Your message dated Sat, 16 May 2026 15:35:13 +0000
with message-id <[email protected]>
and subject line Bug#1136787: fixed in rust-openssl 0.10.79-1
has caused the Debian Bug report #1136787,
regarding rust-openssl: CVE-2026-42327
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136787: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136787
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-openssl
Version: 0.10.78-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-openssl.

CVE-2026-42327[0]:
| rust-openssl provides OpenSSL bindings for the Rust programming
| language. From 0.9.7 to before 0.10.79, X509Ref::ocsp_responders
| returns OCSP responder URLs from a certificate's AIA extension as
| OpensslString, whose Deref<Target = str> wraps the raw bytes with
| str::from_utf8_unchecked. OpenSSL does not enforce that the
| underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes
| in its OCSP accessLocation causes safe Rust code to construct a &str
| that violates the UTF-8 invariant — resulting in undefined behavior.
| This vulnerability is fixed in 0.10.79.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42327
    https://www.cve.org/CVERecord?id=CVE-2026-42327
[1] https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
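
Added example (not part of the bug report, the advisory or the rust-openssl source): a checked conversion of raw IA5String bytes to `&str`, the validation step whose absence the CVE description above identifies, written with the Rust standard library only. `Ia5Error`, `ia5_to_str`, `split_responders` and the sample byte strings are hypothetical names and constructed data, and rejecting every non-ASCII byte is this example's choice.

```rust
// Added example: hypothetical names, not rust-openssl API.

/// Why a raw IA5String payload was rejected.
#[derive(Debug, PartialEq)]
pub struct Ia5Error {
    /// Offset of the first byte outside the 7-bit IA5 (ASCII) range.
    pub offset: usize,
    /// The offending byte itself.
    pub byte: u8,
}

/// Checked conversion: the bytes become a &str only after every byte is
/// confirmed to be 7-bit ASCII, which is always valid UTF-8.
pub fn ia5_to_str(raw: &[u8]) -> Result<&str, Ia5Error> {
    if let Some(offset) = raw.iter().position(|b| !b.is_ascii()) {
        return Err(Ia5Error { offset, byte: raw[offset] });
    }
    // Cannot fail after the ASCII check; the checked call keeps this free of `unsafe`.
    Ok(std::str::from_utf8(raw).expect("ASCII is valid UTF-8"))
}

/// Split a certificate's responder locations into usable URLs and rejects.
pub fn split_responders<'a>(raw: &[&'a [u8]]) -> (Vec<&'a str>, Vec<Ia5Error>) {
    let mut ok = Vec::new();
    let mut bad = Vec::new();
    for &loc in raw {
        match ia5_to_str(loc) {
            Ok(url) => ok.push(url),
            Err(e) => bad.push(e),
        }
    }
    (ok, bad)
}

fn main() {
    // Constructed sample accessLocation payloads; the second holds a lone 0xFF.
    let samples: [&[u8]; 2] = [
        b"http://ocsp.example.test/",
        b"http://ocsp.\xff.example.test/",
    ];
    let (ok, bad) = split_responders(&samples);
    println!("accepted: {:?}", ok);
    println!("rejected: {:?}", bad);
}
```
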
--- Begin Message ---
Source: rust-openssl
Source-Version: 0.10.79-1
Done: Peter Michael Green <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Michael Green <[email protected]> (supplier of updated rust-openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 May 2026 14:31:41 +0000
Source: rust-openssl
Architecture: source
Version: 0.10.79-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Peter Michael Green <[email protected]>
Closes: 1136787 1136788
Changes:
 rust-openssl (0.10.79-1) unstable; urgency=medium
 .
   * Team upload.
   * Package openssl 0.10.79 from crates.io using debcargo 2.8.2
     + New upstream fixes CVE-2026-42327 and CVE-2026-44662 (Closes: #1136787, #1136788)



--- End Message ---
