I am updating the debdiff because the first submission had
trixie-security in the changelog. This has to be trixie obviously.
The Security Team asked us to go the stable release route.
diff -Nru wolfssl-5.7.2/debian/changelog wolfssl-5.7.2/debian/changelog
--- wolfssl-5.7.2/debian/changelog      2025-08-10 15:17:47.000000000 +0200
+++ wolfssl-5.7.2/debian/changelog      2026-07-05 23:43:31.000000000 +0200
@@ -1,3 +1,30 @@
+wolfssl (5.7.2-0.1+deb13u2) trixie; urgency=high
+
+  * Backport upstream security fixes. (See #1140765, #1140815)
+  * CVE-2026-5194: require certificate signature OID to match issuer key
+    OID.
+  * CVE-2026-55960: validate negotiated certificate type for raw public
+    keys.
+  * CVE-2026-55961: reject degenerate certs-only PKCS#7 in PKCS7_verify.
+  * CVE-2026-55962: require client cert on outstanding TLS 1.3 post-
+    handshake auth.
+  * CVE-2026-55967: reject AES-GCM cumulative size overflow in streaming
+    update.
+  * CVE-2026-6092: enforce Encrypt-then-MAC on the TLS resumption path.
+  * CVE-2026-6094: bound encrypted content size in PKCS7 EnvelopedData.
+  * CVE-2026-6325: bound index in SetSuitesHashSigAlgo to prevent OOB
+    write.
+  * CVE-2026-6329: reject PKCS#12 MAC length mismatch.
+  * CVE-2026-6331: require exact HMAC tag length in
+    EVP_DigestVerifyFinal.
+  * CVE-2026-6450: reject CRLs with unrecognized critical extensions.
+  * CVE-2026-6678: fix integer underflow in wc_PKCS7_DecryptOri.
+  * CVE-2026-6681: respect caller output buffer size in PKCS7 decode.
+  * CVE-2026-6731: apply DNS name constraints to Subject CN when no SAN.
+  * CVE-2026-7511: report the verifying cert as the PKCS#7 signer.
+
+ -- Jacob Barthelmeh <[email protected]>  Sun, 05 Jul 2026 15:43:31 -0600
+
 wolfssl (5.7.2-0.1+deb13u1) trixie; urgency=medium
 
   * Fix CVE-2025-7394: weak/predictable random numbers. (Closes: #1109549)
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch       
1970-01-01 01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch       
2026-07-05 23:43:31.000000000 +0200
@@ -0,0 +1,382 @@
+Description: CVE-2026-5194 - enforce minimum/maximum digest sizes in signature 
ops
+ Companion to CVE-2026-5194.patch (asn.c signature-OID match). Backports the
+ wolfcrypt-level digest-size enforcement half of upstream commit abce5be9: adds
+ WC_MIN_DIGEST_SIZE (hash.h) and rejects too-small/too-large hash inputs in the
+ ECC and DSA sign/verify primitives, the Ed25519ph/Ed448ph prehash length,
+ wc_SignatureVerifyHash and the PKCS7 ECDSA verify path. The upstream 
internal.c
+ EccVerify guard is omitted: it is redundant (EccVerify calls the now-guarded
+ wc_ecc_verify_hash) and its context mis-binds to Ed25519Sign on 5.7.2. The
+ enum->define header refactor, kernel module port, dilithium (not built) and
+ test-only hunks are likewise omitted.
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/abce5be989ccd0665e2b9445abb856886975dfd1
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-5194
+Author: wolfSSL
+Forwarded: not-needed
+Index: wolfssl-5.7.2/wolfcrypt/src/dsa.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/dsa.c
++++ wolfssl-5.7.2/wolfcrypt/src/dsa.c
+@@ -34,6 +34,7 @@
+ #include <wolfssl/wolfcrypt/logging.h>
+ #include <wolfssl/wolfcrypt/sha.h>
+ #include <wolfssl/wolfcrypt/dsa.h>
++#include <wolfssl/wolfcrypt/hash.h>
+ 
+ #ifdef NO_INLINE
+     #include <wolfssl/wolfcrypt/misc.h>
+@@ -680,6 +681,12 @@ int wc_DsaSign_ex(const byte* digest, wo
+     if (digest == NULL || out == NULL || key == NULL || rng == NULL)
+         return BAD_FUNC_ARG;
+ 
++    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
++        (digestSz < WC_MIN_DIGEST_SIZE))
++    {
++        return BAD_LENGTH_E;
++    }
++
+     SAVE_VECTOR_REGISTERS(return _svr_ret;);
+ 
+     do {
+@@ -1013,6 +1020,16 @@ int wc_DsaVerify_ex(const byte* digest,
+     if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
+         return BAD_FUNC_ARG;
+ 
++    /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
++     * WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as
++     * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.
++     */
++    if ((digestSz > WC_MAX_DIGEST_SIZE) ||
++        (digestSz < WC_SHA_DIGEST_SIZE))
++    {
++        return BAD_LENGTH_E;
++    }
++
+     do {
+ #ifdef WOLFSSL_SMALL_STACK
+         w = (mp_int *)XMALLOC(sizeof *w, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+Index: wolfssl-5.7.2/wolfcrypt/src/ecc.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/ecc.c
++++ wolfssl-5.7.2/wolfcrypt/src/ecc.c
+@@ -6726,6 +6726,11 @@ int wc_ecc_sign_hash(const byte* in, wor
+     if (in == NULL || out == NULL || outlen == NULL || key == NULL) {
+         return ECC_BAD_ARG_E;
+     }
++    if ((inlen > WC_MAX_DIGEST_SIZE) ||
++        (inlen < WC_MIN_DIGEST_SIZE))
++    {
++        return BAD_LENGTH_E;
++    }
+ 
+ #ifdef WOLF_CRYPTO_CB
+     #ifndef WOLF_CRYPTO_CB_FIND
+@@ -7224,6 +7229,11 @@ int wc_ecc_sign_hash_ex(const byte* in,
+    if (in == NULL || r == NULL || s == NULL || key == NULL || rng == NULL) {
+        return ECC_BAD_ARG_E;
+    }
++   if ((inlen > WC_MAX_DIGEST_SIZE) ||
++       (inlen < WC_MIN_DIGEST_SIZE))
++   {
++       return BAD_LENGTH_E;
++   }
+ 
+    /* is this a private key? */
+    if (key->type != ECC_PRIVATEKEY && key->type != ECC_PRIVATEKEY_ONLY) {
+@@ -8466,6 +8476,12 @@ int wc_ecc_verify_hash(const byte* sig,
+         return ECC_BAD_ARG_E;
+     }
+ 
++    /* Check hash length */
++    if ((hashlen > WC_MAX_DIGEST_SIZE) ||
++        (hashlen < WC_MIN_DIGEST_SIZE)) {
++        return BAD_LENGTH_E;
++    }
++
+ #ifdef WOLF_CRYPTO_CB
+     #ifndef WOLF_CRYPTO_CB_FIND
+     if (key->devId != INVALID_DEVID)
+@@ -9073,6 +9089,12 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_
+    if (r == NULL || s == NULL || hash == NULL || res == NULL || key == NULL)
+        return ECC_BAD_ARG_E;
+ 
++    /* Check hash length */
++    if ((hashlen > WC_MAX_DIGEST_SIZE) ||
++        (hashlen < WC_MIN_DIGEST_SIZE)) {
++        return BAD_LENGTH_E;
++    }
++
+    /* default to invalid signature */
+    *res = 0;
+ 
+Index: wolfssl-5.7.2/wolfcrypt/src/ed25519.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/ed25519.c
++++ wolfssl-5.7.2/wolfcrypt/src/ed25519.c
+@@ -396,6 +396,12 @@ int wc_ed25519_sign_msg_ex(const byte* i
+         return BAD_FUNC_ARG;
+     }
+ 
++    if ((type == Ed25519ph) &&
++        (inLen != WC_SHA512_DIGEST_SIZE))
++    {
++        return BAD_LENGTH_E;
++    }
++
+ #ifdef WOLF_CRYPTO_CB
+     if (key->devId != INVALID_DEVID) {
+         ret = wc_CryptoCb_Ed25519Sign(in, inLen, out, outLen, key, type,
+@@ -854,6 +860,12 @@ int wc_ed25519_verify_msg_ex(const byte*
+                                          (context == NULL && contextLen != 0))
+         return BAD_FUNC_ARG;
+ 
++    if ((type == Ed25519ph) &&
++        (msgLen != WC_SHA512_DIGEST_SIZE))
++    {
++        return BAD_LENGTH_E;
++    }
++
+ #ifdef WOLF_CRYPTO_CB
+     if (key->devId != INVALID_DEVID) {
+         ret = wc_CryptoCb_Ed25519Verify(sig, sigLen, msg, msgLen, res, key,
+Index: wolfssl-5.7.2/wolfcrypt/src/ed448.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/ed448.c
++++ wolfssl-5.7.2/wolfcrypt/src/ed448.c
+@@ -374,6 +374,11 @@ int wc_ed448_sign_msg_ex(const byte* in,
+         ret = BAD_FUNC_ARG;
+     }
+ 
++    if ((ret == 0) && (type == Ed448ph) && (inLen != ED448_PREHASH_SIZE))
++    {
++        ret = BAD_LENGTH_E;
++    }
++
+     /* check and set up out length */
+     if ((ret == 0) && (*outLen < ED448_SIG_SIZE)) {
+         *outLen = ED448_SIG_SIZE;
+@@ -799,6 +804,12 @@ int wc_ed448_verify_msg_ex(const byte* s
+     if (key == NULL)
+         return BAD_FUNC_ARG;
+ 
++    if ((type == Ed448ph) &&
++        (msgLen != ED448_PREHASH_SIZE))
++    {
++        return BAD_LENGTH_E;
++    }
++
+ #ifdef WOLFSSL_ED448_PERSISTENT_SHA
+     sha = &key->sha;
+ #else
+Index: wolfssl-5.7.2/wolfcrypt/src/hash.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/hash.c
++++ wolfssl-5.7.2/wolfcrypt/src/hash.c
+@@ -405,6 +405,12 @@ int wc_HashGetDigestSize(enum wc_HashTyp
+         #endif
+             break;
+         case WC_HASH_TYPE_BLAKE2B:
++        #if defined(HAVE_BLAKE2B)
++            dig_size = BLAKE2B_OUTBYTES;
++        #else
++            dig_size = HASH_TYPE_E;
++        #endif
++            break;
+         case WC_HASH_TYPE_BLAKE2S:
+         #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
+             dig_size = BLAKE2S_OUTBYTES;
+@@ -524,6 +530,12 @@ int wc_HashGetBlockSize(enum wc_HashType
+         #endif
+             break;
+         case WC_HASH_TYPE_BLAKE2B:
++        #if defined(HAVE_BLAKE2B)
++            block_size = BLAKE2B_BLOCKBYTES;
++        #else
++            block_size = HASH_TYPE_E;
++        #endif
++            break;
+         case WC_HASH_TYPE_BLAKE2S:
+         #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S)
+             block_size = BLAKE2S_BLOCKBYTES;
+Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c
++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+@@ -4107,6 +4107,12 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* p
+     if (pkcs7 == NULL || sig == NULL)
+         return BAD_FUNC_ARG;
+ 
++    /* Check hash length */
++    if ((hashSz > WC_MAX_DIGEST_SIZE) ||
++        (hashSz < WC_MIN_DIGEST_SIZE)) {
++        return BAD_LENGTH_E;
++    }
++
+ #ifdef WOLFSSL_SMALL_STACK
+     digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap,
+                             DYNAMIC_TYPE_TMP_BUFFER);
+Index: wolfssl-5.7.2/wolfcrypt/src/signature.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/signature.c
++++ wolfssl-5.7.2/wolfcrypt/src/signature.c
+@@ -151,6 +151,35 @@ int wc_SignatureVerifyHash(
+         WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len");
+         return ret;
+     }
++
++#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
++    /* For WC_SIGNATURE_TYPE_RSA_W_ENC, we need to extract the actual size of
++     * the ASN.1-encoded hash.
++     */
++    if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) {
++        int hash_dec_len;
++        word32 idx = 0;
++        if (GetSequence(hash_data, &idx, &hash_dec_len, hash_len) < 0)
++            return ASN_PARSE_E;
++        /* skip the AlgorithmIdentifier */
++        if (GetSequence(hash_data, &idx, &hash_dec_len, hash_len) < 0)
++            return ASN_PARSE_E;
++        idx += (word32)hash_dec_len;
++        /* now sitting at the OCTET STRING containing the digest */
++        if (GetOctetString(hash_data, &idx, &hash_dec_len, hash_len) < 0)
++            return ASN_PARSE_E;
++        if (hash_dec_len != ret)
++            return BAD_LENGTH_E;
++    }
++    else
++#endif
++    {
++        if (hash_len != (word32)ret) {
++            WOLFSSL_MSG("wc_SignatureVerify: Invalid hash size");
++            return BAD_LENGTH_E;
++        }
++    }
++
+     ret = 0;
+ 
+     /* Verify signature using hash */
+Index: wolfssl-5.7.2/wolfssl/wolfcrypt/hash.h
+===================================================================
+--- wolfssl-5.7.2.orig/wolfssl/wolfcrypt/hash.h
++++ wolfssl-5.7.2/wolfssl/wolfcrypt/hash.h
+@@ -156,6 +156,87 @@ typedef union {
+     #define WC_MAX_BLOCK_SIZE  128
+ #endif
+ 
++#if defined(WC_HASH_CUSTOM_MAX_DIGEST_SIZE) && \
++    defined(WC_HASH_CUSTOM_MIN_DIGEST_SIZE)
++    #if WC_HASH_CUSTOM_MAX_DIGEST_SIZE < \
++        WC_HASH_CUSTOM_MIN_DIGEST_SIZE
++        #error HASH_CUSTOM_MAX_DIGEST_SIZE < WC_HASH_CUSTOM_MIN_DIGEST_SIZE
++    #endif
++#endif
++#ifdef WC_HASH_CUSTOM_MAX_DIGEST_SIZE
++    #undef WC_MAX_DIGEST_SIZE
++    #define WC_MAX_DIGEST_SIZE WC_HASH_CUSTOM_MAX_DIGEST_SIZE
++#endif
++#ifdef WC_HASH_CUSTOM_MAX_BLOCK_SIZE
++    #undef WC_MAX_BLOCK_SIZE
++    #define WC_MAX_BLOCK_SIZE WC_HASH_CUSTOM_MAX_BLOCK_SIZE
++#endif
++
++/* wolfssl 5.7.2 md2.h/md4.h predate the WC_-prefixed digest-size names used 
by
++ * the cascade below (they define only MD2_DIGEST_SIZE/MD4_DIGEST_SIZE). 
Provide
++ * the WC_-prefixed aliases so the upstream enforcement compiles unchanged. */
++#if defined(WOLFSSL_MD2) && !defined(WC_MD2_DIGEST_SIZE)
++    #define WC_MD2_DIGEST_SIZE 16
++#endif
++#if !defined(NO_MD4) && !defined(WC_MD4_DIGEST_SIZE)
++    #define WC_MD4_DIGEST_SIZE 16
++#endif
++#if defined(WC_HASH_CUSTOM_MIN_DIGEST_SIZE)
++    #if defined(WC_FIPS_186_5_PLUS) && \
++            (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 224 / 8)
++        #error FIPS 186-5 requires a minimum hash size >= SHA-224.
++    #elif defined(WC_FIPS_186_4) && \
++            (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 160 / 8)
++        #error FIPS 186-4 requires a minimum hash size >= SHA-1.
++    #elif (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 128 / 8)
++        #error WC_HASH_CUSTOM_MIN_DIGEST_SIZE is too small.
++    #endif
++    /* Let the user override the minimum digest size */
++    #define WC_MIN_DIGEST_SIZE WC_HASH_CUSTOM_MIN_DIGEST_SIZE
++#elif defined(WOLFSSL_MD2) && !defined(WC_FIPS_186_4_PLUS)
++    #define WC_MIN_DIGEST_SIZE WC_MD2_DIGEST_SIZE /* 16 */
++#elif !defined(NO_MD4) && !defined(WC_FIPS_186_4_PLUS)
++    #define WC_MIN_DIGEST_SIZE WC_MD4_DIGEST_SIZE /* 16 */
++#elif !defined(NO_MD5) && !defined(WC_FIPS_186_4_PLUS)
++    #define WC_MIN_DIGEST_SIZE WC_MD5_DIGEST_SIZE /* 16 */
++#elif !defined(NO_SHA) && !defined(WC_FIPS_186_5_PLUS)
++    #define WC_MIN_DIGEST_SIZE WC_SHA_DIGEST_SIZE /* 20 */
++#elif defined(WOLFSSL_SHA224)
++    #define WC_MIN_DIGEST_SIZE WC_SHA224_DIGEST_SIZE
++#elif !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
++    defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224)
++    #define WC_MIN_DIGEST_SIZE WC_SHA512_224_DIGEST_SIZE
++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
++    #define WC_MIN_DIGEST_SIZE WC_SHA3_224_DIGEST_SIZE
++#elif !defined(NO_SHA256)
++    #define WC_MIN_DIGEST_SIZE WC_SHA256_DIGEST_SIZE
++#elif !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
++    defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256)
++    #define WC_MIN_DIGEST_SIZE WC_SHA512_256_DIGEST_SIZE
++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
++    #define WC_MIN_DIGEST_SIZE WC_SHA3_256_DIGEST_SIZE
++#elif defined(HAVE_BLAKE2S)
++    #define WC_MIN_DIGEST_SIZE BLAKE2S_OUTBYTES /* 32 */
++#elif defined(WOLFSSL_SM3)
++    #define WC_MIN_DIGEST_SIZE WC_SM3_DIGEST_SIZE /* 32 */
++#elif defined(WOLFSSL_SHA384)
++    #define WC_MIN_DIGEST_SIZE WC_SHA384_DIGEST_SIZE
++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
++    #define WC_MIN_DIGEST_SIZE WC_SHA3_384_DIGEST_SIZE
++#elif defined(WOLFSSL_SHA512)
++    #define WC_MIN_DIGEST_SIZE WC_SHA512_DIGEST_SIZE
++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
++    #define WC_MIN_DIGEST_SIZE WC_SHA3_512_DIGEST_SIZE
++#elif defined(HAVE_BLAKE2B)
++    #define WC_MIN_DIGEST_SIZE BLAKE2B_OUTBYTES /* 64 */
++#elif defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256)
++    #error SHAKE enabled without SHA-3.
++    #define WC_MIN_DIGEST_SIZE 64
++#else
++    #error No builtin hashes enabled and no WC_HASH_CUSTOM_MIN_DIGEST_SIZE.
++    #define WC_MIN_DIGEST_SIZE 64
++#endif
++
+ #if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC)
+ WOLFSSL_API int wc_HashGetOID(enum wc_HashType hash_type);
+ WOLFSSL_API enum wc_HashType wc_OidGetHash(int oid);
+Index: wolfssl-5.7.2/wolfssl/wolfcrypt/settings.h
+===================================================================
+--- wolfssl-5.7.2.orig/wolfssl/wolfcrypt/settings.h
++++ wolfssl-5.7.2/wolfssl/wolfcrypt/settings.h
+@@ -460,6 +460,29 @@
+     #define SIZEOF_LONG_LONG 8
+ #endif
+ 
++#if defined(HAVE_FIPS) && !defined(WC_FIPS_186_5) && !defined(WC_FIPS_186_4)
++    #if FIPS_VERSION3_GE(7,0,0)
++        #ifndef WC_FIPS_186_5
++            #define WC_FIPS_186_5
++        #endif
++    #else
++        #ifndef WC_FIPS_186_4
++            #define WC_FIPS_186_4
++        #endif
++    #endif
++#endif
++#if defined(WC_FIPS_186_4) && defined(WC_FIPS_186_5)
++    #error Conflicting FIPS 186 settings.
++#endif
++#if (defined(WC_FIPS_186_4) || defined(WC_FIPS_186_5)) && \
++        !defined(WC_FIPS_186_4_PLUS)
++    #define WC_FIPS_186_4_PLUS
++#endif
++#if defined(WC_FIPS_186_5) && !defined(WC_FIPS_186_5_PLUS)
++    #define WC_FIPS_186_5_PLUS
++#endif
++
++
+ #ifdef HAVE_NETX
+     #ifdef NEED_THREADX_TYPES
+         #include <types.h>
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch    2026-07-05 
23:33:37.000000000 +0200
@@ -0,0 +1,142 @@
+Description: CVE-2026-5194 - require certificate signature OID to match issuer 
key OID
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/abce5be989ccd0665e2b9445abb856886975dfd1
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-5194
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/asn.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/asn.c
++++ wolfssl-5.7.2/wolfcrypt/src/asn.c
+@@ -16545,6 +16545,118 @@ static int HashForSignature(const byte*
+ }
+ #endif /* !NO_ASN_CRYPT && !NO_HASH_WRAPPER */
+ 
++/* The certificate's signatureAlgorithm (sigOID) must match the issuer's
++ * key type (keyOID). sigOID picks the pre-hash; keyOID picks the
++ * verifier. They need to agree or the verifier gets the wrong input. */
++static int SigOidMatchesKeyOid(word32 sigOID, word32 keyOID)
++{
++    switch (keyOID) {
++    #ifndef NO_RSA
++        case RSAk:
++            switch (sigOID) {
++                case CTC_MD2wRSA:
++                case CTC_MD5wRSA:
++                case CTC_SHAwRSA:
++                case CTC_SHA224wRSA:
++                case CTC_SHA256wRSA:
++                case CTC_SHA384wRSA:
++                case CTC_SHA512wRSA:
++                case CTC_SHA3_224wRSA:
++                case CTC_SHA3_256wRSA:
++                case CTC_SHA3_384wRSA:
++                case CTC_SHA3_512wRSA:
++                case CTC_RSASSAPSS:
++                    return 1;
++            }
++            return 0;
++        #ifdef WC_RSA_PSS
++        case RSAPSSk:
++            return (sigOID == CTC_RSASSAPSS);
++        #endif
++    #endif
++    #if !defined(NO_DSA) && !defined(HAVE_SELFTEST)
++        case DSAk:
++            switch (sigOID) {
++                case CTC_SHAwDSA:
++                case CTC_SHA256wDSA:
++                    return 1;
++            }
++            return 0;
++    #endif
++    #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY)
++        case ECDSAk:
++        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
++        case SM2k:
++        #endif
++            switch (sigOID) {
++                case CTC_SHAwECDSA:
++                case CTC_SHA224wECDSA:
++                case CTC_SHA256wECDSA:
++                case CTC_SHA384wECDSA:
++                case CTC_SHA512wECDSA:
++                case CTC_SHA3_224wECDSA:
++                case CTC_SHA3_256wECDSA:
++                case CTC_SHA3_384wECDSA:
++                case CTC_SHA3_512wECDSA:
++            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
++                case CTC_SM3wSM2:
++            #endif
++                    return 1;
++            }
++            return 0;
++    #endif
++    #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
++        case ED25519k:
++            return (sigOID == CTC_ED25519);
++    #endif
++    #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
++        case ED448k:
++            return (sigOID == CTC_ED448);
++    #endif
++    #if defined(HAVE_FALCON)
++        case FALCON_LEVEL1k:
++            return (sigOID == CTC_FALCON_LEVEL1);
++        case FALCON_LEVEL5k:
++            return (sigOID == CTC_FALCON_LEVEL5);
++    #endif
++    #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \
++        !defined(WOLFSSL_DILITHIUM_NO_ASN1)
++        #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
++        case DILITHIUM_LEVEL2k:
++            return (sigOID == CTC_DILITHIUM_LEVEL2);
++        case DILITHIUM_LEVEL3k:
++            return (sigOID == CTC_DILITHIUM_LEVEL3);
++        case DILITHIUM_LEVEL5k:
++            return (sigOID == CTC_DILITHIUM_LEVEL5);
++        #endif
++        case ML_DSA_LEVEL2k:
++            return (sigOID == CTC_ML_DSA_LEVEL2);
++        case ML_DSA_LEVEL3k:
++            return (sigOID == CTC_ML_DSA_LEVEL3);
++        case ML_DSA_LEVEL5k:
++            return (sigOID == CTC_ML_DSA_LEVEL5);
++    #endif
++    #if defined(HAVE_SPHINCS)
++        case SPHINCS_FAST_LEVEL1k:
++            return (sigOID == CTC_SPHINCS_FAST_LEVEL1);
++        case SPHINCS_FAST_LEVEL3k:
++            return (sigOID == CTC_SPHINCS_FAST_LEVEL3);
++        case SPHINCS_FAST_LEVEL5k:
++            return (sigOID == CTC_SPHINCS_FAST_LEVEL5);
++        case SPHINCS_SMALL_LEVEL1k:
++            return (sigOID == CTC_SPHINCS_SMALL_LEVEL1);
++        case SPHINCS_SMALL_LEVEL3k:
++            return (sigOID == CTC_SPHINCS_SMALL_LEVEL3);
++        case SPHINCS_SMALL_LEVEL5k:
++            return (sigOID == CTC_SPHINCS_SMALL_LEVEL5);
++    #endif
++    }
++
++    /* Default to reject unknown key types */
++    (void)sigOID;
++    return 0;
++}
++
+ /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
+ static int ConfirmSignature(SignatureCtx* sigCtx,
+     const byte* buf, word32 bufSz,
+@@ -16610,6 +16722,11 @@ static int ConfirmSignature(SignatureCtx
+ 
+         case SIG_STATE_HASH:
+         {
++            if (!SigOidMatchesKeyOid(sigOID, keyOID)) {
++                WOLFSSL_MSG("sigOID incompatible with issuer keyOID");
++                ERROR_OUT(ASN_SIG_OID_E, exit_cs);
++            }
++
+         #if !defined(NO_RSA) && defined(WC_RSA_PSS)
+             if (sigOID == RSAPSSk) {
+                 word32 fakeSigOID = 0;
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch   1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch   2026-07-05 
23:40:41.000000000 +0200
@@ -0,0 +1,61 @@
+Description: CVE-2026-55960 - validate negotiated certificate type for raw 
public keys
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/c929798460656431bdeeffbf701a74521f403f36
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55960
+Author: wolfSSL
+Forwarded: not-needed
+---
+Index: wolfssl-5.7.2/src/internal.c
+===================================================================
+--- wolfssl-5.7.2.orig/src/internal.c
++++ wolfssl-5.7.2/src/internal.c
+@@ -14146,31 +14146,29 @@ PRAGMA_GCC_DIAG_POP
+     ret = ParseCertRelative(args->dCert, certType, verify, SSL_CM(ssl), 
extraSigners);
+ 
+ #if defined(HAVE_RPK)
+-    /* if cert type has negotiated with peer, confirm the cert received has
+-     * the same type.
+-     */
+-    if (ret == 0 ) {
+-        if (ssl->options.side ==  WOLFSSL_CLIENT_END) {
+-            if (ssl->options.rpkState.received_ServerCertTypeCnt == 1) {
++    /* Confirm the received certificate's form (X.509 vs raw public key) 
matches
++     * the type negotiated with the peer. A raw public key (RFC 7250) has no
++     * chain, so ParseCertRelative() accepts it without any trust 
verification;
++     * it must only be accepted when RPK was negotiated for this peer. When no
++     * type was negotiated the default is X.509 (RFC 7250/8446), so an
++     * un-negotiated bare key is rejected. The negotiated type is the received
++     * server cert type (client) or the selected client cert type (server). */
++    if (ret == 0) {
++        cType = WOLFSSL_CERT_TYPE_X509;
++        if (ssl->options.side == WOLFSSL_CLIENT_END) {
++            if (ssl->options.rpkState.received_ServerCertTypeCnt == 1)
+                 cType = ssl->options.rpkState.received_ServerCertTypes[0];
+-                if ((cType == WOLFSSL_CERT_TYPE_RPK && !args->dCert->isRPK) ||
+-                    (cType == WOLFSSL_CERT_TYPE_X509 && args->dCert->isRPK)) {
+-                    /* cert type mismatch */
+-                    WOLFSSL_MSG("unsupported certificate type received");
+-                    ret = UNSUPPORTED_CERTIFICATE;
+-                }
+-            }
+         }
+         else if (ssl->options.side == WOLFSSL_SERVER_END) {
+-            if (ssl->options.rpkState.received_ClientCertTypeCnt == 1) {
++            if (ssl->options.rpkState.sending_ClientCertTypeCnt == 1)
+                 cType = ssl->options.rpkState.sending_ClientCertTypes[0];
+-                if ((cType == WOLFSSL_CERT_TYPE_RPK && !args->dCert->isRPK) ||
+-                    (cType == WOLFSSL_CERT_TYPE_X509 && args->dCert->isRPK)) {
+-                    /* cert type mismatch */
+-                    WOLFSSL_MSG("unsupported certificate type received");
+-                    ret = UNSUPPORTED_CERTIFICATE;
+-                }
+-            }
++        }
++
++        if ((cType == WOLFSSL_CERT_TYPE_RPK && !args->dCert->isRPK) ||
++            (cType != WOLFSSL_CERT_TYPE_RPK && args->dCert->isRPK)) {
++            /* cert type mismatch - includes an un-negotiated raw public key 
*/
++            WOLFSSL_MSG("unsupported certificate type received");
++            ret = UNSUPPORTED_CERTIFICATE;
+         }
+     }
+ #endif /* HAVE_RPK */
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch   1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch   2026-07-05 
23:37:14.000000000 +0200
@@ -0,0 +1,31 @@
+Description: CVE-2026-55961 - reject degenerate certs-only PKCS#7 in 
wolfSSL_PKCS7_verify
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/d382439c7c63c07294cf4fcece0aa56a35399d15
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55961
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/src/ssl_p7p12.c
+===================================================================
+--- wolfssl-5.7.2.orig/src/ssl_p7p12.c
++++ wolfssl-5.7.2/src/ssl_p7p12.c
+@@ -806,6 +806,19 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, W
+     if (ret != 0)
+         return WOLFSSL_FAILURE;
+ 
++    /* Reject a degenerate (certs-only) PKCS#7 with no verified signer. Such 
an
++     * object has empty signerInfos, so wc_PKCS7_VerifySignedData() succeeds
++     * without authenticating the content. pkcs7.verifyCert is only set once a
++     * signer's signature has actually been verified, so a NULL value here 
means
++     * the content carries no valid signature and must not be reported as
++     * verified - regardless of PKCS7_NOVERIFY, which only suppresses signer
++     * certificate chain validation, not the requirement that a signature 
exist.
++     */
++    if (p7->pkcs7.verifyCert == NULL) {
++        WOLFSSL_MSG("PKCS7 has no verified signer (degenerate/certs-only)");
++        return WOLFSSL_FAILURE;
++    }
++
+     if ((flags & PKCS7_NOVERIFY) != PKCS7_NOVERIFY) {
+         /* Verify signer certificates */
+         if (store == NULL || store->cm == NULL) {
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch   1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch   2026-07-05 
23:33:37.000000000 +0200
@@ -0,0 +1,44 @@
+Description: CVE-2026-55962 - require client cert on outstanding TLS1.3 
post-handshake auth
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/f23544f09476d420becdfabd781eec0dd1a9c597
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55962
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/src/tls13.c
+===================================================================
+--- wolfssl-5.7.2.orig/src/tls13.c
++++ wolfssl-5.7.2/src/tls13.c
+@@ -10649,7 +10649,10 @@ int DoTls13Finished(WOLFSSL* ssl, const
+ #endif
+         if (
+         #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
+-            !ssl->options.verifyPostHandshake &&
++            /* Exempt only the initial handshake; a pending post-handshake
++             * CertificateRequest (certReqCtx != NULL) still requires a peer
++             * certificate and a valid CertificateVerify. */
++            (!ssl->options.verifyPostHandshake || ssl->certReqCtx != NULL) &&
+         #endif
+             (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) {
+             ret = NO_PEER_CERT; /* NO_PEER_VERIFY */
+@@ -12228,7 +12231,19 @@ static int SanityCheckTls13MsgReceived(W
+                  */
+                 if (ssl->options.verifyPeer &&
+                 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
+-                    !ssl->options.verifyPostHandshake &&
++                    /* The post-handshake-auth exemption is only valid during
++                     * the initial handshake. On the server, once a
++                     * post-handshake CertificateRequest is outstanding
++                     * (certReqCtx != NULL), a Certificate is required again.
++                     * Scoped to the server: certReqCtx means something
++                     * different on the client (a received request) and the
++                     * client does not process an inbound Finished in that
++                     * state. Whether an empty Certificate is then accepted
++                     * follows the verify mode (FAIL_IF_NO_PEER_CERT), exactly
++                     * as for first-handshake client authentication. */
++                    (!ssl->options.verifyPostHandshake ||
++                     (ssl->options.side == WOLFSSL_SERVER_END &&
++                      ssl->certReqCtx != NULL)) &&
+                 #endif
+                                            
!ssl->msgsReceived.got_certificate) {
+                     WOLFSSL_MSG("Finished received out of order - "
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch   1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch   2026-07-05 
23:33:37.000000000 +0200
@@ -0,0 +1,49 @@
+Description: CVE-2026-55967 - reject AES-GCM cumulative size overflow in 
streaming update
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/5def276e07e23b7b3b5842afbe526b4d3703ce13
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55967
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/aes.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/aes.c
++++ wolfssl-5.7.2/wolfcrypt/src/aes.c
+@@ -10001,6 +10001,18 @@ int wc_AesGcmEncryptUpdate(Aes* aes, byt
+         ret = MISSING_IV;
+     }
+ 
++    /* Prevent overflow of aes->cSz and ->aSz.  Per NIST SP 800-38D section
++     * 5.2.1.1, the maximum allowed ciphertext limit is 2^32 - 2 blocks, but 
we
++     * currently pass around the cunulative sizes in bytes as word32s, so we
++     * can't currently support the maximum allowed.
++     */
++    if ((ret == 0) &&
++        (((aes->cSz > 0xffffffff - sz)) ||
++         ((aes->aSz > 0xffffffff - authInSz))))
++    {
++        ret = AES_GCM_OVERFLOW_E;
++    }
++
+     if ((ret == 0) && aes->ctrSet && (aes->aSz == 0) && (aes->cSz == 0)) {
+         aes->invokeCtr[0]++;
+         if (aes->invokeCtr[0] == 0) {
+@@ -10147,6 +10159,18 @@ int wc_AesGcmDecryptUpdate(Aes* aes, byt
+         ret = MISSING_IV;
+     }
+ 
++    /* Prevent overflow of aes->cSz and ->aSz.  Per NIST SP 800-38D section
++     * 5.2.1.1, the maximum allowed ciphertext limit is 2^32 - 2 blocks, but 
we
++     * currently pass around the cunulative sizes in bytes as word32s, so we
++     * can't currently support the maximum allowed.
++     */
++    if ((ret == 0) &&
++        (((aes->cSz > 0xffffffff - sz)) ||
++         ((aes->aSz > 0xffffffff - authInSz))))
++    {
++        ret = AES_GCM_OVERFLOW_E;
++    }
++
+     if (ret == 0) {
+         /* Decrypt with AAD and/or cipher text. */
+     #ifdef WOLFSSL_AESNI
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch    2026-07-05 
23:33:37.000000000 +0200
@@ -0,0 +1,39 @@
+Description: CVE-2026-6092 - enforce Encrypt-then-MAC on TLS resumption path
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/af5369636a938faf4a79d1f550d3b206c51fafec
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6092
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/src/internal.c
+===================================================================
+--- wolfssl-5.7.2.orig/src/internal.c
++++ wolfssl-5.7.2/src/internal.c
+@@ -37052,13 +37052,21 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ 
+ #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
+     !defined(WOLFSSL_AEAD_ONLY)
+-            if (ssl->options.encThenMac && ssl->specs.cipher_type == block) {
+-                ret = TLSX_EncryptThenMac_Respond(ssl);
+-                if (ret != 0)
+-                    goto out;
++            /* Only respond to ETM here when resumption actually succeeded;
++             * HandleTlsResumption populates ssl->specs via SetCipherSpecs 
only
++             * on the success path. If resumption failed, resuming has been
++             * cleared and ssl->specs.cipher_type is still zero-initialized,
++             * so we must defer the ETM decision until after MatchSuite. */
++            if (ssl->options.resuming) {
++                if (ssl->options.encThenMac &&
++                                          ssl->specs.cipher_type == block) {
++                    ret = TLSX_EncryptThenMac_Respond(ssl);
++                    if (ret != 0)
++                        goto out;
++                }
++                else
++                    ssl->options.encThenMac = 0;
+             }
+-            else
+-                ssl->options.encThenMac = 0;
+ #endif
+             if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
+                 WOLFSSL_LEAVE("DoClientHello", ret);
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch    2026-07-05 
23:33:37.000000000 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2026-6094 - bound encrypted content size in PKCS7 
EnvelopedData
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/1397268aa12e2cf3f80c3acfa9b6036b809c08ef
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6094
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c
++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+@@ -12393,6 +12393,11 @@ WOLFSSL_API int wc_PKCS7_DecodeEnveloped
+                 }
+ 
+             } else {
++                if ((idx + (word32)encryptedContentTotalSz) > pkiMsgSz) {
++                    ret = BUFFER_E;
++                    break;
++                }
++
+                 /* cache encrypted content, no OCTET STRING */
+                 ret = PKCS7_CacheEncryptedContent(pkcs7, &pkiMsg[idx],
+                                                   
(word32)encryptedContentTotalSz);
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch    2026-07-05 
23:34:07.000000000 +0200
@@ -0,0 +1,28 @@
+Description: CVE-2026-6325 - bound index in SetSuitesHashSigAlgo to prevent 
OOB write
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/f540bb3ddfef89db637809392522247ce3e8200c
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6325
+Author: wolfSSL
+Forwarded: not-needed
+---
+Index: wolfssl-5.7.2/src/internal.c
+===================================================================
+--- wolfssl-5.7.2.orig/src/internal.c
++++ wolfssl-5.7.2/src/internal.c
+@@ -27378,6 +27378,17 @@ int SetSuitesHashSigAlgo(Suites* suites,
+                     break;
+                 }
+             }
++            {
++                word32 needed = 2;
++#if defined(WC_RSA_PSS) && defined(WOLFSSL_TLS13)
++                if (sig_alg == rsa_pss_sa_algo)
++                    needed = 4;
++#endif
++                if ((word32)idx + needed > WOLFSSL_MAX_SIGALGO) {
++                    ret = 0;
++                    break;
++                }
++            }
+             AddSuiteHashSigAlgo(suites->hashSigAlgo, mac_alg, sig_alg, 0, 
&idx);
+             sig_alg = 0;
+             mac_alg = no_mac;
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch    2026-07-05 
23:33:37.000000000 +0200
@@ -0,0 +1,24 @@
+Description: CVE-2026-6329 - reject PKCS#12 MAC length mismatch
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/9c304bdc099140ad2fdc41ef2f2602af9768c8a1
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6329
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/pkcs12.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs12.c
++++ wolfssl-5.7.2/wolfcrypt/src/pkcs12.c
+@@ -652,6 +652,12 @@ static int wc_PKCS12_verify(WC_PKCS12* p
+         return ret;
+     }
+ 
++    if ((word32)ret != mac->digestSz) {
++        WOLFSSL_MSG("PKCS12 MAC digest size mismatch");
++        ForceZero(digest, sizeof(digest));
++        return MAC_CMP_FAILED_E;
++    }
++
+ #ifdef WOLFSSL_DEBUG_PKCS12
+     {
+         byte* p;
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch    2026-07-05 
23:33:38.000000000 +0200
@@ -0,0 +1,26 @@
+Description: CVE-2026-6331 - require exact HMAC tag length in 
EVP_DigestVerifyFinal
+ A zero-length or truncated tag passed to wolfSSL_EVP_DigestVerifyFinal() was
+ accepted, because the length check only rejected oversized tags and an
+ XMEMCMP() of length zero returns a match. Require the supplied tag length to
+ equal the MAC length exactly.
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/0749f20c33516897d8c5e2ab083b855e2d17d665
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6331
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/evp.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/evp.c
++++ wolfssl-5.7.2/wolfcrypt/src/evp.c
+@@ -4636,9 +4636,8 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSS
+ 
+         hashLen = wolfssl_mac_len(ctx->hash.hmac.macType);
+ 
+-        if (siglen > hashLen)
++        if (hashLen == 0 || siglen != hashLen)
+             return WOLFSSL_FAILURE;
+-        /* May be a truncated signature. */
+     }
+ 
+     if (wolfssl_evp_digest_pk_final(ctx, digest, &hashLen) <= 0)
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch    2026-07-05 
23:39:35.000000000 +0200
@@ -0,0 +1,29 @@
+Description: CVE-2026-6450 - reject CRLs with unrecognized critical extensions
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/857141da35b67a14a580fb26ec57af1efa68a1d9
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6450
+Author: wolfSSL
+Forwarded: not-needed
+Index: wolfssl-5.7.2/wolfcrypt/src/asn.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/asn.c
++++ wolfssl-5.7.2/wolfcrypt/src/asn.c
+@@ -38426,14 +38426,17 @@ static int ParseCRL_Extensions(DecodedCR
+                 }
+             #endif
+             }
++            else if (critical) {
++                WOLFSSL_MSG("Unknown critical CRL extension");
++                ret = ASN_CRIT_EXT_E;
++            }
+             /* TODO: Parse CRL Number extension */
+-            /* TODO: check criticality */
+             /* Move index on to next extension. */
+             idx += (word32)length;
+         }
+     }
+ 
+-    if (ret < 0) {
++    if (ret < 0 && ret != ASN_CRIT_EXT_E) {
+         ret = ASN_PARSE_E;
+     }
+ 
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch    2026-07-05 
23:33:38.000000000 +0200
@@ -0,0 +1,34 @@
+Description: CVE-2026-6678 - fix integer underflow in wc_PKCS7_DecryptOri
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/84fb0f694cfaac4187c0beba4298a4a8a7995235
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6678
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c
++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+@@ -10861,9 +10861,21 @@ static int wc_PKCS7_DecryptOri(PKCS7* pk
+             XMEMCPY(oriOID, pkiMsg + *idx, oriOIDSz);
+             *idx += oriOIDSz;
+ 
++            /* Validate OID did not consume more than the SEQUENCE declared */
++            if ((*idx - tmpIdx) > (word32)seqSz) {
++                WOLFSSL_MSG("ORI oriType OID exceeds SEQUENCE boundary");
++                return ASN_PARSE_E;
++            }
++
+             /* get oriValue, increment idx */
+             oriValue = pkiMsg + *idx;
+-            oriValueSz = seqSz - (*idx - tmpIdx);
++            oriValueSz = (word32)seqSz - (*idx - tmpIdx);
++
++            /* Validate oriValue region is within input buffer */
++            if (*idx > pkiMsgSz || oriValueSz > pkiMsgSz - *idx) {
++                WOLFSSL_MSG("ORI oriValue exceeds input buffer");
++                return ASN_PARSE_E;
++            }
+             *idx += oriValueSz;
+ 
+             /* pass oriOID and oriValue to user callback, expect back
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch    2026-07-05 
23:33:38.000000000 +0200
@@ -0,0 +1,34 @@
+Description: CVE-2026-6681 - respect caller output buffer size in PKCS7 decode
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/1de4020fe4f3f911641ac0477227249d4dda2157
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6681
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c
++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c
+@@ -13632,6 +13632,10 @@ authenv_atrbend:
+             }
+ 
+             /* copy plaintext to output */
++            if ((word32)encryptedContentSz > outputSz) {
++                ret = BUFFER_E;
++                break;
++            }
+             XMEMCPY(output, encryptedContent, encryptedContentSz);
+ 
+             /* free memory, zero out keys */
+@@ -14284,6 +14288,11 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7*
+                 }
+ 
+                 /* copy plaintext to output */
++                if ((word32)(encryptedContentSz - padLen) > outputSz) {
++                    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
++                    ret = BUFFER_E;
++                    break;
++                }
+                 XMEMCPY(output, encryptedContent, encryptedContentSz - 
padLen);
+ 
+                 /* get implicit[1] unprotected attributes, optional */
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch    2026-07-05 
23:33:38.000000000 +0200
@@ -0,0 +1,30 @@
+Description: CVE-2026-6731 - apply DNS name constraints to Subject CN when no 
SAN
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/e7b7fddacb4cc794e5dfc7693586d87a539f5aad
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6731
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/wolfcrypt/src/asn.c
+===================================================================
+--- wolfssl-5.7.2.orig/wolfcrypt/src/asn.c
++++ wolfssl-5.7.2/wolfcrypt/src/asn.c
+@@ -18017,9 +18017,16 @@ static int ConfirmNameConstraints(Signer
+         XMEMSET(&subjectDnsName, 0, sizeof(DNS_entry));
+         switch (nameType) {
+             case ASN_DNS_TYPE:
+-                /* Should it also consider CN in subject? It could use
+-                 * subjectDnsName too */
+                 name = cert->altNames;
++
++                /* When no SAN is present, apply DNS name constraints to the
++                 * Subject CN. */
++                if (cert->subjectCN != NULL && cert->altNames == NULL) {
++                    subjectDnsName.next = NULL;
++                    subjectDnsName.type = ASN_DNS_TYPE;
++                    subjectDnsName.len  = cert->subjectCNLen;
++                    subjectDnsName.name = cert->subjectCN;
++                }
+                 break;
+             case ASN_RFC822_TYPE:
+                 /* Shouldn't it validate E= in subject as well? */
diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch 
wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch
--- wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch    1970-01-01 
01:00:00.000000000 +0100
+++ wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch    2026-07-05 
23:37:14.000000000 +0200
@@ -0,0 +1,59 @@
+Description: CVE-2026-7511 - report the verifying cert as the PKCS#7 signer
+Origin: upstream, 
https://github.com/wolfSSL/wolfssl/commit/b7f6e77a95bfeda306b22dd34394e49c0a6c8a8c
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-7511
+Forwarded: not-needed
+Author: wolfSSL
+Last-Update: 2026-06-29
+
+Index: wolfssl-5.7.2/src/ssl_p7p12.c
+===================================================================
+--- wolfssl-5.7.2.orig/src/ssl_p7p12.c
++++ wolfssl-5.7.2/src/ssl_p7p12.c
+@@ -273,24 +273,42 @@ WOLFSSL_STACK* wolfSSL_PKCS7_get0_signer
+     WOLFSSL_X509* x509 = NULL;
+     WOLFSSL_STACK* signers = NULL;
+     WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7;
++    byte* signerCert;
++    word32 signerCertSz;
+ 
+     if (p7 == NULL)
+         return NULL;
+ 
+-    /* Only PKCS#7 messages with a single cert that is the verifying 
certificate
+-     * is supported.
+-     */
+     if (flags & PKCS7_NOINTERN) {
+         WOLFSSL_MSG("PKCS7_NOINTERN flag not supported");
+         return NULL;
+     }
+ 
++    /* Prefer the certificate that actually verified the signature. Falling
++     * back to singleCert (cert[0]) would let an attacker that bundles a
++     * trusted cert ahead of their own attacker cert have the trusted cert
++     * reported as the signer even though it did not produce the signature.
++     *
++     * Copy the chosen pointer into a local before passing its address to
++     * wolfSSL_d2i_X509; d2i_X509 advances *in by the DER length, and if
++     * we handed it the address of the struct field directly it would
++     * permanently corrupt the field, producing a heap-OOB read on the
++     * next use (pointer advanced, singleCertSz unchanged). */
++    if (p7->pkcs7.verifyCert != NULL && p7->pkcs7.verifyCertSz > 0) {
++        signerCert   = p7->pkcs7.verifyCert;
++        signerCertSz = p7->pkcs7.verifyCertSz;
++    }
++    else {
++        signerCert   = p7->pkcs7.singleCert;
++        signerCertSz = p7->pkcs7.singleCertSz;
++    }
++
+     signers = wolfSSL_sk_X509_new_null();
+     if (signers == NULL)
+         return NULL;
+ 
+-    if (wolfSSL_d2i_X509(&x509, (const byte**)&p7->pkcs7.singleCert,
+-                         p7->pkcs7.singleCertSz) == NULL) {
++    if (wolfSSL_d2i_X509(&x509, (const byte**)&signerCert,
++                         signerCertSz) == NULL) {
+         wolfSSL_sk_X509_pop_free(signers, NULL);
+         return NULL;
+     }
diff -Nru wolfssl-5.7.2/debian/patches/series 
wolfssl-5.7.2/debian/patches/series
--- wolfssl-5.7.2/debian/patches/series 2025-08-10 15:17:47.000000000 +0200
+++ wolfssl-5.7.2/debian/patches/series 2026-07-05 23:43:31.000000000 +0200
@@ -5,3 +5,19 @@
 disable-crl-monitor.patch
 disable-jobserver.patch
 handle-debian-files.diff
+CVE-2026-5194.patch
+CVE-2026-55962.patch
+CVE-2026-55967.patch
+CVE-2026-6092.patch
+CVE-2026-6094.patch
+CVE-2026-6329.patch
+CVE-2026-6331.patch
+CVE-2026-6678.patch
+CVE-2026-6681.patch
+CVE-2026-6731.patch
+CVE-2026-6325.patch
+CVE-2026-55961.patch
+CVE-2026-7511.patch
+CVE-2026-6450.patch
+CVE-2026-55960.patch
+CVE-2026-5194-digest-sizes.patch

Reply via email to