: submit@bugs.debian.org

Package: libssl3t64
Version: 3.6.2-1
Severity: grave
Tags: upstream
Justification: user security hole

Hey.

There are multiple CVEs:
https://openssl-library.org/news/secadv/20260609.txt

including CVE-2026-45447, which potentially allows for RCE.

These have all been fixed in stable 2 days ago,
but unstable/testing have been left out (which seems unfortunate,
given that probably many DDs/DMs also run on either of the two).

Cheers,
Chris.


-- System Information:
Debian Release: forky/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.12+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl3t64 depends on:
ii  libc6                    2.42-16
ii  libzstd1                 1.5.7+dfsg-3+b2
ii  openssl-provider-legacy  3.6.2-1
ii  zlib1g                   1:1.3.dfsg+really1.3.2-3

libssl3t64 recommends no packages.

libssl3t64 suggests no packages.

-- no debconf information
]