Your message dated Sat, 13 Jun 2026 18:49:33 +0000
with message-id <[email protected]>
and subject line Bug#1139674: fixed in openssl 3.6.3-1
has caused the Debian Bug report #1139674,
regarding libssl3t64: various CVEs, including CVE-2026-45447 with possible RCE
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139674
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl3t64
Version: 3.6.2-1
Severity: grave
Tags: upstream
Justification: user security hole
Hey.
There are multiple CVEs:
https://openssl-library.org/news/secadv/20260609.txt
including CVE-2026-45447 which potentially allows for RCE.
These have all been fixed in stable 2 days ago,
but unstable/testing have been left out (which seems unfortunate,
given that probably many DDs/DMs also run on either of the two).
Cheers,
Chris.
-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 7.0.12+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libssl3t64 depends on:
ii libc6 2.42-16
ii libzstd1 1.5.7+dfsg-3+b2
ii openssl-provider-legacy 3.6.2-1
ii zlib1g 1:1.3.dfsg+really1.3.2-3
libssl3t64 recommends no packages.
libssl3t64 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.6.3-1
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Jun 2026 19:00:51 +0200
Source: openssl
Architecture: source
Version: 3.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1139674
Changes:
openssl (3.6.3-1) unstable; urgency=medium
.
* Import 3.6.3 (Closes: #1139674)
- CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String
Conversion")
- CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption")
- CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing")
- CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC
Keys")
- CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged
Messages")
- CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE
Handler")
- CVE-2026-35188 ("Double-free When Checking OCSP Stapled Response")
- CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet
handling")
- CVE-2026-42765 ("NULL Dereference in Certificate Verification with OCSP
Checking")
- CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS
Decryption")
- CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue
Decryption")
- CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in
CMS_decrypt() and PKCS7_decrypt()")
- CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP
rootCaKeyUpdate")
- CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q")
- CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path")
- CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in
AES-GCM-SIV and AES-SIV modes")
- CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()")
Checksums-Sha1:
d67d8b5686ae864769a69db788d960ddfbc24ef0 2675 openssl_3.6.3-1.dsc
72142e828396004a60af4a8458f30216a7906cbb 54953005 openssl_3.6.3.orig.tar.gz
d35dd18a12f73c9f0fbcb52234ab8fd40a871236 833 openssl_3.6.3.orig.tar.gz.asc
2e81c08e0e82d4d9b2e8262ba0cb609f6953fd9b 51336 openssl_3.6.3-1.debian.tar.xz
Checksums-Sha256:
490192136153d535905ab20e2912f6044a794bbd9abc2d7e5183753be53ba8b4 2675 openssl_3.6.3-1.dsc
243a86649cf6f23eeb6a2ff2456e09e5d77dd9018a54d3d96b0c6bdd6ba6c7f1 54953005 openssl_3.6.3.orig.tar.gz
b63c50e25308f0ace0186196b0b65b698cc73e814a7cc29cd7a43c6d134fd8b4 833 openssl_3.6.3.orig.tar.gz.asc
359040b3f618c38d601968fd097eef2eb4b66de0beb98d862457618f3ce13b26 51336 openssl_3.6.3-1.debian.tar.xz
Files:
a70389af7a456bd57c5fe302079da017 2675 utils optional openssl_3.6.3-1.dsc
f388d6144fe20b9b2c6bf208280d6ec3 54953005 utils optional openssl_3.6.3.orig.tar.gz
9f187ecf776ff34a1b9ea5631102d573 833 utils optional openssl_3.6.3.orig.tar.gz.asc
06ea8671f50efb05844ca1105b9b533e 51336 utils optional openssl_3.6.3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---