#1137236 trixie-pu: package mbedtls/3.6.6-0.1~deb13u1

#1137236#5
Date:
2026-05-21 12:58:45 UTC
  * New upstream release.
    - CVE-2026-25834: Signature Algorithm Injection
    - CVE-2026-25835: PSA random generator cloning
    - CVE-2026-34872: FFDH: improper input validation
    - CVE-2026-34873: Client impersonation resuming a TLS 1.3 session
    - CVE-2026-34874: Null pointer dereference setting a distinguished name
    - CVE-2026-34875: Buffer overflow in FFDH public key export
    - CVE-2026-34876: CCM multipart finish tag-length validation bypass
    (Closes: #1133841, #1132577)

This is ~deb13u1 of the package that I've NMUed in sid by updating
to a new upstream version. Similar to the previous update (#1124567),
this is a release on an LTS branch with few other changes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Backporting only the CVE fixes to 3.6.5 should be possible if 3.6.6
is not wanted; backporting fixes for all unfixed CVEs to the bookworm
version is outside my skill set.

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.