DFSG NEW Queue

DFSG, Licensing & New Packages Team

Review: openssl 4.0.1-1

New Package Report

.changes
Changed-By: Sebastian Andrzej Siewior
Architecture: source amd64
Distribution: experimental
Date: Sat, 13 Jun 2026 20:01:42 +0200
Source: openssl
Version: 4.0.1-1
Changelog:
openssl (4.0.1-1) experimental; urgency=medium
 .
   * Import 4.0.1
    - CVE-2026-7383 ("Possible Heap Buffer Overflow in ASN.1 Multibyte String
      Conversion")
    - CVE-2026-9076 ("Out-of-Bounds Read in CMS Password-Based Decryption")
    - CVE-2026-34180 ("Heap Buffer Over-read in ASN.1 Content Parsing")
    - CVE-2026-34181 ("PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC
      Keys")
    - CVE-2026-34182 ("CMS AuthEnvelopedData Processing May Accept Forged
      Messages")
    - CVE-2026-34183 ("Unbounded Memory Growth in the QUIC PATH_CHALLENGE
      Handler")
    - CVE-2026-35188 ("Double-free When Checking OCSP Stapled Response")
    - CVE-2026-42764 ("NULL pointer dereference in QUIC server initial packet
      handling")
    - CVE-2026-42765 ("NULL Dereference in Certificate Verification with OCSP
      Checking")
    - CVE-2026-42766 ("Possible NULL Dereference in Password-Based CMS
      Decryption")
    - CVE-2026-42767 ("NULL Pointer Dereference in CRMF EncryptedValue
      Decryption")
    - CVE-2026-42768 ("Multi-RecipientInfo Bleichenbacher Oracle in
      CMS_decrypt() and PKCS7_decrypt()")
    - CVE-2026-42769 ("Trust-Anchor Substitution via cert/issuer Typo in CMP
      rootCaKeyUpdate")
    - CVE-2026-42770 ("FFC-DH Peer Validation Uses Attacker-Supplied q")
    - CVE-2026-42771 ("Possible Out of Bounds Read in
      X509_VERIFY_PARAM_set1_email()")
    - CVE-2026-45445 ("AES-OCB IV Ignored on EVP_Cipher() Path")
    - CVE-2026-45446 ("Incorrect Tag Processing for Empty Messages in
      AES-GCM-SIV and AES-SIV modes")
    - CVE-2026-45447 ("Heap Use-After-Free in OpenSSL PKCS7_verify()")
.dsc
Component: main
Package-List:
 libcrypto4-udeb udeb debian-installer optional arch=any profile=!noudeb profile:v1=!noudeb
 libssl-dev deb libdevel optional arch=any
 libssl-doc deb doc optional arch=all
 libssl4 deb libs optional arch=any
 libssl4-udeb udeb debian-installer optional arch=any profile=!noudeb profile:v1=!noudeb
 openssl deb utils optional arch=any
 openssl-provider-fips deb utils optional arch=any
 openssl-provider-legacy deb utils optional arch=any
Section: debian-installer
Priority: optional
debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: OpenSSL
Source: https://www.openssl.org

Files: *
Copyright: 1995-2026, The OpenSSL Project Authors
License: Apache-2.0

License: Apache-2.0
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at
 https://www.openssl.org/source/license.html
 .
 On Debian systems, the complete text of the Apache 2.0 License
 can be found in `/usr/share/common-licenses/Apache-2.0'

Files: debian/*
Copyright: Christoph Martin, Kurt Roeckx, Sebastian Andrzej Siewior
License: Apache-2.0

Files: external/perl/Text-Template-1.56/*
Copyright: 2013, Mark Jason Dominus <mjd@cpan.org>.
License: Artistic or GPL-1+

License: Artistic
 This program is free software; you can redistribute it and/or modify
 it under the terms of the Artistic License, which comes with Perl.
 .
 On Debian systems, the complete text of the Artistic License can be
 found in `/usr/share/common-licenses/Artistic'.

License: GPL-1+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 1, or (at your option)
 any later version.
 .
 On Debian systems, the complete text of version 1 of the GNU General
 Public License can be found in `/usr/share/common-licenses/GPL-1'.

Review Information

accepted — allocated to mechtilde 4 hours ago, started 4 hours ago, completed 4 hours ago.

Final Comment

Auto-accepted (binary NEW): Already reviewed

Other Reviews of this Package

Version         Hash       Allocated         Completed         Reviewer   Status
4.0.0-1         b002fcb4…  2026-04-17 07:03  2026-04-17 07:03  mechtilde  accepted
4.0.0~beta1-1   2154bd94…  2026-04-03 12:03  2026-04-03 12:03  mechtilde  accepted
4.0.0~alpha1-1  6a741c26…  2026-03-13 19:18  2026-03-13 19:30  mechtilde  accepted
