[Pkg-openssl-devel] openssl_4.0.1-1_amd64.changes ACCEPTED into experimental

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sat Jun 13 22:00:18 BST 2026


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Jun 2026 20:01:42 +0200
Source: openssl
Binary: libcrypto4-udeb libssl-dev libssl4 libssl4-dbgsym libssl4-udeb openssl openssl-dbgsym openssl-provider-fips openssl-provider-fips-dbgsym openssl-provider-legacy openssl-provider-legacy-dbgsym
Architecture: source amd64
Version: 4.0.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel at alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
Description:
 libcrypto4-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl4    - Secure Sockets Layer toolkit - shared libraries
 libssl4-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
 openssl-provider-fips - Secure Sockets Layer toolkit - cryptographic utility
 openssl-provider-legacy - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (4.0.1-1) experimental; urgency=medium
 .
   * Import 4.0.1
    - CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String
      Conversion")
    - CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption")
    - CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing")
    - CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC
      Keys")
    - CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged
      Messages")
    - CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE
      Handler")
    - CVE-2026-35188 ("Double-free When Checking OCSP Stapled Response")
    - CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet
      handling")
    - CVE-2026-42765 ("NULL Dereference in Certificate Verification with OCSP
      Checking")
    - CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS
      Decryption")
    - CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue
      Decryption")
    - CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in
      CMS_decrypt() and PKCS7_decrypt()")
    - CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP
      rootCaKeyUpdate")
    - CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q")
    - CVE-2026-42771 ("Possible Out of Bounds Read in
      X509_VERIFY_PARAM_set1_email()")
    - CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path")
    - CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in
      AES-GCM-SIV and AES-SIV modes")
    - CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()")

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
