Your message dated Sat, 03 Jan 2026 00:41:11 +0000
with message-id <[email protected]>
and subject line Bug#1124557: fixed in libtpms 0.10.2-1
has caused the Debian Bug report #1124557,
regarding libtpms: CVE-2026-21444: Return of wrong initialization vector when 
certain symmetric ciphers are used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libtpms
Version: 0.10.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/stefanberger/libtpms/issues/541
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libtpms.

CVE-2026-21444[0]:
| libtpms, a library that provides software emulation of a Trusted
| Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The
| commonly used integration of libtpms with OpenSSL 3.x contained a
| vulnerability related to the returned IV (initialization vector)
| when certain symmetric ciphers were used. Instead of returning the
| last IV it returned the initial IV to the caller, thus weakening the
| subsequent encryption and decryption steps. The highest threat from
| this vulnerability is to data confidentiality. Version 0.10.2 fixes
| the issue. No known workarounds are available.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21444
    https://www.cve.org/CVERecord?id=CVE-2026-21444
[1] https://github.com/stefanberger/libtpms/issues/541
[2] https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libtpms
Source-Version: 0.10.2-1
Done: Luca Boccassi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libtpms, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <[email protected]> (supplier of updated libtpms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Jan 2026 00:39:07 +0100
Source: libtpms
Architecture: source
Version: 0.10.2-1
Distribution: unstable
Urgency: medium
Maintainer: Luca Boccassi <[email protected]>
Changed-By: Luca Boccassi <[email protected]>
Closes: 1124557
Changes:
 libtpms (0.10.2-1) unstable; urgency=medium
 .
   * New upstream version 0.10.2 (Closes: #1124557) (CVE-2026-21444)
   * Drop priority from d/control, now defaults to optional
   * Bump Standards-version to 4.7.3

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
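
The CVE-2026-21444 description quoted in the first message turns on an IV that a cipher call hands back so the caller can chain the next call. The C sketch below is an added example, not code from libtpms or from the messages above: it shows the regression check (chained calls must match one-shot encryption) and the confidentiality symptom when the initial IV is returned instead. CFB mode, the toy block function and all function names are assumptions, since the page says only "certain symmetric ciphers".

```c
/* Added illustration, not libtpms code; toy_block() is an insecure stand-in. */
#include <stdint.h>
#include <string.h>
#define BLK 16

/* Per-byte bijection (odd multiplier): distinct inputs give distinct outputs. */
static void toy_block(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((in[i] ^ key[i]) * 167u + 13u);
}

/* CFB (assumed mode) over whole blocks; iv is in/out so calls can be chained.
 * flawed=1 leaves the caller holding the initial IV instead of the last one. */
static void cfb_encrypt(const uint8_t *key, uint8_t *iv, const uint8_t *pt,
                        size_t len, uint8_t *ct, int flawed) {
    uint8_t fb[BLK], ks[BLK];
    memcpy(fb, iv, BLK);
    for (size_t off = 0; off + BLK <= len; off += BLK) {
        toy_block(key, fb, ks);
        for (int i = 0; i < BLK; i++) ct[off + i] = pt[off + i] ^ ks[i];
        memcpy(fb, ct + off, BLK);    /* next feedback = this ciphertext block */
    }
    if (!flawed) memcpy(iv, fb, BLK); /* correct: hand back the last IV */
}

/* Encrypt two identical 16-byte blocks in `calls` (1 or 2) chained calls. */
static void run(int calls, int flawed, uint8_t *ct) {
    uint8_t key[BLK], iv[BLK], pt[2 * BLK];   /* constructed sample values */
    size_t step = 2 * BLK / (size_t)calls;
    for (int i = 0; i < BLK; i++) { key[i] = (uint8_t)(0x10 + i); iv[i] = (uint8_t)i; }
    memset(pt, 'A', sizeof pt);
    for (int c = 0; c < calls; c++)
        cfb_encrypt(key, iv, pt + c * step, step, ct + c * step, flawed);
}

/* Regression check: chained calls must reproduce the one-shot ciphertext. */
int chunked_matches_oneshot(int flawed) {
    uint8_t a[2 * BLK], b[2 * BLK];
    run(1, 0, a); run(2, flawed, b);
    return memcmp(a, b, sizeof a) == 0;
}
/* Symptom of the flaw: equal plaintext blocks give equal ciphertext blocks. */
int equal_blocks_visible(int flawed) {
    uint8_t ct[2 * BLK];
    run(2, flawed, ct);
    return memcmp(ct, ct + BLK, BLK) == 0;
}
int main(void) {   /* exit 0 iff the corrected path passes both checks */
    return !chunked_matches_oneshot(0) || equal_blocks_visible(0);
}
```

The same chained-versus-one-shot comparison, run against the real cipher wrapper, is a cheap test for telling an affected build from a fixed one.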
