[Git][security-tracker-team/security-tracker][master] Track fixed version for openssl issues via unstable
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Jun 14 20:52:54 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
13932f85 by Salvatore Bonaccorso at 2026-06-14T21:52:26+02:00
Track fixed version for openssl issues via unstable
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3040,7 +3040,7 @@ CVE-2016-20062 (Simply Poll 1.4.1 plugin for WordPress contains an SQL injection
NOT-FOR-US: WordPress plugin
CVE-2026-45446 (Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-S ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3 (openssl-3.0.21)
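Review bot: The Fixed by NOTE under CVE-2026-45446 still cites only the openssl-3.0.21 commit, while the unstable line now records 3.6.3-1. Consider adding a Fixed by NOTE for the upstream branch that the 3.6.3-1 upload follows, so the unstable fixed version can be checked against a commit on that branch rather than inferred from the 3.0.x one.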
@@ -3050,25 +3050,25 @@ CVE-2026-42771 (Issue summary: When the X509_VERIFY_PARAM_set1_email is called b
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-42770 (Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/7fbfde7677ed8808828bf00ff01c937ca04bdda2 (openssl-3.0.21)
NOTE: Introduced with: https://github.com/openssl/openssl/commit/46eee7104d77f9d303e06a398febdc60fd014d33
CVE-2026-42769 (Issue Summary: An error in the callback used to verify the certificate ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl 3.5.6-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-42768 (Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnera ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl 3.5.6-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-42767 (Issue summary: An attacker-controlled CMP (Certificate Management Prot ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl 3.5.6-1~deb13u2
[bookworm] - openssl <no-dsa> (Minor issue; can be fixed in next update)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
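Review bot: CVE-2026-42767 keeps `[bookworm] - openssl <no-dsa> (Minor issue; can be fixed in next update)` while other entries under the same bug #1139674 carry {DSA-6335-1} with fixes annotated openssl-3.0.21. Since this commit touches the entry anyway, please confirm whether the bookworm upload for that DSA already contains the fix for this CVE; if it does, the no-dsa line should become a fixed version, and if not, the entry is fine as it stands.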
@@ -3077,40 +3077,40 @@ CVE-2026-42767 (Issue summary: An attacker-controlled CMP (Certificate Managemen
NOTE: Introduced with: https://github.com/openssl/openssl/commit/a61b7f2fa6de3bf8d5b1436e66c52d6bf7150ae4
CVE-2026-42766 (Issue summary: A specially crafted password-encrypted CMS message can ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7 (openssl-3.0.21)
NOTE: Fixed by: https://github.com/openssl/openssl/commit/ba699b606969d20a108dda3cfe5422d4cc94eefb (openssl-3.0.21)
CVE-2026-42765 (Issue summary: When a partial-chain certificate verification is enable ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl <not-affected> (Vulnerable code not present)
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-34181 (Issue Summary: The PKCS#12 file processing fails to perform sufficient ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl 3.5.6-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-34180 (Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a pr ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83 (openssl-3.0.21)
CVE-2026-9076 (Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6 (openssl-3.0.21)
CVE-2026-7383 (Issue summary: A signed integer overflow when sizing the destination b ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974 (openssl-3.0.21)
CVE-2026-45445 (Issue summary: When an application drives an AES-OCB context through t ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[bullseye] - openssl <not-affected> (see below)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451 (openssl-3.0.21)
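Review bot: CVE-2026-42765 now has a fixed version in unstable while trixie, bookworm and bullseye are all `<not-affected> (Vulnerable code not present)`, yet the entry has no Introduced with NOTE. Adding the introducing commit, as is done for CVE-2026-42770, would document why only unstable needed the 3.6.3-1 fix.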
@@ -3118,26 +3118,26 @@ CVE-2026-45445 (Issue summary: When an application drives an AES-OCB context thr
NOTE: releases the IV is applied synchronously during cipher initialisation
NOTE: and the AES-OCB one-shot rejects data submitted before the IV is set.
CVE-2026-42764 (Issue summary: Receiving a QUIC initial packet with an invalid token m ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl 3.5.6-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-35188 (Issue summary: A malicious server can exploit TLS OCSP stapling by del ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl <not-affected> (Vulnerable code not present)
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-34183 (Issue summary: Remote peer may exhaust heap memory of the QUIC server ...)
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[trixie] - openssl 3.5.6-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code not present)
[bullseye] - openssl <not-affected> (Vulnerable code not present)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
CVE-2026-34182 (Issue Summary: Cryptographic Message Services (CMS) processing fails t ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/03c1f4d45fb963aee7d5833390c507cd290182bc (openssl-3.0.21)
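Review bot: On CVE-2026-35188 the three release lines all read `<not-affected> (Vulnerable code not present)`, so 3.6.3-1 is the only fix recorded, and the entry's sole NOTE is the advisory URL. A Fixed by or Introduced with NOTE naming the upstream commit would let the not-affected claims be re-verified later without re-reading the advisory.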
@@ -3145,7 +3145,7 @@ CVE-2026-34182 (Issue Summary: Cryptographic Message Services (CMS) processing f
NOTE: Introduced with: https://github.com/openssl/openssl/commit/924663c36d47066d5307937da77fed7e872730c7
CVE-2026-45447 (Issue summary: A specially crafted PKCS#7 or S/MIME signed message cou ...)
{DSA-6335-1}
- - openssl <unfixed> (bug #1139674)
+ - openssl 3.6.3-1 (bug #1139674)
NOTE: https://openssl-library.org/news/secadv/20260609.txt
NOTE: Fixed by: https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 (openssl-3.0.21)
NOTE: Fixed by: https://github.com/openssl/openssl/commit/18de9aba8294b5fb0915866cf3a1bb45f9599b8d (openssl-3.0.21)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13932f85e437dc3ebddc7d54144bc596c06948b0