DFSG NEW Queue

DFSG, Licensing & New Packages Team

Review: openssl 4.0.0-1

New Package Report

.changes
Version: 4.0.0-1
Changed-By: Sebastian Andrzej Siewior
Architecture: source amd64 all
Distribution: experimental
Date: Thu, 16 Apr 2026 20:31:23 +0200
Source: openssl
Changelog
openssl (4.0.0-1) experimental; urgency=medium
 .
   * Import 4.0.0
     - CVE-2026-2673 ("OpenSSL TLS 1.3 server may choose unexpected key agreement
       group") (Closes: #1130650).
     - CVE-2026-28387 ("Potential use-after-free in DANE client code")
     - CVE-2026-28389 ("Possible NULL dereference when processing CMS
       KeyAgreeRecipientInfo")
     - CVE-2026-28390 ("Possible NULL dereference when processing CMS
       KeyTransportRecipient Info")
     - CVE-2026-31789 ("Heap buffer overflow in hexadecimal conversion")
     - CVE-2026-31790 ("Incorrect failure handling in RSA KEM RSASVE
       encapsulation")
     - CVE-2026-28386 ("Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512
       Support")
     - CVE-2026-28388 ("NULL Pointer Dereference When Processing a Delta CRL")
.dsc
Priority: optional
Component: main
Package-List:
 libcrypto4-udeb udeb debian-installer optional arch=any profile=!noudeb profile:v1=!noudeb
 libssl-dev deb libdevel optional arch=any
 libssl-doc deb doc optional arch=all
 libssl4 deb libs optional arch=any
 libssl4-udeb udeb debian-installer optional arch=any profile=!noudeb profile:v1=!noudeb
 openssl deb utils optional arch=any
 openssl-provider-fips deb utils optional arch=any
 openssl-provider-legacy deb utils optional arch=any
Section: debian-installer
debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: OpenSSL
Source: https://www.openssl.org

Files: *
Copyright: 1995-2026, The OpenSSL Project Authors
License: Apache-2.0

License: Apache-2.0
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 https://www.openssl.org/source/license.html
 .
 On Debian systems, the complete text of the Apache 2.0 License
 can be found in `/usr/share/common-licenses/Apache-2.0'

Files: debian/*
Copyright: Christoph Martin, Kurt Roeckx, Sebastian Andrzej Siewior
License: Apache-2.0

Files: external/perl/Text-Template-1.56/*
Copyright: 2013, Mark Jason Dominus <mjd@cpan.org>.
License: Artistic or GPL-1+

License: Artistic
 This program is free software; you can redistribute it and/or modify
 it under the terms of the Artistic License, which comes with Perl.
 .
 On Debian systems, the complete text of the Artistic License can be
 found in `/usr/share/common-licenses/Artistic'.

License: GPL-1+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 1, or (at your option)
 any later version.
 .
 On Debian systems, the complete text of version 1 of the GNU General
 Public License can be found in `/usr/share/common-licenses/GPL-1'.

Review Information

accepted — allocated to mechtilde 13 days ago, started 13 days ago, completed 13 days ago.

Final Comment

Auto-accepted (binary NEW): Already reviewed

Other Reviews of this Package

| Version | Hash | Allocated | Completed | Reviewer | Status | Details |
|---|---|---|---|---|---|---|
| 4.0.0~beta1-1 | 2154bd94… | 2026-04-03 12:03 | 2026-04-03 12:03 | mechtilde | accepted | VIEW |
| 4.0.0~alpha1-1 | 6a741c26… | 2026-03-13 19:18 | 2026-03-13 19:30 | mechtilde | accepted | VIEW |