Your message dated Sat, 03 Jan 2026 12:02:23 +0000
with message-id <[email protected]>
and subject line Bug#1118752: fixed in mbedtls 3.6.5-0.1~deb13u1
has caused the Debian Bug report #1118752,
regarding mbedtls: CVE-2025-59438
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118752
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 3.6.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for mbedtls.

CVE-2025-59438[0]:
| Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59438
    https://www.cve.org/CVERecord?id=CVE-2025-59438
[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 3.6.5-0.1~deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Jan 2026 23:05:58 +0200
Source: mbedtls
Architecture: source
Version: 3.6.5-0.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian IoT Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1118750 1118752
Changes:
 mbedtls (3.6.5-0.1~deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie.
 .
 mbedtls (3.6.5-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-54764: Side channel in RSA key generation and operations
       (Closes: #1118750)
     - CVE-2025-59438: Padding oracle through timing of cipher error reporting
       (Closes: #1118752)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
