Debian Patches
Status for openssl/3.5.4-1~deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian-targets.patch | debian-targets | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| man-section.patch | man-section | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| no-symbolic.patch | no-symbolic | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| pic.patch | pic | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| c_rehash-compat.patch | also create old hash for compatibility | Ludwig Nussel <ludwig.nussel@suse.de> | no | | | 2010-04-21 |
| Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch | Configure: allow to enable ktls if target does not start with Linux. The Debian build system uses a `debian` target which sets CFLAGS and then we have for instance debian-amd64 which inherits from linux-x86_64 and debian. So far so good. Since the target name does not start with `linux`, the build system does not enable ktls. So in order to get enabled, I added a `enable => [ "ktls" ],` to the generic linux config which sets it explicitly. Having this set, we can check for it instead of matching the target name. This commit is based on changes for afalgeng in commit 9e381e8a01859 ("Configure: allow to enable afalgeng if target does not start with Linux") | Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | no | | | 2021-04-01 |
| conf-Serialize-allocation-free-of-ssl_names.patch | conf: Serialize allocation/free of ssl_names. The access to `ssl_names` is not fully serialized. With multiple threads it is possible that more than one thread starts to clean up `ssl_names`. This leads to occasional segfaults if more than one terminates and performs the clean up. | Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | no | | | 2022-09-19 |
| pkcs12-Validate-salt-and-keylength-in-PBMAC1.patch | pkcs12: Validate salt and keylength in PBMAC1. The keylength value must be present and we accept EVP_MAX_MD_SIZE at maximum. The salt ASN.1 type must be OCTET STRING. Fixes CVE-2025-11187. Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research). Reported independently also by Hamza (Metadust). | Tomas Mraz <tomas@openssl.org> | no | | | 2026-01-08 |
| Add-testcase-for-PKCS12-with-invalid-PBMAC1-key-length.patch | Add testcase for PKCS12 with invalid PBMAC1 key length | Tomas Mraz <tomas@openssl.org> | no | | | 2026-01-08 |
| Correct-handling-of-AEAD-encrypted-CMS-with-inadmissibly-.patch | Correct handling of AEAD-encrypted CMS with inadmissibly long IV. Fixes CVE-2025-15467 | Igor Ustinov <igus68@gmail.com> | no | | | 2026-01-12 |
| Some-comments-to-clarify-functions-usage.patch | Some comments to clarify functions usage | Igor Ustinov <igus68@gmail.com> | no | | | 2026-01-12 |
| Test-for-handling-of-AEAD-encrypted-CMS-with-inadmissibly.patch | Test for handling of AEAD-encrypted CMS with inadmissibly long IV | Igor Ustinov <igus68@gmail.com> | no | | | 2026-01-11 |
| ossl_quic_get_cipher_by_char-Add-a-NULL-guard-before-dere.patch | ossl_quic_get_cipher_by_char(): Add a NULL guard before dereferencing SSL_CIPHER. Fixes CVE-2025-15468 | Daniel Kubec <kubec@openssl.org> | no | | | 2026-01-09 |
| Report-truncation-in-oneshot-openssl-dgst-sign.patch | Report truncation in oneshot `openssl dgst -sign`. Previously input was silently truncated at 16MB, now if the input is longer than limit, an error is reported. The bio_to_mem() apps helper function was changed to return 0 or 1, and return the size of the result via an output size_t pointer. Fixes CVE-2025-15469 | Viktor Dukhovni <openssl-users@dukhovni.org> | no | | | 2026-01-07 |
| Check-the-received-uncompressed-certificate-length-to-pre.patch | Check the received uncompressed certificate length to prevent excessive pre-decompression allocation. The patch was proposed by Tomas Dulka and Stanislav Fort (Aisle Research). | Igor Ustinov <igus68@gmail.com> | no | | | 2026-01-08 |
| Fix-heap-buffer-overflow-in-BIO_f_linebuffer.patch | Fix heap buffer overflow in BIO_f_linebuffer. When a BIO_f_linebuffer is part of a bio chain, and the next BIO performs short writes, the remainder of the unwritten buffer is copied unconditionally to the internal buffer ctx->obuf, which may not be sufficiently sized to handle the remaining data, resulting in a buffer overflow. Fix it by only copying data when ctx->obuf has space, flushing to the next BIO to increase available storage if needed. Fixes CVE-2025-68160 | Neil Horman <nhorman@openssl.org> | no | | | 2026-01-07 |
| Fix-OCB-AES-NI-HW-stream-path-unauthenticated-unencrypted.patch | Fix OCB AES-NI/HW stream path unauthenticated/unencrypted trailing bytes. When ctx->stream (e.g., AES-NI or ARMv8 CE) is available, the fast path encrypts/decrypts full blocks but does not advance in/out pointers. The tail-handling code then operates on the base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unencrypted (encryption) or using the wrong plaintext (decryption). The authentication checksum excludes the true tail. CVE-2025-69418 | Norbert Pocs <norbertp@openssl.org> | no | | | 2026-01-08 |
| Harden-ASN1_mbstring_ncopy.patch | Harden ASN1_mbstring_ncopy. Reported by Murali Aniruddhan (Merged from https://github.com/openssl/openssl/pull/29376) | Norbert Pocs <norbertp@openssl.org> | no | | | 2025-12-11 |
| Check-return-code-of-UTF8_putc.patch | Check return code of UTF8_putc (Merged from https://github.com/openssl/openssl/pull/29376) | Norbert Pocs <norbertp@openssl.org> | no | | | 2025-12-11 |
| Verify-ASN1-object-s-types-before-attempting-to-access-th.patch | Verify ASN1 object's types before attempting to access them as a particular type. Issue was reported in ossl_ess_get_signing_cert but is also present in ossl_ess_get_signing_cert_v2. Fixes CVE-2025-69420 | Bob Beck <beck@openssl.org> | no | | | 2026-01-07 |
| Add-NULL-check-to-PKCS12_item_decrypt_d2i_ex.patch | Add NULL check to PKCS12_item_decrypt_d2i_ex. Address CVE-2025-69421. Add NULL check for oct parameter | Andrew Dinh <andrewd@openssl.org> | no | | | 2026-01-08 |
| Ensure-ASN1-types-are-checked-before-use.patch | Ensure ASN1 types are checked before use. Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8; this fix includes the other fixes in that commit, as well as fixes for others found by a scan for a similar unvalidated access paradigm in the tree. (Merged from https://github.com/openssl/openssl/pull/29582) | Bob Beck <beck@openssl.org> | no | | | 2026-01-07 |

All known versions for source package 'openssl'
- 3.6.1-1 (experimental)
- 3.5.5-1 (sid)
- 3.5.4-1 (forky)
- 3.5.4-1~deb13u2 (trixie-proposed-updates, trixie-security)
- 3.5.4-1~deb13u1 (trixie)
- 3.0.18-1~deb12u2 (bookworm-security, bookworm-proposed-updates)
- 3.0.18-1~deb12u1 (bookworm)
- 3.0.17-1~deb12u2 (bookworm-updates)
- 3.0.14-1~deb12u1 (bookworm-backports)
