Yadd wrote: > Help welcome here ;-) Ok, I did a debbisect and this is what I found:
bisection finished successfully last good timestamp: 20250917T143544Z first bad timestamp: 20250918T024011Z the following packages differ between the last good and first bad timestamp: libssl3t64:amd64 3.5.2-1 -> 3.5.3-1 libsystemd0:amd64 258~rc4-1 -> 258-1 libudev1:amd64 258~rc4-1 -> 258-1 openssl-provider-legacy 3.5.2-1 -> 3.5.3-1 Looks like the switch of src:openssl from 3.5.2-1 to 3.5.3-1 is what triggered this error. Maybe this paragraph is relevant: * Hardened the provider implementation of the RSA public key "encrypt" operation to add a missing check that the caller-indicated output buffer size is at least as large as the byte count of the RSA modulus. The issue was reported by Arash Ale Ebrahim from SYSPWN. This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that in fact provide a sufficiently large buffer, but fail to correctly indicate its size may now encounter unexpected errors. In applications that attempt RSA public encryption into a buffer that is too small, an out-of-bounds write is now avoided and an error is reported instead. My advice is to forward this upstream. Thanks. -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
