-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 05 Jul 2026 15:43:31 -0600 Source: wolfssl Architecture: source Version: 5.7.2-0.1+deb13u2 Distribution: trixie Urgency: high Maintainer: Jacob Barthelmeh Changed-By: Jacob Barthelmeh Changes: wolfssl (5.7.2-0.1+deb13u2) trixie; urgency=high . * Backport upstream security fixes. (See #1140765, #1140815) * CVE-2026-5194: require certificate signature OID to match issuer key OID. * CVE-2026-55960: validate negotiated certificate type for raw public keys. * CVE-2026-55961: reject degenerate certs-only PKCS#7 in PKCS7_verify. * CVE-2026-55962: require client cert on outstanding TLS 1.3 post- handshake auth. * CVE-2026-55967: reject AES-GCM cumulative size overflow in streaming update. * CVE-2026-6092: enforce Encrypt-then-MAC on the TLS resumption path. * CVE-2026-6094: bound encrypted content size in PKCS7 EnvelopedData. * CVE-2026-6325: bound index in SetSuitesHashSigAlgo to prevent OOB write. * CVE-2026-6329: reject PKCS#12 MAC length mismatch. * CVE-2026-6331: require exact HMAC tag length in EVP_DigestVerifyFinal. * CVE-2026-6450: reject CRLs with unrecognized critical extensions. * CVE-2026-6678: fix integer underflow in wc_PKCS7_DecryptOri. * CVE-2026-6681: respect caller output buffer size in PKCS7 decode. * CVE-2026-6731: apply DNS name constraints to Subject CN when no SAN. * CVE-2026-7511: report the verifying cert as the PKCS#7 signer. Checksums-Sha1: 6cfe935a7da3c0a90c2c54fcc77beadd8d540510 2040 wolfssl_5.7.2-0.1+deb13u2.dsc fda602d45b9482157c2d700abe23dad44f8535d5 44176 wolfssl_5.7.2-0.1+deb13u2.debian.tar.xz 4da75eefa59e99e661152b0ede649faf5d254186 5527 wolfssl_5.7.2-0.1+deb13u2_source.buildinfo Checksums-Sha256: b61bd9e726503a49e1d66244ff3d1aca5d15f08f489699d3f7c7b0acec72b1e8 2040 wolfssl_5.7.2-0.1+deb13u2.dsc c4c31ffaa8e05e1132cb535cc0b0cd3083e04f134883ab039154f3857d0a96d8 44176 wolfssl_5.7.2-0.1+deb13u2.debian.tar.xz 3fae64eb70b74501de3492a7823a8b3adc445864b0ec297e1284d0eb70aca789 5527 wolfssl_5.7.2-0.1+deb13u2_source.buildinfo Files: 3f84cd737ddec9fa4522c6775fd0be32 2040 libs optional wolfssl_5.7.2-0.1+deb13u2.dsc 5c88677f401510e73d034b1337b36cee 44176 libs optional wolfssl_5.7.2-0.1+deb13u2.debian.tar.xz 9644a18b7b7b7b40b6095afc8cd5843e 5527 libs optional wolfssl_5.7.2-0.1+deb13u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmpYwSwQHGJhZ2VAZGVi aWFuLm9yZwAKCRAfXHqLRVZDFOsvC/4kAa0vE2yWiuwc54tEuM0IqqZLdyWfUBSv CDhf5qEInorCigHDQMn3S+YC7MLP3TsCCWbl7PocmMfhDXiG41l/5QOHa6wy2szR C9yr73w+W4vyOuU5XfvI3ZhOu5WzED3DHcKQLtssfDtn/bY0eLQAjwkGuRM1XzDq lyzTX6cyfLtnaodBr2m8h+t8CESgqE5f1li5hkjp/gO4EYTkXR6uSadlN4ygPSuv wZPkqQXty+tCOQkhWMzVBcTr6JN5D2YcFop8ad8nucNXO9jAAyQDzrTIPxBDKNqZ zkjENnN6oC8imWWpF5JgzP87C77VqMAEd1G52Hxvy1a20AcqurDSDijc8iddOFYQ 1fPV+6pKfEMPHEVLzkpUOWp+ZroFRzQjXk+Aa9y56gg4xZxLJEk2nr773bmn0KVA SmoXcaeG7vZTETgxwC5u4voMzWMdLfngWyZYNqvlQAApX67mgQ84VYUfLQMJpCw+ fPCyWFBlaGjFsZoLBkMFyTKxjiTgIWI= =y6OJ -----END PGP SIGNATURE-----