Your message dated Sat, 11 Jul 2026 13:19:52 +0000
with message-id <[email protected]>
and subject line Bug#1141184: fixed in p11-kit 0.26.4-1
has caused the Debian Bug report #1141184,
regarding p11-kit: CVE-2026-13757
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141184: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141184
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: p11-kit
Version: 0.26.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi Andreas,

The following vulnerability was published for p11-kit.

Sorry for the wague report.

CVE-2026-13757[0]:
| A flaw was found in p11-kit. The RPC message attribute parsing
| functions p11_rpc_message_get_attribute() and
| p11_rpc_message_get_attribute_array_value() form a mutually-
| recursive call chain with no recursion depth limit when processing
| nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and
| CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with
| local access to the p11-kit RPC Unix domain socket can send a
| specially crafted request with deeply nested template attributes,
| causing stack exhaustion and crashing the p11-kit server process and
| its dependent services.

TTBOMK, so far the only reference is actually the bugzilla entry form
Red Hat. Is upstream aware of the issue, or is there actually an
upstream tracking of it?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-13757
    https://www.cve.org/CVERecord?id=CVE-2026-13757
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2494556

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: p11-kit
Source-Version: 0.26.4-1
Done: Andreas Metzler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
p11-kit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated p11-kit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Jul 2026 15:01:13 +0200
Source: p11-kit
Architecture: source
Version: 0.26.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1141184
Changes:
 p11-kit (0.26.4-1) unstable; urgency=medium
 .
   * New upstream version.
     + server: fixed stack exhaustion via unbounded recursion in RPC attribute
       parsing by enforcing a recursion depth limit (CVE-2026-13757)
       Closes: #1141184
     + Drop 40-Fix-autoreconf-error-with-gettext-1.0.patch
   * Use debhelper-compat v14.
Checksums-Sha1: 
 899b90ebae49cfe420e888cb00ef5e53a022cc1f 2541 p11-kit_0.26.4-1.dsc
 2c50b7695f11d0de52e23b1320675b15f9a1042b 1081912 p11-kit_0.26.4.orig.tar.xz
 479a182b6f30b527f72e6d4616541ca58f85343e 228 p11-kit_0.26.4.orig.tar.xz.asc
 01f9f5018b19c8fb7957346d1028356f1e5143bf 24564 p11-kit_0.26.4-1.debian.tar.xz
Checksums-Sha256: 
 7d84cf28d361f0ff3fc3d84ca4f8af055dafe6fc3c9ff4321a5b7eb74106e5de 2541 
p11-kit_0.26.4-1.dsc
 89c3ffb10e076ee036e14732bf6547a1e1c4fb48699a5dee7ceb5ce4f7c0c462 1081912 
p11-kit_0.26.4.orig.tar.xz
 d90cf61ce8586e7cbd00088057ad8f1b6ef5fba0bff085a16ffca99b8e72289e 228 
p11-kit_0.26.4.orig.tar.xz.asc
 1c90bd8e284394c651748da318021eaaa6f5f1e728bc4793b88fe9fed10aff0a 24564 
p11-kit_0.26.4-1.debian.tar.xz
Files: 
 f16992c829a40be1458a6d84938d0f1e 2541 libs optional p11-kit_0.26.4-1.dsc
 4c0d2f26fd93278f5b0d22ec917cf030 1081912 libs optional 
p11-kit_0.26.4.orig.tar.xz
 267f97ce4a4eda6794cbdb0555dadadb 228 libs optional 
p11-kit_0.26.4.orig.tar.xz.asc
 060365a613b1c4893859adfea825e6a6 24564 libs optional 
p11-kit_0.26.4-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmpSP1AACgkQpU8BhUOC
FIQo1w//cJM8O3RkI+A0oPDArqVJtGwkI3D6eLIi+rwpvwPe3VCbFbf3gPjm5iXb
ZcQTt9nPTK7d0pycuXF32vUJGoJyPuIBgxQ81CDXhEeF8Eer9ZfaWtoQb8FF1DZu
4RtP8zZ2JXSq/A9b/B1iKAdRiPOnkNmiyFyiGp7rWpm6lvRlqCj4r7UIoKf2zD1b
I2/3FdrkJ9+Dvi3mOH066MDQQl1U1TR3qp1y8wBYe61crWAtIKxPkhymZwcsvLO2
A+iYnRc1X71+4SnAER9ejD3I1rNHi71FZeKkJd+N0lmOLzQnJQdxT2Z+wceIBgGU
P3BpDwQl6NIe3n7PG6uWRia8IUd4/e6g5ZEFtketGK2isTQ2we8U/sWVsndxabWP
mnEMz/rodgNJx+8SZ76V09dlL2Ml8hi2apc2ItJ8IV7o4knWwPe10+pu7tyoIe4x
1D64XF4SDY5GIIsGLZyWgOWUaZiBIPRX1O7Eyoeu1gwhmUId9UKhr0n06E7hFATZ
tGzZKuuwhqjX4+y8EjA+IoNo3PBbsvmpNtDyLF6axfaAPxd1E5nIMUre+qgfqEIU
RvhhzzkvqlnXbeJD8jmjgZWGjBN3RKS1BuRxy1zV3aWmIjG6MzePC+dcyuEmK6s/
NKMDSin0Ie//6lokTMkk+dPZ/sicGSxtGJLVS7aoGF33LtfrZYU=
=BGWk
-----END PGP SIGNATURE-----

Attachment: pgpC2wFi_qa3T.pgp
Description: PGP signature


--- End Message ---

Reply via email to