Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9d0e869d by Salvatore Bonaccorso at 2026-01-27T20:34:27+01:00
Reserve DSA number for openssl update
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,5 +1,6 @@
CVE-2025-11187 [Improper validation of PBMAC1 parameters in PKCS#12 MAC
verification]
- openssl <unfixed>
+ [trixie] - openssl 3.5.4-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code introduced later)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
NOTE: https://openssl-library.org/news/secadv/20260127.txt
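Review bot: CVE-2025-11187 gets a [trixie] fixed version of 3.5.4-1~deb13u2 but, unlike the CVE-2025-15468 and CVE-2025-15469 entries further down in the same file, records no upstream fix commit, only the advisory URL; a "NOTE: Fixed by:" line pointing at the upstream commit would make the backport auditable. The unstable line `- openssl <unfixed>` is kept as context, which is the expected interim state when a stable upload lands before the unstable one, so this entry should be revisited once the fixed unstable version (the advisory references 3.5.5) is uploaded.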
@@ -18,18 +19,21 @@ CVE-2025-15467 [Stack buffer overflow in CMS
AuthEnvelopedData parsing]
NOTE: Test:
https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f
(openssl-3.0.19)
CVE-2025-15468 [NULL dereference in SSL_CIPHER_find() function on unknown
cipher ID]
- openssl <unfixed>
+ [trixie] - openssl 3.5.4-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code introduced later)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
NOTE: https://openssl-library.org/news/secadv/20260127.txt
NOTE: Fixed by:
https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65
(openssl-3.5.5)
CVE-2025-15469 ["openssl dgst" one-shot codepath silently truncates inputs
>16MB]
- openssl <unfixed>
+ [trixie] - openssl 3.5.4-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code introduced later)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
NOTE: https://openssl-library.org/news/secadv/20260127.txt
NOTE: Fixed by:
https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61
(openssl-3.5.5)
CVE-2025-66199 [TLS 1.3 CompressedCertificate excessive memory allocation]
- openssl <unfixed>
+ [trixie] - openssl 3.5.4-1~deb13u2
[bookworm] - openssl <not-affected> (Vulnerable code introduced later)
[bullseye] - openssl <not-affected> (Vulnerable code introduced later)
NOTE: https://openssl-library.org/news/secadv/20260127.txt
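Review bot: CVE-2025-66199 is marked fixed in trixie 3.5.4-1~deb13u2 with only the advisory URL as a NOTE, whereas the neighbouring CVE-2025-15468 and CVE-2025-15469 entries in this hunk each carry a "NOTE: Fixed by:" upstream commit reference; adding the corresponding commit for CVE-2025-66199 keeps the three entries consistent. As in the first hunk, all three CVEs keep `- openssl <unfixed>` for unstable while trixie is marked fixed, so the unstable status needs a follow-up once 3.5.5 or a patched upload reaches the archive.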
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,7 @@
+[27 Jan 2026] DSA-6113-1 openssl - security update
+ {CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419
CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796}
+ [bookworm] - openssl 3.0.18-1~deb12u2
+ [trixie] - openssl 3.5.4-1~deb13u2
[27 Jan 2026] DSA-6112-1 openjdk-21 - security update
{CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945}
[trixie] - openjdk-21 21.0.10+7-1~deb13u1
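Review bot: The CVE set in the DSA-6113-1 entry, `{CVE-2025-15467 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796}`, does not include CVE-2025-11187, CVE-2025-15468, CVE-2025-15469 or CVE-2025-66199, yet the data/CVE/list hunks in this same commit mark exactly those four as fixed in trixie by the same version `3.5.4-1~deb13u2` that this entry assigns to trixie. Either those four belong in the braces (they are trixie-only, since bookworm and bullseye are marked <not-affected>), or they are deliberately left out of the advisory text and should be noted as such, otherwise the tracker's DSA/CVE cross-checks will report the mismatch.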
=====================================
data/dsa-needed.txt
=====================================
@@ -55,8 +55,6 @@ openjdk-25/stable (jmm)
opennds/oldstable
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
-openssl (carnil)
---
pdfminer
Required followup for CVE-2025-64512 as original fix was incomplete.
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d0e869de0c27888cbfd973ee0a7bdfc4d0788eb
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits