Bug#1136309: trixie-pu: package wolfssl/5.9.1-0.1+deb13u1

Bastian Germann bage@debian.org
Mon May 11 21:20:14 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: wolfssl@packages.debian.org, lighttpd@packages.debian.org, vdeplug-agno@packages.debian.org, sip-tester@packages.debian.org, kamailio@packages.debian.org
Control: affects -1 + src:wolfssl lighttpd-mod-wolfssl libvdeplug-agno swupdate sip-tester kamailio-tls-wolfssl-modules
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
trixie's wolfssl package is affected by 46 CVEs which are fixed in unstable.
Upstream does not provide stable releases and does not link CVEs to the
changesets that are required to fix them. Instead, in their release notes
the CVEs are claimed to be fixed.

The Security Team does not support wolfssl and that is why they have not
issued a DSA.

As identifying and backporting the changes that fix the CVEs is a massive task,
hardly anyone is going to do that. The maintainer is pretty passive.
Therefore, I am proposing to update to the current sid version as a stable update.

[ Impact ]
The users are potentially vulnerable to the CVEs documented to affect wolfssl.

[ Tests ]
I have verified that the reverse dependency swupdate can still perform
cryptographic operations.

The build succeeds on all release architectures.
All reverse dependencies build against the proposed version on amd64.

[ Risks ]
There might be side effects of the version update. Much code is changed.
I have kept the ABI compatible with the trixie version and have reduced
the additionally exported symbols as much as possible. I think we can bear the
risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
* New upstream release 5.9.1 (currently in unstable).
  (Closes: #1133835, CVE-2026-5187 CVE-2026-5188
  CVE-2026-5194 CVE-2026-5263 CVE-2026-5264 CVE-2026-5295 CVE-2026-5392
  CVE-2026-5393 CVE-2026-5446 CVE-2026-5447 CVE-2026-5448 CVE-2026-5460
  CVE-2026-5466 CVE-2026-5477 CVE-2026-5479 CVE-2026-5500 CVE-2026-5501
  CVE-2026-5503 CVE-2026-5504 CVE-2026-5507 CVE-2026-5772 CVE-2026-5778)
* Fix for CVE-2025-12888, CVE-2025-11936, CVE-2025-11935, CVE-2025-11934,
  CVE-2025-11933, CVE-2025-11932, CVE-2025-11931, CVE-2025-12889.
  (Closes: #1121196, #1121197, #1121198, #1121199, #1121200, #1121202,
  #1121204, #1121205)
* Drop upstream patch for CVE-2025-7394 contained in 5.9.1.
* Keep PKCS#7 verification working. (Closes: #1132097)
* Eliminate unnecessary disable-crl-monitor.patch and disable-jobserver.patch.
* Update debian/copyright to GPL3+. I have checked that the reverse
  dependencies are compatible.
* Apply configuration that closely matches 5.7.2-0.1+deb13u1.
* Don't install cmake files because the trixie version does not have any.

[ Other info ]
I have kept the package up to date in unstable via NMUs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wolfssl_5.9.1-0.1+deb13u1.debdiff.gz
Type: application/gzip
Size: 7452951 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20260511/0ce854d1/attachment-0001.gz>
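The ABI claim under [ Risks ] (no symbol dropped, as few extra exports as possible) can be cross-checked by diffing the dynamic export tables of the old and new shared objects. The script below is an added example, not part of this bug report, the wolfssl packaging or Debian's tooling; the library paths are placeholders, the symbol names in demo() are constructed illustrative lists rather than wolfssl's real export table, and the proper Debian mechanism (dpkg-gensymbols with a symbols file) is assumed to be used alongside it.

```shell
#!/bin/sh
# Added example (not from the bug report or the wolfssl packaging): a coarse
# ABI check between two builds of a shared library, e.g. the trixie
# libwolfssl.so.N versus the one built from 5.9.1-0.1+deb13u1.
# Rule applied: a symbol dropped from the dynamic export table breaks every
# consumer linked against it; symbols that are only added are ABI-safe but
# widen the exported surface. Debian's real tool for this is dpkg-gensymbols
# with a symbols file; this script is only a quick cross-check.
set -eu
export LC_ALL=C   # byte-order sorting so comm(1) sees the order sort(1) produced

# symbol_set OUT: read symbol names on stdin, write the sorted unique set to OUT
symbol_set() {
    sort -u > "$1"
}

# exported_symbols LIB OUT: defined dynamic symbols of shared object LIB -> OUT.
# nm -D prints "addr type name[@@version]"; the version suffix is kept because
# a changed version tag is itself an ABI change.
exported_symbols() {
    nm -D --defined-only "$1" | awk 'NF >= 3 { print $3 }' | symbol_set "$2"
}

# abi_removed OLD NEW: names exported by OLD but missing from NEW
abi_removed() { comm -23 "$1" "$2"; }

# abi_added OLD NEW: names exported by NEW that OLD lacked
abi_added() { comm -13 "$1" "$2"; }

# count_added OLD NEW: number of newly exported symbols
count_added() { abi_added "$1" "$2" | wc -l | tr -d ' '; }

# check_abi OLD NEW: return 0 if NEW keeps every symbol of OLD, else 1
check_abi() {
    removed=$(abi_removed "$1" "$2")
    if [ -n "$removed" ]; then
        printf 'ABI BREAK, symbols dropped:\n%s\n' "$removed" >&2
        return 1
    fi
    return 0
}

# compare_libs OLD.so NEW.so: list added symbols, fail if any were removed
compare_libs() {
    old_list=$(mktemp)
    new_list=$(mktemp)
    exported_symbols "$1" "$old_list"
    exported_symbols "$2" "$new_list"
    printf 'newly exported symbols: %s\n' "$(count_added "$old_list" "$new_list")"
    abi_added "$old_list" "$new_list"
    if check_abi "$old_list" "$new_list"; then status=0; else status=1; fi
    rm -f "$old_list" "$new_list"
    return $status
}

# demo: constructed symbol lists (illustrative names, not wolfssl's real
# export table) showing one compatible and one ABI-breaking update.
demo() {
    d=$(mktemp -d)
    printf 'wolfSSL_Init\nwolfSSL_new\nwolfSSL_free\n' | symbol_set "$d/old"
    printf 'wolfSSL_Init\nwolfSSL_new\nwolfSSL_free\nwolfSSL_extra\n' | symbol_set "$d/new"
    printf 'wolfSSL_Init\nwolfSSL_new\n' | symbol_set "$d/broken"
    check_abi "$d/old" "$d/new"          # compatible: one added, none removed
    if check_abi "$d/old" "$d/broken" 2>/dev/null; then
        rm -rf "$d"
        return 1                         # must not happen: wolfSSL_free vanished
    fi
    rm -rf "$d"
    return 0
}

# Placeholder invocation against real libraries (paths are examples only):
#   compare_libs /usr/lib/x86_64-linux-gnu/libwolfssl.so.N debian/tmp/usr/lib/x86_64-linux-gnu/libwolfssl.so.N
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh abi-check.sh demo` for the constructed case, or source the file and call compare_libs on the installed trixie library and the freshly built one. The check is deliberately one-sided: a non-empty removed list is a hard failure, while the added list is only reported, since extra exports do not break existing consumers but are the "additionally exported symbols" the report says were trimmed.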


More information about the Pkg-voip-maintainers mailing list