-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 05 Jul 2026 15:43:31 -0600 Source: wolfssl Binary: libwolfssl-dev libwolfssl42t64 Architecture: riscv64 Version: 5.7.2-0.1+deb13u2 Distribution: trixie Urgency: high Maintainer: riscv64 Build Daemon (rv-manda-03) Changed-By: Jacob Barthelmeh Description: libwolfssl-dev - Development files for the wolfSSL encryption library libwolfssl42t64 - wolfSSL encryption library Changes: wolfssl (5.7.2-0.1+deb13u2) trixie; urgency=high . * Backport upstream security fixes. (See #1140765, #1140815) * CVE-2026-5194: require certificate signature OID to match issuer key OID. * CVE-2026-55960: validate negotiated certificate type for raw public keys. * CVE-2026-55961: reject degenerate certs-only PKCS#7 in PKCS7_verify. * CVE-2026-55962: require client cert on outstanding TLS 1.3 post- handshake auth. * CVE-2026-55967: reject AES-GCM cumulative size overflow in streaming update. * CVE-2026-6092: enforce Encrypt-then-MAC on the TLS resumption path. * CVE-2026-6094: bound encrypted content size in PKCS7 EnvelopedData. * CVE-2026-6325: bound index in SetSuitesHashSigAlgo to prevent OOB write. * CVE-2026-6329: reject PKCS#12 MAC length mismatch. * CVE-2026-6331: require exact HMAC tag length in EVP_DigestVerifyFinal. * CVE-2026-6450: reject CRLs with unrecognized critical extensions. * CVE-2026-6678: fix integer underflow in wc_PKCS7_DecryptOri. * CVE-2026-6681: respect caller output buffer size in PKCS7 decode. * CVE-2026-6731: apply DNS name constraints to Subject CN when no SAN. * CVE-2026-7511: report the verifying cert as the PKCS#7 signer. Checksums-Sha1: 9ab4bb9ed28da8d630a05391effc62d532b9acc0 2816660 libwolfssl-dev_5.7.2-0.1+deb13u2_riscv64.deb 91dc5e3a4b5b2eac9da4628fc23d9b0f644231f8 1030448 libwolfssl42t64_5.7.2-0.1+deb13u2_riscv64.deb 6026ac76863bebae035e2a2d38cd6036b0d9ee1d 6194 wolfssl_5.7.2-0.1+deb13u2_riscv64-buildd.buildinfo Checksums-Sha256: b36f8f5f734ab689f00f9d300bfb72be9679aeaed1a87c4702c3317af38dbce7 2816660 libwolfssl-dev_5.7.2-0.1+deb13u2_riscv64.deb 27c2b5665ddd8f1a7ec8b78bb450d287721d1830ae224046ebd62c6aaea79b6e 1030448 libwolfssl42t64_5.7.2-0.1+deb13u2_riscv64.deb f37fe5e1c05b79441cb8c0a20854cb94be88e79cdd479c7251b8716d2d428c30 6194 wolfssl_5.7.2-0.1+deb13u2_riscv64-buildd.buildinfo Files: d565a157059e8f3c0052b757beda8aed 2816660 libdevel optional libwolfssl-dev_5.7.2-0.1+deb13u2_riscv64.deb 9ead8f135b2e7ba2904d93af8566bc8c 1030448 libs optional libwolfssl42t64_5.7.2-0.1+deb13u2_riscv64.deb 196b75c4a9cf46adae1761492aac2506 6194 libs optional wolfssl_5.7.2-0.1+deb13u2_riscv64-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXZ9jHPkg/vETgMJZlJNduPxUf2oFAmpaEP8ACgkQlJNduPxU f2qitA/+LUjaOhpv7dOYotTl7zCYMwNzqXSKjAAeD5XclbNXeFhCgmja0/klIXMG mJNNM1k7yBu1BDueISOT8e2DyGz9qULKdNPa9DhvmUPX7H2KR1XnFXQHC+SkLJSP G6fzFlQGSSvHXmIvsw+EIUrPbIYPbtMsqplmXYsvsmedS1sjGMIXc9atyvin/bWy vsUFfH42zLTLiRjTGVvlkv9DkuBDQeJ+6OnOpKY8xrwr5KaeLbdDpN1QQQOxVzol eFhDBDFXndH/7mdLJAdJcVDHo7XiXpepC3H3HpRzZArdryAK1ydKuNS2QsFnK8Gc Br4Q3QJqpV08h+/18Ob1QmvjYOBkrGNq+YYhOVeI8EWCRAIepciDvHhafXmOWuBh kH3un5YsHoTDKhP0g8kWnElqrbIYaIRYVGvM5iGBny7tYfFCVb9ertb1Fvc2t6qj SenLNyKfCwN6O/bS4t8w3gJidCjRyggoWNkX7n7WYdagg/q9LL0BwpZUwDa2juEM GN5nMOJ2nYlR9rkAXbodLQkTSY/B6dHOB7h+jK97MXvr5bMtOIWxpf+o9w2Z5g7w 8FaA0jWpJUg2RvYIWemDXvy6kJ5mJZNYkyRM0CiDahj2Eo10AhzRoi8iZpnQjU1f uvjkftxHuXGCvKtfljip6nCySLoIPd4i63o3huXSJmhbsew15/c= =GZ/Y -----END PGP SIGNATURE-----