Debian Patches
Status for openssl/3.5.6-1~deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian-targets.patch | debian-targets | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| man-section.patch | man-section | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| no-symbolic.patch | no-symbolic | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| pic.patch | pic | Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> | no | | | 2017-11-05 |
| c_rehash-compat.patch | also create old hash for compatibility | Ludwig Nussel <ludwig.nussel@suse.de> | no | | | 2010-04-21 |
| Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch | Configure: allow to enable ktls if target does not start with Linux. The Debian build system uses a `debian' target which sets CFLAGS and then we have for instance debian-amd64 which inherits from linux-x86_64 and debian. So far so good. Since the target name does not start with `linux', the build system does not enable ktls. So in order to get it enabled, I added a `enable => [ "ktls" ],' to the generic linux config which sets it explicitly. Having this set, we can check for it instead of matching the target name. This commit is based on changes for afalgeng in commit 9e381e8a01859 ("Configure: allow to enable afalgeng if target does not start with Linux") | Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | no | | | 2021-04-01 |
| conf-Serialize-allocation-free-of-ssl_names.patch | conf: Serialize allocation/free of ssl_names. The access to `ssl_names' is not fully serialized. With multiple threads it is possible that more than one thread starts to clean up `ssl_names'. This leads to occasional segfaults if more than one terminates and performs the clean up. | Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | no | | | 2022-09-19 |
| Reject-oversized-inputs-in-ASN1_mbstring_ncopy.patch | Reject oversized inputs in ASN1_mbstring_ncopy(). In ASN1_mbstring_ncopy() the destination size for BMPSTRING and UNIVERSALSTRING output was computed by a signed left shift on an int: outlen = nchar << 1; /* MBSTRING_BMP */ outlen = nchar << 2; /* MBSTRING_UNIV */ For nchar large enough the result is not representable in int. In the worst case (nchar == 0x40000000) nchar << 2 wraps to zero, OPENSSL_malloc(1) is called, and traverse_string() then writes 4*nchar bytes into the one-byte allocation: a heap buffer overflow. The MBSTRING_UTF8 path computes outlen by summing per-character byte counts in out_utf8(), and that sum can overflow the same int under similarly large inputs. Neither path is reachable from code that processes X.509 certificates through the DIRSTRING_TYPE mask used by ASN1_STRING_set_by_NID(): UNIVERSALSTRING is absent from that mask, and the UTF-8 sum requires inputs on the order of half a gigabyte. Reaching them needs an application that calls ASN1_mbstring_copy()/ASN1_mbstring_ncopy() directly, or registers a custom NID via ASN1_STRING_TABLE_add(), with an oversized attacker-controlled input. Add range checks before each shift and in out_utf8(), raising ASN1_R_STRING_TOO_LONG at the point of detection. Move the existing ASN1_R_INVALID_UTF8STRING raise into out_utf8() too so the two failure modes report distinct codes; the MBSTRING_UTF8 caller is left with cleanup only and now frees dest on error, matching the BMP/UNIV branches. Fixes CVE-2026-7383 | Viktor Dukhovni <viktor@openssl.org> | no | | | 2026-04-29 |
| cms-kek_unwrap_key-Fix-out-of-bounds-read-in-check-byte-v.patch | cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation. The check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6] unconditionally, so the decrypted buffer must hold at least seven octets. The pre-decryption size check enforces inlen >= 2 * blocklen, which yields the required seven octets only when blocklen >= 4. For a KEK cipher with a smaller block size, inlen can be as small as 2 * blocklen and the check-byte read overruns the inlen-sized tmp allocation. Reject blocklen < 4 in the early sanity check. All block ciphers appropriate for CMS PasswordRecipientInfo key wrapping have a block size of at least 8 octets (DES/3DES = 8, AES = 16), so this only forbids ciphers that would not be valid KEK choices anyway, and the existing inlen >= 2 * blocklen check then guarantees the seven-octet lower bound the check-byte test relies on. Fixes CVE-2026-9076 | Nikola Pajkovsky <nikolap@openssl.org> | no | | | 2026-05-21 |
| cms-kek_unwrap_key-test-for-fix-out-of-bounds-read-in-che.patch | cms: kek_unwrap_key: test for fix of out-of-bounds read in check-byte validation. Added an EnvelopedData blob with a PasswordRecipientInfo using id-alg-PWRI-KEK and an AES-128-CFB key encryption cipher. CFB's 1-byte effective block size let the inlen >= 2 * blocklen guard in kek_unwrap_key() accept a wrapped key shorter than the seven octets the check-byte test reads from tmp[1..6]; the encryptedKey OCTET STRING here is only two bytes. | Nikola Pajkovsky <nikolap@openssl.org> | no | | | 2026-05-21 |
| Avoid-length-truncation-in-ASN1_STRING_set.patch | Avoid length truncation in ASN1_STRING_set. The ASN1_STRING_set() function takes an `int` length; make sure the argument is not inadvertently truncated when it is called from asn1_ex_c2i(). Fixes CVE-2026-34180 | Viktor Dukhovni <openssl-users@dukhovni.org> | no | | | 2026-04-07 |
| pkcs12-verify-that-the-pbmac1-key-length-is-safe.patch | pkcs12: verify that the pbmac1 key length is safe. Short MAC keys (as short as 1 byte) can be used to probe the system under attack to accept a PKCS#12 file created by an attacker even if the attacker doesn't know the password used for MAC protection. Fixes CVE-2026-34181 (also update the reference to the PBMAC1 PKCS#12 RFC) | Alicja Kario <hkario@redhat.com> | no | | | 2026-04-29 |
| Reject-potentially-forged-encrypted-CMS-AuthEnvelopedData.patch | Reject potentially forged encrypted CMS AuthEnvelopedData messages. 1. Adjust ossl_cms_EncryptedContent_init_bio to not accept non-AEAD ciphers. If a forged CMS message with AuthEnvelopedData is received with a non-AEAD cipher specified, we silently accept that and decrypt the message, skipping any authentication, which violates RFC 5083. We also add checks to ensure we fail if we try to encrypt AuthEnvelopedData without using an AEAD cipher. 2. Ensure that tag lengths on CMS AEAD data are the recommended size. RFC 5084 recommends that MAC tags be at least 12 bytes for AES-GCM and 4 bytes for AES-CCM on AuthEnvelopedData. As this code is not algorithm-specific we add a check for a minimal size and just use the lower limit, which is sufficient to prevent this attack. Without this check, it's possible to set the tag length to 1 and, within 256 guesses, forge a CMS message. Fixes CVE-2026-34182 | Neil Horman <nhorman@openssl.org> | no | | | 2026-04-17 |
| Add-tests-for-CVE-2026-34182.patch | Add tests for CVE-2026-34182. Test to ensure that for a given CMS message: 1) We do not allow the creation of a CMS message containing AuthEnvelopedData with a non-AEAD cipher. 2) We do not accept a message containing AuthEnvelopedData with a non-AEAD cipher specified in the AlgorithmIdentifier. 3) We do not allow tag lengths less than 4 bytes. | Neil Horman <nhorman@openssl.org> | no | | | 2026-05-05 |
| QUIC-stack-must-limit-the-number-of-PATH_CHALLENGE-frames.patch | QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX. Currently the local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE frame it receives in a single packet from its remote peer. The memory with the PATH_RESPONSE frame is released after the local QUIC stack receives an ACK which confirms reception of the PATH_RESPONSE by the remote peer. This gives the remote peer too much control over the memory resources the local QUIC stack may consume. Quoting RFC 9000 section 9.2.1: ...an endpoint SHOULD NOT send multiple PATH_CHALLENGE frames in a single packet. Limiting the number of PATH_CHALLENGE frames to 1 per QUIC packet received helps to reduce the heap memory overhead required to process PATH_CHALLENGE frames. Currently the QUIC ACKM (ACK manager) keeps all frames in the retransmission buffer until an ACK is received. It can be changed so that frames which don't need to be ACKed are not kept in the retransmission buffer; those can be released right after transmission. Fixes CVE-2026-34183 | Alexandr Nedvedicky <sashan@openssl.org> | no | | | 2026-03-26 |
| Add-test-for-path-challenge-flood-mitigation.patch | Add test for path challenge flood mitigation. The client injects 16 path challenge frames. Those are received by the server. Only one challenge frame of the 16 received triggers a path challenge response. The remaining challenge frames are discarded/ignored. The test introduces two counters to the channel object: path_challenge_rx, which is bumped for every path challenge frame received, and path_response_tx, which is bumped for every path response frame transmitted. A successful test verifies the server receives 16 path challenge frames but sends just one path response frame in response. | Alexandr Nedvedicky <sashan@openssl.org> | no | | | 2026-04-21 |
| Fix-NULL-dereference-in-QUIC-address-validation.patch | Fix NULL dereference in QUIC address validation. The QUIC server crashes when address validation (RFC 9000, Section 8.1) is disabled and the client sends an initial packet with an invalid token. Issue reported and fix submitted by Sunwoo Lee (KENTECH), Hyuk Lim (KENTECH) and Seunghyun Yoon (KENTECH). Fixes CVE-2026-42764 | Alexandr Nedvedicky <sashan@openssl.org> | no | | | 2026-05-12 |
| Fix-potential-NULL-dereference-processing-CMS-PasswordRec.patch | Fix potential NULL dereference processing CMS PasswordRecipientInfo. Avoid NULL dereferencing when keyDerivationAlgorithm is absent in CMS PasswordRecipientInfo. Fixes CVE-2026-42766 | Igor Ustinov <igus@openssl.foundation> | no | | | 2026-05-21 |
| Test-for-CVE-2026-42766.patch | Test for CVE-2026-42766. The script make_missing_kdf_der.py was developed by Mayank Jangid and Kushal Khemka. | Igor Ustinov <igus@openssl.foundation> | no | | | 2026-05-20 |
| Fix-potential-NULL-dereference-in-OSSL_CRMF_ENCRYPTEDVALU.patch | Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt(). Check that 'parameter' != NULL before dereferencing in OSSL_CRMF_ENCRYPTEDVALUE_decrypt(). Fixes CVE-2026-42767 | Igor Ustinov <igus@openssl.foundation> | no | | | 2026-05-11 |
| Enforce-implicit-rejection-for-CMS-PKCS-7-decryption.patch | Enforce implicit rejection for CMS/PKCS#7 decryption. Drop the disablement of the implicit rejection for RSA PKCS#1 v1.5 decryption. Fixes CVE-2026-42768 | Dmitry Belyavskiy <beldmit@gmail.com> | no | | | 2026-05-15 |
| Use-the-correct-issuer-when-validating-rootCAKeyUpdate.patch | Use the correct issuer when validating rootCAKeyUpdate. This correctly uses the existing root, and not the same certificate as the root of the chain to validate. While we are here, we also turn on self-signed certificate signature checking, as this case is actually bringing in trust anchors as self-signed certs, and fix a possible NULL deref. Fixes CVE-2026-42769 | Bob Beck <beck@openssl.org> | no | | | 2026-04-17 |
| Match-the-local-q-DHX-parameter-against-the-peer-s-q.patch | Match the local q DHX parameter against the peer's q. As FFC/DH peer public key validation uses the peer's q value instead of checking against the local q, we must also check that these q values match when setting the peer's public key. Fixes CVE-2026-42770 | Norbert Pocs <norbertp@openssl.org> | no | | | 2026-05-12 |
| Apply-the-buffered-IV-on-the-AES-OCB-EVP_Cipher-path.patch | Apply the buffered IV on the AES-OCB EVP_Cipher() path. aes_ocb_cipher(), the OCB provider's OSSL_FUNC_CIPHER_CIPHER slot, processed input without flushing the buffered IV into the OCB context. The effective nonce was 0 regardless of the caller's IV; EVP_*Final_ex() then emitted a tag depending only on (key, iv). This gave (key, nonce) reuse and single-query universal forgery on the EVP_Cipher() path. Apply update_iv() at the head of aes_ocb_cipher() to mirror the streaming handler. The matching GCM one-shot does this already. Add a cross-driver round-trip test for AES-{GCM,CCM,OCB} and ChaCha20-Poly1305 in test/evp_extra_test.c. Each cipher is exercised with and without AAD; the no-AAD case is needed because any prior EVP_CipherUpdate(NULL, aad, ...) routes through the streaming handler and applies the IV itself, masking the bug. Fixes CVE-2026-45445 | Viktor Dukhovni <viktor@openssl.org> | no | | | 2026-05-18 |
| Fix-handling-of-empty-ciphertext-messages-in-AES-GCM-SIV-.patch | Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV. Messages on context reuse. Fixes CVE-2026-45446 | Dmitry Belyavskiy <beldmit@gmail.com> | no | | | 2026-05-13 |
| Fix-possible-use-after-free-in-OpenSSL-PKCS7_verify.patch | Fix possible use-after-free in OpenSSL PKCS7_verify(). Fixes CVE-2026-45447 | Igor Ustinov <igus@openssl.foundation> | no | | | 2026-05-16 |
| Test-for-CVE-2026-45447-UAF-in-PKCS7_verify.patch | Test for CVE-2026-45447 (UAF in PKCS7_verify). The test data were created with a tool developed by Thai Duong <thai@calif.io>. | Igor Ustinov <igus@openssl.foundation> | no | | | 2026-05-16 |
All known versions for source package 'openssl'
- 4.0.1-1 (experimental)
- 3.6.3-1 (forky, sid)
- 3.5.6-1~deb13u2 (trixie-proposed-updates, trixie-security)
- 3.5.6-1~deb13u1 (trixie)
- 3.0.20-1~deb12u2 (bookworm-security, bookworm-proposed-updates)
- 3.0.20-1~deb12u1 (bookworm)
- 3.0.17-1~deb12u2 (bookworm-updates)
- 3.0.14-1~deb12u1 (bookworm-backports)
