Debian Patches

Status for openssl/3.0.20-1~deb12u2

Patch: Match-the-local-q-DHX-parameter-against-the-peer-s-q.patch
Description: Match the local q DHX parameter against the peer's q
  As FFC/DH peer public key validation uses the peer's q value instead
  of checking against the local q, we must also check that these
  q values match when setting the peer's public key.

  Fixes CVE-2026-42770
Author: Norbert Pocs <norbertp@openssl.org>
Forwarded: no
Last update: 2026-05-12

Patch: Apply-the-buffered-IV-on-the-AES-OCB-EVP_Cipher-path.patch
Description: Apply the buffered IV on the AES-OCB EVP_Cipher() path
  aes_ocb_cipher(), the OCB provider's OSSL_FUNC_CIPHER_CIPHER slot,
  processed input without flushing the buffered IV into the OCB
  context. Effective nonce was 0 regardless of the caller's IV;
  EVP_*Final_ex() then emitted a tag depending only on (key, iv).
  This gave (key, nonce) reuse and single-query universal forgery on
  the EVP_Cipher() path.

  Apply update_iv() at the head of aes_ocb_cipher() to mirror the
  streaming handler. The matching GCM one-shot does this already.

  Add a cross-driver round-trip test for AES-{GCM,CCM,OCB} and
  ChaCha20-Poly1305 in test/evp_extra_test.c. Each cipher is
  exercised with and without AAD; the no-AAD case is needed because
  any prior EVP_CipherUpdate(NULL, aad, ...) routes through the
  streaming handler and applies the IV itself, masking the bug.

  Fixes CVE-2026-45445
Author: Viktor Dukhovni <viktor@openssl.org>
Forwarded: no
Last update: 2026-05-18

Patch: Fix-handling-of-empty-ciphertext-messages-in-AES-SIV.patch
Description: Fix handling of empty-ciphertext messages in AES-SIV
  Messages on context reuse.

  Fixes CVE-2026-45446
Author: Dmitry Belyavskiy <beldmit@gmail.com>
Forwarded: no
Last update: 2026-05-13

Patch: Fix-possible-use-after-free-in-OpenSSL-PKCS7_verify.patch
Description: Fix possible use-after-free in OpenSSL PKCS7_verify()
  Fixes CVE-2026-45447
Author: Igor Ustinov <igus@openssl.foundation>
Forwarded: no
Last update: 2026-05-16

Patch: Test-for-CVE-2026-45447-UAF-in-PKCS7_verify.patch
Description: Test for CVE-2026-45447 (UAF in PKCS7_verify)
  The test data were created with a tool developed by
  Thai Duong <thai@calif.io>.
Author: Igor Ustinov <igus@openssl.foundation>
Forwarded: no
Last update: 2026-05-16

Patch: debian-targets.patch
Description: debian-targets
Author: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Forwarded: no
Last update: 2017-11-05

Patch: man-section.patch
Description: man-section
Author: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Forwarded: no
Last update: 2017-11-05

Patch: no-symbolic.patch
Description: no-symbolic
Author: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Forwarded: no
Last update: 2017-11-05

Patch: pic.patch
Description: pic
Author: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Forwarded: no
Last update: 2017-11-05

Patch: c_rehash-compat.patch
Description: also create old hash for compatibility
Author: Ludwig Nussel <ludwig.nussel@suse.de>
Forwarded: no
Last update: 2010-04-21

Patch: Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
Description: Configure: allow to enable ktls if target does not start with Linux
  The Debian build system uses a `debian' target which sets CFLAGS and
  then we have for instance debian-amd64 which inherits from
  linux-x86_64 and debian. So far so good.

  Since the target name does not start with `linux', the build system does not
  enable ktls. So in order to get enabled, I added an
  `enable => [ "ktls" ],'
  to the generic linux config which sets it explicitly. Having this set, we can
  check for it instead of matching the target name.

  This commit is based on changes for afalgeng in commit
  9e381e8a01859 ("Configure: allow to enable afalgeng if target does not start with Linux")
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Forwarded: no
Last update: 2021-04-01

Patch: Remove-the-provider-section.patch
Description: Remove the provider section.
  The provider section breaks libssl1.1 users. Remove it for now.
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Forwarded: no
Last update: 2022-06-08

Patch: conf-Serialize-allocation-free-of-ssl_names.patch
Description: conf: Serialize allocation/free of ssl_names.
  The access to `ssl_names' is not fully serialized. With multiple threads
  it is possible that more than one thread starts to clean up `ssl_names'.
  This leads to occasional segfaults if more than one terminates and
  performs the clean up.
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Forwarded: no
Last update: 2022-09-19

Patch: Fix-tests-for-new-default-security-level.patch
Description: Fix tests for new default security level
  Fix tests that were expecting a default security level of 1 to work with
  the new default of 2.

  (Merged from https://github.com/openssl/openssl/pull/16760)
Author: Matt Caswell <matt@openssl.org>
Forwarded: no
Last update: 2021-10-05

Patch: Reject-oversized-inputs-in-ASN1_mbstring_ncopy.patch
Description: Reject oversized inputs in ASN1_mbstring_ncopy()
  In ASN1_mbstring_ncopy() the destination size for BMPSTRING and
  UNIVERSALSTRING output was computed by a signed left shift on an
  int:

    outlen = nchar << 1; /* MBSTRING_BMP */
    outlen = nchar << 2; /* MBSTRING_UNIV */

  For nchar large enough the result is not representable in int. In
  the worst case (nchar == 0x40000000) nchar << 2 wraps to zero,
  OPENSSL_malloc(1) is called, and traverse_string() then writes
  4*nchar bytes into the one-byte allocation: a heap buffer
  overflow. The MBSTRING_UTF8 path computes outlen by summing
  per-character byte counts in out_utf8(), and that sum can overflow
  the same int under similarly large inputs.

  Neither path is reachable from code that processes X.509
  certificates through the DIRSTRING_TYPE mask used by
  ASN1_STRING_set_by_NID(): UNIVERSALSTRING is absent from that
  mask, and the UTF-8 sum requires inputs on the order of half a
  gigabyte. Reaching them needs an application that calls
  ASN1_mbstring_copy()/ASN1_mbstring_ncopy() directly, or registers
  a custom NID via ASN1_STRING_TABLE_add(), with an oversized
  attacker-controlled input.

  Add range checks before each shift and in out_utf8(), raising
  ASN1_R_STRING_TOO_LONG at the point of detection. Move the
  existing ASN1_R_INVALID_UTF8STRING raise into out_utf8() too so
  the two failure modes report distinct codes; the MBSTRING_UTF8
  caller is left with cleanup only and now frees dest on error,
  matching the BMP/UNIV branches.

  Fixes CVE-2026-7383
Author: Viktor Dukhovni <viktor@openssl.org>
Forwarded: no
Last update: 2026-04-29

Patch: cms-kek_unwrap_key-Fix-out-of-bounds-read-in-check-byte-v.patch
Description: cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
  The check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6]
  unconditionally, so the decrypted buffer must hold at least seven
  octets. The pre-decryption size check enforces inlen >= 2 * blocklen,
  which yields the required seven octets only when blocklen >= 4. For
  a KEK cipher with a smaller block size, inlen can be as small as
  2 * blocklen and the check-byte read overruns the inlen-sized tmp
  allocation.

  Reject blocklen < 4 in the early sanity check. All block ciphers
  appropriate for CMS PasswordRecipientInfo key wrapping have a block
  size of at least 8 octets (DES/3DES = 8, AES = 16), so this only
  forbids ciphers that would not be valid KEK choices anyway, and the
  existing inlen >= 2 * blocklen check then guarantees the seven-octet
  lower bound the check-byte test relies on.

  Fixes CVE-2026-9076
Author: Nikola Pajkovsky <nikolap@openssl.org>
Forwarded: no
Last update: 2026-05-21

Patch: cms-kek_unwrap_key-test-for-fix-out-of-bounds-read-in-che.patch
Description: cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
  Added an EnvelopedData blob with a PasswordRecipientInfo using
  id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher. CFB's 1-byte
  effective block size let the inlen >= 2 * blocklen guard in
  kek_unwrap_key() accept a wrapped key shorter than the seven octets
  the check-byte test reads from tmp[1..6]; the encryptedKey OCTET
  STRING here is only two bytes.
Author: Nikola Pajkovsky <nikolap@openssl.org>
Forwarded: no
Last update: 2026-05-21

Patch: Avoid-length-truncation-in-ASN1_STRING_set.patch
Description: Avoid length truncation in ASN1_STRING_set
  The ASN1_STRING_set() function takes an `int` length; make sure the
  argument is not inadvertently truncated when it is called from
  asn1_ex_c2i().

  Fixes CVE-2026-34180
Author: Viktor Dukhovni <viktor@openssl.org>
Forwarded: no
Last update: 2026-05-15

Patch: CMS-Produce-error-when-AEAD-algorithms-are-used-in-envelo.patch
Description: CMS: Produce error when AEAD algorithms are used in enveloped data
  Fixes GH-21414

  (Merged from https://github.com/openssl/openssl/pull/27772)
Author: Jakub Zelenka <jakub.openssl@gmail.com>
Forwarded: no
Last update: 2025-05-22

Patch: Reject-potentially-forged-encrypted-CMS-AuthEnvelopedData.patch
Description: Reject potentially forged encrypted CMS AuthEnvelopedData messages
  1. Adjust ossl_cms_EncryptedContent_init_bio to not accept non-AEAD
     ciphers.

     If a forged CMS message with AuthEnvelopedData is received with
     a non-AEAD cipher specified, we silently accept that and decrypt
     the message, skipping any authentication, which violates RFC 5083.

     We also add checks to ensure we fail if we try to encrypt
     AuthEnvelopedData without using an AEAD cipher.

  2. Ensure that tag lengths on CMS AEAD data are the recommended size.

     RFC 5084 recommends that mac tags be at least 12 bytes for AES-GCM
     and 4 bytes for AES-CCM on AuthEnvelopedData. As this code is not
     algorithm-specific we add a check for a minimal size and just use the
     lower limit which is sufficient to prevent this attack.

     Without this check, it's possible to set the tag length to 1 and within
     256 guesses, forge a CMS message.

  Fixes CVE-2026-34182
Author: Neil Horman <nhorman@openssl.org>
Forwarded: no
Last update: 2026-04-17

Patch: Add-tests-for-CVE-2026-34182.patch
Description: Add tests for CVE-2026-34182
  Test to ensure that for a given CMS message:

  1) We do not allow the creation of a CMS message containing
     AuthEnvelopedData with a non-AEAD cipher.
  2) We do not accept a message containing AuthEnvelopedData with a
     non-AEAD cipher specified in the AlgorithmIdentifier.
  3) We do not allow tag lengths less than 4 bytes.
Author: Neil Horman <nhorman@openssl.org>
Forwarded: no
Last update: 2026-05-05

Patch: Fix-potential-NULL-dereference-processing-CMS-PasswordRec.patch
Description: Fix potential NULL dereference processing CMS PasswordRecipientInfo
  Avoid NULL dereferencing when keyDerivationAlgorithm is absent
  in CMS PasswordRecipientInfo.

  Fixes CVE-2026-42766
Author: Igor Ustinov <igus@openssl.foundation>
Forwarded: no
Last update: 2026-05-21

Patch: Test-for-CVE-2026-42766.patch
Description: Test for CVE-2026-42766
  The script make_missing_kdf_der.py was developed by Mayank Jangid
  and Kushal Khemka.
Author: Igor Ustinov <igus@openssl.foundation>
Forwarded: no
Last update: 2026-05-20