[From nobody Sat Jun 13 19:51:05 2026 Received: (at 1139674-close) by bugs.debian.org; 13 Jun 2026 18:49:34 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-114.1 required=4.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FOURLA, FVGT_m_MULTI_ODD,HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE, USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 127; hammy, 150; neutral, 315; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--HX-DAK:process-upload, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo. Return-path: <envelope@ftp-master.debian.org> Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:41218) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wYTQE-007Dc3-18 for 1139674-close@bugs.debian.org; Sat, 13 Jun 2026 18:49:34 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by muffat.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wYTQE-00G9sD-0U for 1139674-close@bugs.debian.org; Sat, 13 Jun 2026 18:49:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=ZDPIwLTa9XVxzelZbKkB+zVKJ994kFDjGBIbxgQ425Q=; b=AgjwD/5BCC3qkZkXoMVGJXSn43 HdFz8xdvV5lSWCoGbYmVM1i59uDCGeGKzpu/5HdVte3lY44rJgJc0U6XYEAmJBfpkwDeLOLroiOe+ L6rDPdrQFOYPG7BCWqUO+ZiMsOdzbnJ2gRD8ifGRhQm4HiihS3b38LgjU/byA10U4tGOfTjgZX3vN KXqxby9eYtoSRz2o7FRcje7g7mQ47oiPclOYeLdAl3SMPbsyJrGOxEjtj3wpbJPJNq++o6Mw3PvTc E2n3KS5Ynnc7VifCES59msBb/wAitxHup58S3uJikghQxoMxGqrpQyqgPgWDGMuYwLvAVL3Q667/k 4EkEhByA==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1wYTQD-00000005DQs-1LRm; Sat, 13 Jun 2026 18:49:33 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> To: 1139674-close@bugs.debian.org X-DAK: dak process-upload X-Debian: DAK X-Debian-Package: openssl Debian: DAK Debian-Changes: openssl_3.6.3-1_source.changes Debian-Source: openssl Debian-Version: 3.6.3-1 Debian-Architecture: source Debian-Suite: unstable Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1139674: fixed in openssl 3.6.3-1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============6457504925204426497==" Message-Id: <E1wYTQD-00000005DQs-1LRm@fasolo.debian.org> Date: Sat, 13 Jun 2026 18:49:33 +0000 --===============6457504925204426497== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: openssl Source-Version: 3.6.3-1 Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> We believe that the bug you reported is fixed in the latest version of openssl, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139674@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated open= ssl package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 13 Jun 2026 19:00:51 +0200 Source: openssl Architecture: source Version: 3.6.3-1 Distribution: unstable Urgency: medium Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net> Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Closes: 1139674 Changes: openssl (3.6.3-1) unstable; urgency=3Dmedium . * Import 3.6.3 (Closes: #1139674) - CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion") - CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption") - CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing") - CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys") - CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged Messages") - CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler") - CVE-2026-35188 ("Double-free When Checking OCSP Stapled Response") - CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet handling") - CVE-2026-42765 ("NULL Dereference in Certificate Verification with OCSP Checking") - CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS Decryption") - CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue Decryption") - CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()") - CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate") - CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q") - CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path") - CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes") - CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()") Checksums-Sha1: d67d8b5686ae864769a69db788d960ddfbc24ef0 2675 openssl_3.6.3-1.dsc 72142e828396004a60af4a8458f30216a7906cbb 54953005 openssl_3.6.3.orig.tar.gz d35dd18a12f73c9f0fbcb52234ab8fd40a871236 833 openssl_3.6.3.orig.tar.gz.asc 2e81c08e0e82d4d9b2e8262ba0cb609f6953fd9b 51336 openssl_3.6.3-1.debian.tar.xz Checksums-Sha256: 490192136153d535905ab20e2912f6044a794bbd9abc2d7e5183753be53ba8b4 2675 openss= l_3.6.3-1.dsc 243a86649cf6f23eeb6a2ff2456e09e5d77dd9018a54d3d96b0c6bdd6ba6c7f1 54953005 op= enssl_3.6.3.orig.tar.gz b63c50e25308f0ace0186196b0b65b698cc73e814a7cc29cd7a43c6d134fd8b4 833 openssl= _3.6.3.orig.tar.gz.asc 359040b3f618c38d601968fd097eef2eb4b66de0beb98d862457618f3ce13b26 51336 opens= sl_3.6.3-1.debian.tar.xz Files: a70389af7a456bd57c5fe302079da017 2675 utils optional openssl_3.6.3-1.dsc f388d6144fe20b9b2c6bf208280d6ec3 54953005 utils optional openssl_3.6.3.orig.= tar.gz 9f187ecf776ff34a1b9ea5631102d573 833 utils optional openssl_3.6.3.orig.tar.g= z.asc 06ea8671f50efb05844ca1105b9b533e 51336 utils optional openssl_3.6.3-1.debian= .tar.xz -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmotooIACgkQBWQfF1cS +ltf9Qv/UsORjF5K2qoi+1wfiVLZ7ermyyOJF7mjdgQ1lXIzulIkxH6MwiR4Mm1b tiECpF+u8GXTKa+797BvEWz/dtLKs75o7nvxbwTJzr/44m+H6VDtgLu9/LIVjGy3 M2OhxWutqvBmf4HzQFmfZdupIJ4ZULAz0DqJuxdqABrCWdxlsO2sPFcWZTM1mSlh Mt2YoVcFLmCfBtSTkZBgYdTZkuDZZ7feS5OEugvM3OMeCLgXec0pdqGtMicrLBPL mzWn8CYoTSmjz4jEAX7ZdSz1w5TWGq8P/hGdgxJ2FBVLWm0gR1oe1gBjBm5ubTAN 6tUrSLdRQWf16YmtnP+OD6tux46zDBWiVAeeFESMUeVk8EUCQ5zHPN2GSqiVsErJ 7Pe5dOGEw8z/p2K5aQkCRWnDyl99ARoGx7NhrSy2UAh1/m3fYs8YQsuz9OZ0msqG wv8NMFsVxp3C6M+xRZqfr/hozJW2LkGIJYokIgeJxrxx5ipI1JWLZpviR7HKk6fA WC7lxzY/ =3DZ+hN -----END PGP SIGNATURE----- --===============6457504925204426497== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHQEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCai2mPQAKCRCb9qggYcy5 ISLtAPjSStoxVzq1p4EItDPafQSc7UfUhAEBXiKYEoVEIE13AQCWMtTfX5l7GRIg nEMB5z9MbL7VlBoldH2N5GTmtfk0AA== =A/Uy -----END PGP SIGNATURE----- --===============6457504925204426497==-- ]