Format: 1.8
Date: Thu, 30 Apr 2026 15:38:39 +0300
Source: mbedtls
Architecture: source
Version: 3.6.6-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers <debian-iot-maintainers@alioth-lists.debian.net>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1132577 1133841
Changes:
 mbedtls (3.6.6-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2026-25834: Signature Algorithm Injection
     - CVE-2026-25835: PSA random generator cloning
     - CVE-2026-34872: FFDH: improper input validation
     - CVE-2026-34873: Client impersonation resuming a TLS 1.3 session
     - CVE-2026-34874: Null pointer dereference setting a distinguished name
     - CVE-2026-34875: Buffer overflow in FFDH public key export
     - CVE-2026-34876: CCM multipart finish tag-length validation bypass
     (Closes: #1133841, #1132577)
Checksums-Sha1:
 a874b9a95ac96434584f7dc5afd71143997edfd5 2456 mbedtls_3.6.6-0.1.dsc
 71dd91cc76e77a0dcf0d8020377523ed7e703d8e 5508045 mbedtls_3.6.6.orig.tar.bz2
 d13733695145ca25276cd740d4753a536e65085e 19060 mbedtls_3.6.6-0.1.debian.tar.xz
Checksums-Sha256:
 cb5fe6f6b65667f993092eb7359b98155ceb8e67fa978afdf06256c75efe0bb4 2456 mbedtls_3.6.6-0.1.dsc
 8fb65fae8dcae5840f793c0a334860a411f884cc537ea290ce1c52bb64ca007a 5508045 mbedtls_3.6.6.orig.tar.bz2
 223d5b247d60c8954cd14a6c685a9fbaf68578dc19c8f7b70b29a29cc5aa48aa 19060 mbedtls_3.6.6-0.1.debian.tar.xz
Files:
 30c4ca31518e43e0d230d1e58af35bb2 2456 libs optional mbedtls_3.6.6-0.1.dsc
 8147a63a1ce289ebc0fb2190a5cce03f 5508045 libs optional mbedtls_3.6.6.orig.tar.bz2
 2de996e1eaeafb07437fc64a3a3c8d89 19060 libs optional mbedtls_3.6.6-0.1.debian.tar.xz