On Sat, Jan 03, 2026 at 12:24:04AM +0200, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: mbedtls@packages.debian.org, security@debian.org
> Control: affects -1 + src:mbedtls
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
>   * New upstream release.
>     - CVE-2025-54764: Side channel in RSA key generation and operations
>       (Closes: #1118750)
>     - CVE-2025-59438: Padding oracle through timing of cipher error reporting
>       (Closes: #1118752)
>
> This is ~deb13u1 of the package that I've NMUed in sid by updating
> to a new upstream version. Despite how the diffstat looks, this is a
> release on an LTS branch with few other changes:
> https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.5
>
> 3.6.5-0.1 is in sid since mid-November, without any regressions
> in autopkgtests during migration or reported in the BTS.
>
> As agreed with the security team, I am submitting this to pu
> instead of a DSA.
>...

Retrying sending to debian-release, with compressed debdiff.

cu
Adrian
Attachment:
debdiff-mbedtls_3.6.5-0.1~deb13u1.xz
Description: application/xz