Format: 1.8
Date: Sat, 13 Jun 2026 19:00:51 +0200
Source: openssl
Architecture: source
Version: 3.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 1139674
Changes:
 openssl (3.6.3-1) unstable; urgency=medium
 .
   * Import 3.6.3 (Closes: #1139674)
     - CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion")
     - CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption")
     - CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing")
     - CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys")
     - CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged Messages")
     - CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler")
     - CVE-2026-35188 ("Double-free When Checking OCSP Stapled Response")
     - CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet handling")
     - CVE-2026-42765 ("NULL Dereference in Certificate Verification with OCSP Checking")
     - CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS Decryption")
     - CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue Decryption")
     - CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()")
     - CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate")
     - CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q")
     - CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path")
     - CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes")
     - CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()")