[Debian-iot-maintainers] Bug#1137236: trixie-pu: package mbedtls/3.6.6-0.1~deb13u1

Adrian Bunk bunk at debian.org
Thu May 21 13:58:45 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie moreinfo
X-Debbugs-Cc: mbedtls at packages.debian.org, security at debian.org
Control: affects -1 + src:mbedtls
User: release.debian.org at packages.debian.org
Usertags: pu

  * New upstream release.
    - CVE-2026-25834: Signature Algorithm Injection
    - CVE-2026-25835: PSA random generator cloning
    - CVE-2026-34872: FFDH: improper input validation
    - CVE-2026-34873: Client impersonation resuming a TLS 1.3 session
    - CVE-2026-34874: Null pointer dereference setting a distinguished name
    - CVE-2026-34875: Buffer overflow in FFDH public key export
    - CVE-2026-34876: CCM multipart finish tag-length validation bypass
    (Closes: #1133841, #1132577)

This is ~deb13u1 of the package that I've NMUed in sid by updating
to a new upstream version. Similar to the previous update (#1124567),
this is a release on an LTS branch with few other changes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Backporting only the CVE fixes to 3.6.5 should be possible if 3.6.6
is not wanted; backporting fixes for all unfixed CVEs to the bookworm
version is outside my skill set.

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff-mbedtls_3.6.6-0.1~deb13u1.xz
Type: application/x-xz
Size: 229328 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-iot-maintainers/attachments/20260521/63e3ded7/attachment-0001.xz>