Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1dd1f902 by Salvatore Bonaccorso at 2026-06-09T20:41:05+02:00 Add new issues in openssl - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,74 @@ +CVE-2026-45446 [Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42771 [Possible Out of Bounds Read in X509_VERIFY_PARAM_set1_email()] + - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42770 [FFC-DH Peer Validation Uses Attacker-Supplied q] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42769 [Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate] + - openssl <unfixed> + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42768 [Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()] + - openssl <unfixed> + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42767 [NULL Pointer Dereference in CRMF EncryptedValue Decryption] + - openssl <unfixed> + [bookworm] - openssl <no-dsa> (Minor issue; can be fixed in next update) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42766 [Possible NULL Dereference in Password-Based CMS Decryption] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42765 [NULL Dereference in Certificate Verification with OCSP Checking] + - openssl <unfixed> + [trixie] - openssl <not-affected> (Vulnerable code not present) + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-34181 [PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys] + - openssl <unfixed> + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-34180 [Heap Buffer Over-read in ASN.1 Content Parsing] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-9076 [Out-of-Bounds Read in CMS Password-Based Decryption] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-7383 [Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-45445 [AES-OCB IV Ignored on EVP_Cipher() Path] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-42764 [NULL Pointer Dereference in QUIC Server Initial Packet Handling] + - openssl <unfixed> + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-35188 [Double-free When Checking OCSP Stapled Response] + - openssl <unfixed> + [trixie] - openssl <not-affected> (Vulnerable code not present) + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-34183 [Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler] + - openssl <unfixed> + [bookworm] - openssl <not-affected> (Vulnerable code not present) + [bullseye] - openssl <not-affected> (Vulnerable code not present) + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-34182 [CMS AuthEnvelopedData Processing May Accept Forged Messages] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt +CVE-2026-45447 [Heap Use-After-Free in the PKCS7_verify() Function] + - openssl <unfixed> + NOTE: https://openssl-library.org/news/secadv/20260609.txt CVE-2026-42488 - xen <unfixed> NOTE: https://xenbits.xen.org/xsa/advisory-494.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dd1f90278d0b7c43e6822bd45df72b18c1d5521 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dd1f90278d0b7c43e6822bd45df72b18c1d5521 You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
