Your message dated Sat, 04 Jul 2026 16:25:39 +0000
with message-id <[email protected]>
and subject line Bug#1140815: fixed in wolfssl 5.9.2-1
has caused the Debian Bug report #1140815,
regarding wolfssl: CVE-2026-55958 CVE-2026-55960 CVE-2026-55962 CVE-2026-55964 
CVE-2026-6092 CVE-2026-6325 CVE-2026-6329 CVE-2026-6330 CVE-2026-6331 
CVE-2026-6412 CVE-2026-6450 CVE-2026-6678 CVE-2026-6731 CVE-2026-7511 
CVE-2026-7531 CVE-2026-7532 CVE-2026-8720
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140815: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140815
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wolfssl
Version: 5.9.1-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for wolfssl.

CVE-2026-55958[0]:
| Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript buffer.
| In tsip_StoreMessage() the capacity check guarding the fixed message
| bag (MSGBAG_SIZE) sets an error code but fails to return, so
| execution falls through to an XMEMCPY that writes past the end of
| the buffer once the accumulated TLS 1.3 handshake transcript exceeds
| MSGBAG_SIZE (8 KB), corrupting adjacent heap state and potentially
| causing a remote denial of service crash. The bag is sized to hold a
| normal handshake, so this is reached only by an unusually large but
| valid certificate chain, or by a malicious or man-in-the-middle
| server sending an oversized handshake message to a client that does
| not strictly verify the chain. This only affects builds using the
| Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) as a TLS 1.3 client
| on Renesas MCUs with TSIP hardware enabled, and is rated High within
| those builds. All other configurations are unaffected.


CVE-2026-55960[1]:
| Un-negotiated Raw Public Key (RFC 7250) accepted in place of an
| X.509 certificate, bypassing chain validation. A raw public key has
| no chain, so ParseCertRelative() accepts it without performing any
| trust verification; it must therefore only be accepted when RPK was
| actually negotiated for that peer. The check now defaults the
| expected type to X.509 (per RFC 7250/8446) when no type was
| negotiated, comparing against the received server certificate type
| on the client and the selected client certificate type on the
| server, and rejects any mismatch, including an un-negotiated raw
| public key, with UNSUPPORTED_CERTIFICATE. Only affects builds with
| Raw Public Key support (HAVE_RPK) enabled - disabled by default in a
| standalone build, but included in --enable-all.


CVE-2026-55962[2]:
| TLS 1.3 post-handshake authentication (PHA) issue where a server
| could accept a client's Finished message without the client having
| sent a Certificate and CertificateVerify. The post-handshake-auth
| exemption that allows an empty/absent peer certificate was only
| intended for the initial handshake, but it was also being applied
| while a post-handshake CertificateRequest was still outstanding. The
| check is now scoped to the initial handshake only: on the server,
| once a post-handshake CertificateRequest has been sent (certReqCtx
| is set), a peer certificate and a valid CertificateVerify are
| required again before the Finished is accepted, with empty-
| certificate handling following the configured verify mode
| (FAIL_IF_NO_PEER_CERT) just as during first-handshake client
| authentication. Only affects TLS 1.3 servers built with post-
| handshake authentication support (WOLFSSL_POST_HANDSHAKE_AUTH /
| --enable-postauth, included in --enable-all) that enable
| WOLFSSL_VERIFY_POST_HANDSHAKE and request a client certificate after
| the handshake via wolfSSL_request_certificate(). Clients, and
| servers that do not use post-handshake authentication, are
| unaffected.


CVE-2026-55964[3]:
| Chain intermediate CA:TRUE without keyCertSign accepted as a signing
| CA. Intermediate CA certificates are required to have the
| keyCertSign key usage when a Key Usage extension is present, but
| chain-supplied temporary CAs (WOLFSSL_TEMP_CA) added while building
| a certificate path were previously exempted from this check, so an
| intermediate asserting CA:TRUE but lacking keyCertSign was accepted
| as a signing CA. The check now applies to chain-supplied temporary
| CAs as well; only operator-loaded root certificates
| (WOLFSSL_USER_CA) and self-signed roots remain exempt. Per RFC 5280
| an absent Key Usage extension implies all usages, so the requirement
| is enforced only when the extension is actually present
| (extKeyUsageSet). Affects the OpenSSL-compatibility certificate-
| path-building path (X509_verify_cert / X509_STORE,
| OPENSSL_EXTRA/OPENSSL_ALL), where untrusted chain intermediates are
| added as temporary CAs; native (non-OpenSSL-compat) certificate
| verification does not create temporary CAs and is unaffected. Within
| those builds, the check applies unless ALLOW_INVALID_CERTSIGN is
| defined.


CVE-2026-6092[4]:
| When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could
| fall back to MAC-then-Encrypt rather than enforcing Encrypt-then-
| MAC.


CVE-2026-6325[5]:
| Out-of-bounds write in SetSuitesHashSigAlgo when processing an
| oversized signature algorithms list, allowing a write past the
| bounds of the destination buffer.


CVE-2026-6329[6]:
| PKCS#12 MAC verification uses an attacker-controlled comparison
| length, weakening the integrity check on the MAC and allowing a
| mismatched MAC to be accepted. The PKCS#12 verify path compared the
| locally computed HMAC against the MAC parsed from the PKCS#12
| structure using a length taken directly from the attacker-supplied
| input, without first verifying that it equals the length of the
| digest actually produced by the configured algorithm. A truncated or
| zero-length stored MAC could therefore be accepted, defeating the
| integrity protection of the MAC.


CVE-2026-6330[7]:
| The ML-KEM ARM64 NEON ciphertext comparison only compares half of
| the input, breaking the Fujisaki-Okamoto transform's implicit
| rejection and weakening IND-CCA2 security on that code path. The
| constant-time comparison effectively ignored part of the re-
| encrypted ciphertext, so a decapsulating party could fail to detect
| a manipulated ciphertext and proceed without the standard's required
| implicit rejection.


CVE-2026-6331[8]:
| HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-
| length tag could be accepted as valid during HMAC verification. In
| the OpenSSL-compatibility HMAC verify path the supplied signature
| length was only checked as not exceeding the MAC length, so a zero-
| length or otherwise truncated tag could pass verification. The fix
| requires the supplied tag length to exactly equal the MAC length and
| rejects a zero-length MAC, so a forged short or empty tag is no
| longer accepted.


CVE-2026-6412[9]:
| Certificate policy and RFC 8446 compliance concerns regarding the
| continued acceptance of SHA-1/MD5 in certificate processing.


CVE-2026-6450[10]:
| A CRL critical extension bypass exists in ParseCRL_Extensions where
| critical extensions are not properly enforced, allowing a crafted
| CRL with an unhandled critical extension to be accepted. This only
| affects builds with CRL support enabled and where a crafted CRL had
| a trusted signature when parsed.


CVE-2026-6678[11]:
| Integer underflow in wc_PKCS7_DecryptOri when handling crafted Other
| Recipient Info, leading to incorrect length handling during
| decryption.


CVE-2026-6731[12]:
| X.509 name constraint bypass via the Subject Common Name when
| treated as a DNS-type name. A certificate whose Subject CN violates
| an issuing CA's DNS name constraints could be accepted.


CVE-2026-7511[13]:
| PKCS7_verify signer confusion allows forged signatures, where the
| signer associated with a signature is not correctly bound,
| permitting a forged signature to be accepted.


CVE-2026-7531[14]:
| Use-after-free in PQC hybrid key-share handling. This is an
| incomplete-fix follow-up to CVE-2026-5460 (released in 5.9.1): a
| malicious TLS 1.3 server sending a truncated PQC hybrid KeyShare can
| still trigger the error cleanup path to operate on freed memory.


CVE-2026-7532[15]:
| iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not
| defined. IP address name constraints are not enforced in that
| configuration, allowing a certificate to bypass an issuing CA's IP
| address constraints.


CVE-2026-8720[16]:
| wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when
| the key length exceeds the block size, producing a MAC that is
| independent of the input. When the supplied key is longer than the
| BLAKE2 block size the key-hashing branch reinitialized the running
| hash state, discarding the accumulated message data, so the
| resulting MAC depended only on the key and not on the message being
| authenticated. This bug is specific to the HMAC-BLAKE2 APIs that
| were added in wolfSSL version 5.9.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-55958
    https://www.cve.org/CVERecord?id=CVE-2026-55958
[1] https://security-tracker.debian.org/tracker/CVE-2026-55960
    https://www.cve.org/CVERecord?id=CVE-2026-55960
[2] https://security-tracker.debian.org/tracker/CVE-2026-55962
    https://www.cve.org/CVERecord?id=CVE-2026-55962
[3] https://security-tracker.debian.org/tracker/CVE-2026-55964
    https://www.cve.org/CVERecord?id=CVE-2026-55964
[4] https://security-tracker.debian.org/tracker/CVE-2026-6092
    https://www.cve.org/CVERecord?id=CVE-2026-6092
[5] https://security-tracker.debian.org/tracker/CVE-2026-6325
    https://www.cve.org/CVERecord?id=CVE-2026-6325
[6] https://security-tracker.debian.org/tracker/CVE-2026-6329
    https://www.cve.org/CVERecord?id=CVE-2026-6329
[7] https://security-tracker.debian.org/tracker/CVE-2026-6330
    https://www.cve.org/CVERecord?id=CVE-2026-6330
[8] https://security-tracker.debian.org/tracker/CVE-2026-6331
    https://www.cve.org/CVERecord?id=CVE-2026-6331
[9] https://security-tracker.debian.org/tracker/CVE-2026-6412
    https://www.cve.org/CVERecord?id=CVE-2026-6412
[10] https://security-tracker.debian.org/tracker/CVE-2026-6450
    https://www.cve.org/CVERecord?id=CVE-2026-6450
[11] https://security-tracker.debian.org/tracker/CVE-2026-6678
    https://www.cve.org/CVERecord?id=CVE-2026-6678
[12] https://security-tracker.debian.org/tracker/CVE-2026-6731
    https://www.cve.org/CVERecord?id=CVE-2026-6731
[13] https://security-tracker.debian.org/tracker/CVE-2026-7511
    https://www.cve.org/CVERecord?id=CVE-2026-7511
[14] https://security-tracker.debian.org/tracker/CVE-2026-7531
    https://www.cve.org/CVERecord?id=CVE-2026-7531
[15] https://security-tracker.debian.org/tracker/CVE-2026-7532
    https://www.cve.org/CVERecord?id=CVE-2026-7532
[16] https://security-tracker.debian.org/tracker/CVE-2026-8720
    https://www.cve.org/CVERecord?id=CVE-2026-8720

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wolfssl
Source-Version: 5.9.2-1
Done: Jacob Barthelmeh <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jacob Barthelmeh <[email protected]> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jun 2026 15:34:18 -0600
Source: wolfssl
Binary: libwolfssl-dev libwolfssl45 libwolfssl45-dbgsym
Architecture: source amd64
Version: 5.9.2-1
Distribution: unstable
Urgency: medium
Maintainer: Jacob Barthelmeh <[email protected]>
Changed-By: Jacob Barthelmeh <[email protected]>
Description:
 libwolfssl-dev - Development files for the wolfSSL encryption library
 libwolfssl45 - wolfSSL encryption library
Closes: 1140765 1140815
Changes:
 wolfssl (5.9.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix for CVE-2026-11310, CVE-2026-11999, CVE-2026-6679, CVE-2026-55958,
     CVE-2026-55960, CVE-2026-55961, CVE-2026-6731, CVE-2026-6091,
     CVE-2026-6094, CVE-2026-6329, CVE-2026-6330, CVE-2026-8720,
     CVE-2026-10097, CVE-2026-10098, CVE-2026-10592, CVE-2026-7532,
     CVE-2026-6291, CVE-2026-7511, CVE-2026-11703, CVE-2026-55962,
     CVE-2026-55964, CVE-2026-6092, CVE-2026-6331, CVE-2026-6681,
     CVE-2026-10512, CVE-2026-6678, CVE-2026-7531, CVE-2026-6325,
     CVE-2026-6412, CVE-2026-6450, CVE-2026-12340, CVE-2026-55967
     (Closes: #1140765, #1140815)
 .
   [ Bastian Germann ]
   * Revert "Fix PKCS#7 verification" (no longer needed for Debian packages)
Checksums-Sha1:
 ed12848294b88ffd13f051ecb9a6e22ec0ae925f 1994 wolfssl_5.9.2-1.dsc
 ed37005e913f819adaee5878e25d6a460a60fd87 28078586 wolfssl_5.9.2.orig.tar.gz
 89688bd0ad635df17893491ca302e79c849f5d88 488 wolfssl_5.9.2.orig.tar.gz.asc
 fb83c5c62619bfc7c28dff234df85745daa6fb13 33580 wolfssl_5.9.2-1.debian.tar.xz
 7bbefc45cfb88d563541e0b0cc6043967125110e 1787908 
libwolfssl-dev_5.9.2-1_amd64.deb
 65e16ac5a661c37ca7a8eb33ade4adcf80bdc674 3305460 
libwolfssl45-dbgsym_5.9.2-1_amd64.deb
 86b516b373755e21146c12363aedd7028bd3fc7c 1189528 libwolfssl45_5.9.2-1_amd64.deb
 640c3971f522bc90aaf5366a939fb2186cfbaf79 6749 wolfssl_5.9.2-1_amd64.buildinfo
Checksums-Sha256:
 6fc35cea9c1685d1450ef775a8e70c3d446d5081b7988e98f9a6c58e592fe42f 1994 
wolfssl_5.9.2-1.dsc
 2f4ef3d4fd387a9b3191d36a6316d69116c46ff69bb9583b6c82b36d7b8ca114 28078586 
wolfssl_5.9.2.orig.tar.gz
 952b64ced70d37420b6d2d8aea2696001209488bb1269ff6bd8af30bf1dc8ef3 488 
wolfssl_5.9.2.orig.tar.gz.asc
 da13ab631f59b6eeea2633e799e6b19766ddcf4aa887bd3c8b7c037b2e2ae9ef 33580 
wolfssl_5.9.2-1.debian.tar.xz
 b0d280c9f27642857cf352ee4d1422e7fdf7abb5571555bb176cb635f88c3a10 1787908 
libwolfssl-dev_5.9.2-1_amd64.deb
 6ee6a5bf45e7846c75f4987ca2e2caab62a313d499556f006c618b938c41a12c 3305460 
libwolfssl45-dbgsym_5.9.2-1_amd64.deb
 03aaa66e7edf41807edd5b318bc789cf5dbd3885de8f046b613d1ab26e233fbe 1189528 
libwolfssl45_5.9.2-1_amd64.deb
 8662cd5f537d7c09e043a6e7e903c5b1a9373fd39943e116267d40b3a5aee9bc 6749 
wolfssl_5.9.2-1_amd64.buildinfo
Files:
 999398f4dc0a14f6955d747d79162d5a 1994 libs optional wolfssl_5.9.2-1.dsc
 880765fbb83c8dbcd78bdeffdc8bcbe5 28078586 libs optional 
wolfssl_5.9.2.orig.tar.gz
 2e0dddc7f12e26f24e7d5f0d9f738414 488 libs optional 
wolfssl_5.9.2.orig.tar.gz.asc
 e825f01203c0f684a7ba3f97817a66b5 33580 libs optional 
wolfssl_5.9.2-1.debian.tar.xz
 727281a32d5247a92bb008e9e42b1779 1787908 libdevel optional 
libwolfssl-dev_5.9.2-1_amd64.deb
 c36a40c0b3ad7ee723550e70762d2440 3305460 debug optional 
libwolfssl45-dbgsym_5.9.2-1_amd64.deb
 936d6e4888585d01285366a174a72969 1189528 libs optional 
libwolfssl45_5.9.2-1_amd64.deb
 9704b83b01961c15ed9fe986aa31babb 6749 libs optional 
wolfssl_5.9.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmpCok0QHGJhZ2VAZGVi
aWFuLm9yZwAKCRAfXHqLRVZDFLfGC/9d3qpu90JpgVSD2pKzyybdB1gXB767OTs1
eFZ5H8XTsWRjxu4zb6sqwHOO1RhWskEW2QQepKcLt9cvLP/TjW9GIHmAEaZn5PGw
3BHli5MXu+o27EAdWZLn9QC8rr+vh9vYkp6qHuKOLom0LHASXBtyNhnwWWAZz59F
oC6o1Z2yibODqhYO5h8xJU3ipE9N7+U3wxO9K+94XJbWuNHhZfKPZAP4TPT0kXMB
S7oEpzxcWVZ1UD95y5TInQb1h1MhD9ZBy5MBx1NuzzR8S2raqOncmaY+mgssG0m9
uXg+hKZmrBZZiX39NvMuDrSoUAOBR6Qh5w9S1AmLryEVcs2ASHzcrFW6rc9/cWdS
jEsA7X+zSbbMeM5bO5Zi2gxZPjS8SGU2lOprFEMZGbMM1TrEsW8dW6GRCUEQEcUx
DRIFzGKrnYoZp7hk+TTGt+YbQx648+loTJYI3Dbhgwl0qcmhgE2qgznr9PRxkr1s
DIbyaFnG+qyHR6kEER9bnDn+QmGT/uU=
=/XAQ
-----END PGP SIGNATURE-----

Attachment: pgpZrtkrzQzl2.pgp
Description: PGP signature


--- End Message ---

Reply via email to