From foo@bar  Sun Jun 14 00:30:03 2026
Format: 1.8
Date: Sat, 13 Jun 2026 20:01:42 +0200
Source: openssl
Binary: libcrypto4-udeb libssl-dev libssl4 libssl4-dbgsym libssl4-udeb openssl openssl-dbgsym openssl-provider-fips openssl-provider-fips-dbgsym openssl-provider-legacy openssl-provider-legacy-dbgsym
Architecture: alpha
Version: 4.0.1-1
Distribution: experimental
Urgency: medium
Maintainer: alpha Build Daemon (imago) <buildd@imago.buildd.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 libcrypto4-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl4    - Secure Sockets Layer toolkit - shared libraries
 libssl4-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
 openssl-provider-fips - Secure Sockets Layer toolkit - cryptographic utility
 openssl-provider-legacy - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (4.0.1-1) experimental; urgency=medium
 .
   * Import 4.0.1
    - CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String
      Conversion")
    - CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption")
    - CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing")
    - CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC
      Keys")
    - CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged
      Messages")
    - CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE
      Handler")
    - CVE-2026-35188 ("Double-free When Checking OCSP Stapled Response")
    - CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet
      handling")
    - CVE-2026-42765 ("NULL Dereference in Certificate Verification with OCSP
      Checking")
    - CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS
      Decryption")
    - CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue
      Decryption")
    - CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in
      CMS_decrypt() and PKCS7_decrypt()")
    - CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP
      rootCaKeyUpdate")
    - CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q")
    - CVE-2026-42771 ("Possible Out of Bounds Read in
      X509_VERIFY_PARAM_set1_email()")
    - CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path")
    - CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in
      AES-GCM-SIV and AES-SIV modes")
    - CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()")
Checksums-Sha1:
Checksums-Sha256:
Files:
 21d0da3002fa297f3e2f2fc4e15d3658 1686892 debian-installer optional libcrypto4-udeb_4.0.1-1_alpha.udeb
 6913105e8f78ad925d7da360a6bc63cc 3113536 libdevel optional libssl-dev_4.0.1-1_alpha.deb
 2b503685996cb3d0d15276b72adfbbb1 5740792 debug optional libssl4-dbgsym_4.0.1-1_alpha.deb
 541cc8d97edf357233ac494635f10612 393636 debian-installer optional libssl4-udeb_4.0.1-1_alpha.udeb
 2f46cd2f4cc404fd5a60a352538467fa 2134352 libs optional libssl4_4.0.1-1_alpha.deb
 0c87673a47575c130d306bb6049ed6eb 766544 debug optional openssl-dbgsym_4.0.1-1_alpha.deb
 71c79f2d0552bf24b8335ab93052e76c 1639076 debug optional openssl-provider-fips-dbgsym_4.0.1-1_alpha.deb
 2296415a21816cdcfa185369420cf6f6 852440 utils optional openssl-provider-fips_4.0.1-1_alpha.deb
 06f6b83ac4416644a98554543a7893ab 100828 debug optional openssl-provider-legacy-dbgsym_4.0.1-1_alpha.deb
 2ecb331326cb07e7e266940212781b18 329248 utils optional openssl-provider-legacy_4.0.1-1_alpha.deb
 8f073148d82e794eb0ec036929e7957c 8203 utils optional openssl_4.0.1-1_alpha.buildinfo
 390956aeee71b67e5a4d2559c025aa86 1522360 utils optional openssl_4.0.1-1_alpha.deb
Signed-By: buildd autosigning key imago <buildd_alpha-imago@buildd.debian.org>

