From noreply at release.debian.org Thu May 21 05:39:16 2026
From: noreply at release.debian.org (Debian testing watch)
Date: Thu, 21 May 2026 04:39:16 +0000
Subject: [Debian-iot-maintainers] mbedtls 3.6.6-0.1 MIGRATED to testing
Message-ID:

FYI: The status of the mbedtls source package
in Debian's testing distribution has changed.

  Previous version: 3.6.5-0.1
  Current version:  3.6.6-0.1

-- 
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

From bunk at debian.org Thu May 21 13:58:45 2026
From: bunk at debian.org (Adrian Bunk)
Date: Thu, 21 May 2026 15:58:45 +0300
Subject: [Debian-iot-maintainers] Bug#1137236: trixie-pu: package mbedtls/3.6.6-0.1~deb13u1
Message-ID: <177936832592.3948373.14827955383994417509.reportbug@localhost>

Package: release.debian.org
Severity: normal
Tags: trixie moreinfo
X-Debbugs-Cc: mbedtls at packages.debian.org, security at debian.org
Control: affects -1 + src:mbedtls
User: release.debian.org at packages.debian.org
Usertags: pu

  * New upstream release.
    - CVE-2026-25834: Signature Algorithm Injection
    - CVE-2026-25835: PSA random generator cloning
    - CVE-2026-34872: FFDH: improper input validation
    - CVE-2026-34873: Client impersonation resuming a TLS 1.3 session
    - CVE-2026-34874: Null pointer dereference setting a distinguished name
    - CVE-2026-34875: Buffer overflow in FFDH public key export
    - CVE-2026-34876: CCM multipart finish tag-length validation bypass
    (Closes: #1133841, #1132577)

This is ~deb13u1 of the package that I've NMUed in sid by updating to
a new upstream version.
Similar to the previous update (#1124567), this is a release on an LTS
branch with few other changes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Backporting only the CVE fixes to 3.6.5 should be possible if 3.6.6 is
not wanted; backporting fixes for all unfixed CVEs to the bookworm
version is outside my skill set.

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff-mbedtls_3.6.6-0.1~deb13u1.xz
Type: application/x-xz
Size: 229328 bytes
Desc: not available
URL: