-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 05 Jul 2026 15:43:31 -0600 Source: wolfssl Binary: libwolfssl-dev libwolfssl42t64 Architecture: armel Version: 5.7.2-0.1+deb13u2 Distribution: trixie Urgency: high Maintainer: armel Build Daemon (arm-ubc-04) Changed-By: Jacob Barthelmeh Description: libwolfssl-dev - Development files for the wolfSSL encryption library libwolfssl42t64 - wolfSSL encryption library Changes: wolfssl (5.7.2-0.1+deb13u2) trixie; urgency=high . * Backport upstream security fixes. (See #1140765, #1140815) * CVE-2026-5194: require certificate signature OID to match issuer key OID. * CVE-2026-55960: validate negotiated certificate type for raw public keys. * CVE-2026-55961: reject degenerate certs-only PKCS#7 in PKCS7_verify. * CVE-2026-55962: require client cert on outstanding TLS 1.3 post- handshake auth. * CVE-2026-55967: reject AES-GCM cumulative size overflow in streaming update. * CVE-2026-6092: enforce Encrypt-then-MAC on the TLS resumption path. * CVE-2026-6094: bound encrypted content size in PKCS7 EnvelopedData. * CVE-2026-6325: bound index in SetSuitesHashSigAlgo to prevent OOB write. * CVE-2026-6329: reject PKCS#12 MAC length mismatch. * CVE-2026-6331: require exact HMAC tag length in EVP_DigestVerifyFinal. * CVE-2026-6450: reject CRLs with unrecognized critical extensions. * CVE-2026-6678: fix integer underflow in wc_PKCS7_DecryptOri. * CVE-2026-6681: respect caller output buffer size in PKCS7 decode. * CVE-2026-6731: apply DNS name constraints to Subject CN when no SAN. * CVE-2026-7511: report the verifying cert as the PKCS#7 signer. Checksums-Sha1: 293549bb39edf71e22c50907758c9a49d38a7704 1293660 libwolfssl-dev_5.7.2-0.1+deb13u2_armel.deb 7f5fa5baffb8e509533c1c0b8a5bee1a5149a32c 848236 libwolfssl42t64_5.7.2-0.1+deb13u2_armel.deb 1963e7c9d5300789ed6f4ded4126a61582937555 6099 wolfssl_5.7.2-0.1+deb13u2_armel-buildd.buildinfo Checksums-Sha256: 36c8feecd4ceaa5c7512766649d41f2a08ffea49932db2e23b4c79c3a0e770e6 1293660 libwolfssl-dev_5.7.2-0.1+deb13u2_armel.deb adf0d064729db64bd6cf041f6d86152cc1ab0f2c69bc2fd2f6e0580fa2921ff7 848236 libwolfssl42t64_5.7.2-0.1+deb13u2_armel.deb bcee690baefdb433f260721c77e2930552f9d801a29ecf6354a19d42a984d4fa 6099 wolfssl_5.7.2-0.1+deb13u2_armel-buildd.buildinfo Files: 4b2d0be8936021a3a74991ba3f4cc565 1293660 libdevel optional libwolfssl-dev_5.7.2-0.1+deb13u2_armel.deb 3bbed53fffcff04bed2591cf23135acc 848236 libs optional libwolfssl42t64_5.7.2-0.1+deb13u2_armel.deb 13794c192835e034d9732ec2f01d4b94 6099 libs optional wolfssl_5.7.2-0.1+deb13u2_armel-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECx5fXZYVNP9tMtwlK1PZBedPspoFAmpZ/Y4ACgkQK1PZBedP spoLYA//bIGDIxtiIu+DSnAjo9J65DIdyj1D4U6QdIe5jtr5dxCILbEmwXWRpqWF MKfZYqUgodfbea8+wv1zv22VcQ0S3Bwo7RMQjSCoaTRJR6jHY0xwjON6uazFJidu xdnc0HdfDct4h/telh/Usz6JH1yTIrt2moClSe3NzKs/K6lRvaF8tqIKZD4zt1uW 9Xte14FaUZTfslWFANYh2df4w6H/CQBEb0kkeFnV23nKiB2kzn5JjSGvrBcatogt bnjxv2JN0zo/sdBOtGWW1LwCyvsw3vDiBOXulD1AHyC3xO2Fph7CjOi87A2Bz6S5 DRZRXRd8YhR+ReYnwyrREhqaYo6Sop3WLJTYjNbr2E7kJjN3ZOgPMPPqgSELeO94 XoMMrWcnwM1qO5ACK4NZoYXPWuLbRkQ8+JxeVVENbZ7BaXqI9yvAU03sQiXcnOjH vNflAhgiGqixSS5DlQNar1a/WstV6XGyRi/XbAVYFjYKW/5kE6Ht7JJu2SnD/tYZ HJ38Qune++cv22RGRH6zykqnxNjg+D21q8oZi6OnNUyJ7hbzjobz6TPJ5rcjKMEo fdF+45SVAnTICWqtFK1CTmgVy//gOkzgwTPF0Z+4GVMo0R+4QsdOkOIQKBW2m39i DPv++7eipWcLBDAgv9cJgGNCh1fiQTdeNdvNHISNmgr+QTM6WLs= =ctEv -----END PGP SIGNATURE-----