Your message dated Fri, 15 May 2026 17:48:50 +0000
with message-id <[email protected]>
and subject line Bug#1133841: fixed in mbedtls 3.6.6-0.1
has caused the Debian Bug report #1133841,
regarding mbedtls: CVE-2026-25833 CVE-2026-25834 CVE-2026-25835
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 3.6.5-0.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for mbedtls.
CVE-2026-25833[0]:
| Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer
| overflow in the x509_inet_pton_ipv6() function
CVE-2026-25834[1]:
| Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
CVE-2026-25835[2]:
| Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in
| a Pseudo-Random Number Generator (PRNG).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-25833
https://www.cve.org/CVERecord?id=CVE-2026-25833
[1] https://security-tracker.debian.org/tracker/CVE-2026-25834
https://www.cve.org/CVERecord?id=CVE-2026-25834
[2] https://security-tracker.debian.org/tracker/CVE-2026-25835
https://www.cve.org/CVERecord?id=CVE-2026-25835
Regards,
Salvatore
--- End Message ---
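The three CVE summaries quoted in the report each give an affected upstream range. The following script turns those ranges into a check that can be run against a Debian package version string. It is an added example, not part of the bug report and not Debian or Mbed TLS tooling: the AFFECTED table is transcribed from the quoted summaries (the two places where a bound had to be inferred are marked as assumptions in the comments), and upstream_version() and affected_cves() are this example's own helpers.

```python
"""Flag which of the three CVEs in the report above apply to an mbedtls
package version, using the affected ranges quoted in the CVE summaries.

Added example; not part of the Debian bug report and not Mbed TLS or Debian
tooling. AFFECTED is transcribed from the quoted summaries, with the two
assumptions marked below; upstream_version() and affected_cves() are this
example's own helpers.
"""
from __future__ import annotations

import re
import sys

# (first affected, first fixed) per release branch, upper bound exclusive.
AFFECTED: dict[str, list[tuple[str, str]]] = {
    # "3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0": the 4.x bound is inferred
    # from "fixed in 4.1.0" (assumption: 4.0.0 is affected).
    "CVE-2026-25833": [("3.5.0", "3.6.6"), ("4.0.0", "4.1.0")],
    # "v3.3.0 up to 3.6.5 and 4.0.0": the summary names 4.0.0 only and gives
    # no 4.x fix version, so only 4.0.0 itself is flagged (assumption).
    "CVE-2026-25834": [("3.3.0", "3.6.6"), ("4.0.0", "4.0.1")],
    # "before 3.6.6" (the TF-PSA-Crypto 1.1.0 bound is a separate package).
    "CVE-2026-25835": [("0.0.0", "3.6.6")],
}


def upstream_version(debian_version: str) -> tuple[int, int, int]:
    """Reduce a Debian version ("1:3.6.5+dfsg-0.1") to the numeric upstream
    part, padded to three components: (3, 6, 5)."""
    v = debian_version.split(":", 1)[-1]      # drop epoch
    v = v.rsplit("-", 1)[0]                   # drop Debian revision, if any
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {debian_version!r}")
    parts = [int(x) for x in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def affected_cves(debian_version: str) -> list[str]:
    """Return the CVE ids whose affected range contains this version."""
    v = upstream_version(debian_version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(upstream_version(lo) <= v < upstream_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Versions from the report (3.6.5-0.1 affected, 3.6.6-0.1 fixed) unless
    # given on the command line, e.g. from dpkg-query -W -f='${Version}\n'.
    for ver in sys.argv[1:] or ["3.6.5-0.1", "3.6.6-0.1"]:
        hits = affected_cves(ver)
        print(f"{ver}: {', '.join(hits) if hits else 'not in any affected range'}")
```

One caveat for anyone running this on a stable release: a Debian security update normally keeps the upstream version and only adds a Debian revision suffix, so a check on the upstream version alone over-reports on such systems. The security-tracker links in the report are the authoritative per-suite status.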
--- Begin Message ---
Source: mbedtls
Source-Version: 3.6.6-0.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated mbedtls package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 30 Apr 2026 15:38:39 +0300
Source: mbedtls
Architecture: source
Version: 3.6.6-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1132577 1133841
Changes:
mbedtls (3.6.6-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* New upstream release.
- CVE-2026-25834: Signature Algorithm Injection
- CVE-2026-25835: PSA random generator cloning
- CVE-2026-34872: FFDH: improper input validation
- CVE-2026-34873: Client impersonation resuming a TLS 1.3 session
- CVE-2026-34874: Null pointer dereference setting a distinguished name
- CVE-2026-34875: Buffer overflow in FFDH public key export
- CVE-2026-34876: CCM multipart finish tag-length validation bypass
(Closes: #1133841, #1132577)
Checksums-Sha1:
a874b9a95ac96434584f7dc5afd71143997edfd5 2456 mbedtls_3.6.6-0.1.dsc
71dd91cc76e77a0dcf0d8020377523ed7e703d8e 5508045 mbedtls_3.6.6.orig.tar.bz2
d13733695145ca25276cd740d4753a536e65085e 19060 mbedtls_3.6.6-0.1.debian.tar.xz
Checksums-Sha256:
cb5fe6f6b65667f993092eb7359b98155ceb8e67fa978afdf06256c75efe0bb4 2456 mbedtls_3.6.6-0.1.dsc
8fb65fae8dcae5840f793c0a334860a411f884cc537ea290ce1c52bb64ca007a 5508045 mbedtls_3.6.6.orig.tar.bz2
223d5b247d60c8954cd14a6c685a9fbaf68578dc19c8f7b70b29a29cc5aa48aa 19060 mbedtls_3.6.6-0.1.debian.tar.xz
Files:
30c4ca31518e43e0d230d1e58af35bb2 2456 libs optional mbedtls_3.6.6-0.1.dsc
8147a63a1ce289ebc0fb2190a5cce03f 5508045 libs optional mbedtls_3.6.6.orig.tar.bz2
2de996e1eaeafb07437fc64a3a3c8d89 19060 libs optional mbedtls_3.6.6-0.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpp9i0sOHJ0T.pgp
Description: PGP signature
--- End Message ---
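The .changes file above carries SHA-256 and MD5 sums for the three source artifacts of the 3.6.6-0.1 upload. The script below parses those two sections, cross-checks that they agree on names and sizes, and verifies whatever files are present on disk. It is an added example, not Debian tooling (dscverify from devscripts does this properly, including the signature check) and not part of the mailing list message; the parser, verify_files() and demo() are this example's own, and SAMPLE_CHANGES is constructed from the sums quoted above. The sums are only worth trusting once the .changes signature has been verified with gpg against the Debian keyring, which this example deliberately leaves to gpg.

```python
"""Parse the Checksums-Sha256 and Files sections of a Debian .changes file
and verify the listed source artifacts on disk.

Added example, not Debian tooling and not part of the mailing list message;
the parser, verify_files() and demo() are this example's own. SAMPLE_CHANGES
is constructed from the .changes quoted above. The checksums are only worth
trusting after the .changes signature has been verified (gpg --verify against
the Debian keyring), which this example does not do.
"""
import hashlib
import os
import re
import sys
import tempfile

SAMPLE_CHANGES = """\
Format: 1.8
Source: mbedtls
Version: 3.6.6-0.1
Checksums-Sha256:
 cb5fe6f6b65667f993092eb7359b98155ceb8e67fa978afdf06256c75efe0bb4 2456 mbedtls_3.6.6-0.1.dsc
 8fb65fae8dcae5840f793c0a334860a411f884cc537ea290ce1c52bb64ca007a 5508045 mbedtls_3.6.6.orig.tar.bz2
 223d5b247d60c8954cd14a6c685a9fbaf68578dc19c8f7b70b29a29cc5aa48aa 19060 mbedtls_3.6.6-0.1.debian.tar.xz
Files:
 30c4ca31518e43e0d230d1e58af35bb2 2456 libs optional mbedtls_3.6.6-0.1.dsc
 8147a63a1ce289ebc0fb2190a5cce03f 5508045 libs optional mbedtls_3.6.6.orig.tar.bz2
 2de996e1eaeafb07437fc64a3a3c8d89 19060 libs optional mbedtls_3.6.6-0.1.debian.tar.xz
"""

SHA256_LINE = re.compile(r"^\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)$")
FILES_LINE = re.compile(r"^\s+([0-9a-f]{32})\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_changes(text: str) -> dict[str, tuple[int, str]]:
    """Return {filename: (size, sha256)} from Checksums-Sha256, after
    checking that Files lists the same names with the same sizes."""
    sha, files = {}, {}
    field = None
    for line in text.splitlines():
        if not line[:1].isspace():            # new field: "Name: value"
            field = line.split(":", 1)[0]
            continue
        if field == "Checksums-Sha256" and (m := SHA256_LINE.match(line)):
            sha[m.group(3)] = (int(m.group(2)), m.group(1))
        elif field == "Files" and (m := FILES_LINE.match(line)):
            files[m.group(3)] = int(m.group(2))
    if not sha:
        raise ValueError("no Checksums-Sha256 section")
    if {n: s for n, (s, _) in sha.items()} != files:
        raise ValueError("Files and Checksums-Sha256 disagree on names or sizes")
    return sha


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries: dict[str, tuple[int, str]], directory: str) -> dict[str, str]:
    """Map each listed filename to 'ok', 'missing', 'size-mismatch' or
    'sha256-mismatch'. Size is checked first so a truncated download is
    reported as such rather than as a bad digest."""
    status = {}
    for name, (size, digest) in entries.items():
        path = os.path.join(directory, os.path.basename(name))  # no traversal from .changes
        if not os.path.isfile(path):
            status[name] = "missing"
        elif os.path.getsize(path) != size:
            status[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            status[name] = "sha256-mismatch"
        else:
            status[name] = "ok"
    return status


def demo() -> dict[str, str]:
    """Round trip in a temporary directory: one good, one tampered, one
    truncated and one missing file (all contents constructed)."""
    on_disk = {
        "good.dsc": b"Format: 3.0 (quilt)\nSource: mbedtls\n",
        "tampered.tar.xz": b"Source: mbedtls\n",
        "truncated.tar.bz2": b"abc",
    }
    claimed = dict(on_disk)
    claimed["tampered.tar.xz"] = b"Source: mbedtlz\n"   # same size, different bytes
    claimed["truncated.tar.bz2"] = b"abcdef"            # download cut short
    claimed["missing.dsc"] = b"never downloaded\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in on_disk.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lines = ["Checksums-Sha256:"]
        lines += [f" {hashlib.sha256(b).hexdigest()} {len(b)} {n}" for n, b in claimed.items()]
        lines.append("Files:")
        lines += [f" {hashlib.md5(b).hexdigest()} {len(b)} libs optional {n}" for n, b in claimed.items()]
        return verify_files(parse_changes("\n".join(lines) + "\n"), d)


if __name__ == "__main__":
    if len(sys.argv) == 2:   # path to a .changes file, artifacts expected alongside it
        with open(sys.argv[1], encoding="utf-8") as f:
            entries = parse_changes(f.read())
        for name, st in verify_files(entries, os.path.dirname(os.path.abspath(sys.argv[1]))).items():
            print(f"{st:16} {name}")
    else:
        print(demo())
```

Run with the path to a downloaded .changes to check the artifacts next to it; with no argument it runs the constructed round trip. The cross-check between the two sections is cheap insurance against a hand-edited file where only one section was updated.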