Version in base suite: 3.2.7+dfsg-1+deb13u1 Base version: freeradius_3.2.7+dfsg-1+deb13u1 Target version: freeradius_3.2.7+dfsg-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/freeradius/freeradius_3.2.7+dfsg-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/freeradius/freeradius_3.2.7+dfsg-1+deb13u2.dsc changelog | 11 ++ gbp.conf | 2 patches/series | 1 patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch | 63 +++++++++++++++++ salsa-ci.yml | 2 5 files changed, 78 insertions(+), 1 deletion(-)
diff -Nru freeradius-3.2.7+dfsg/debian/changelog freeradius-3.2.7+dfsg/debian/changelog
--- freeradius-3.2.7+dfsg/debian/changelog 2025-10-01 17:36:38.000000000 +0000
+++ freeradius-3.2.7+dfsg/debian/changelog 2025-12-06 20:56:45.000000000 +0000
@@ -1,3 +1,14 @@
+freeradius (3.2.7+dfsg-1+deb13u2) trixie; urgency=medium
+
+ [ Didier Raboud ]
+ * Backport patch to fix segfaults on TLS connections with more than one
+ intermediate certificate (Closes: #1120927)
+
+ [ Bernhard Schmidt ]
+ * Add d/gbp.conf for Trixie branch
+
+ -- Bernhard Schmidt Sat, 06 Dec 2025 21:56:45 +0100
+
 freeradius (3.2.7+dfsg-1+deb13u1) trixie; urgency=medium
 * Non-maintainer upload.
diff -Nru freeradius-3.2.7+dfsg/debian/gbp.conf freeradius-3.2.7+dfsg/debian/gbp.conf
--- freeradius-3.2.7+dfsg/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
+++ freeradius-3.2.7+dfsg/debian/gbp.conf 2025-12-06 20:56:45.000000000 +0000
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/trixie
diff -Nru freeradius-3.2.7+dfsg/debian/patches/series freeradius-3.2.7+dfsg/debian/patches/series
--- freeradius-3.2.7+dfsg/debian/patches/series 2025-10-01 17:31:39.000000000 +0000
+++ freeradius-3.2.7+dfsg/debian/patches/series 2025-12-06 20:56:45.000000000 +0000
@@ -6,3 +6,4 @@
 dont-install-tests.diff
 snakeoil-certs.diff
 fips.patch
+wrap-crl_dp-checks-in-if-certs--lookup-=.patch
diff -Nru freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch
--- freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch 1970-01-01 00:00:00.000000000 +0000
+++ freeradius-3.2.7+dfsg/debian/patches/wrap-crl_dp-checks-in-if-certs--lookup-=.patch 2025-12-06 20:56:45.000000000 +0000
@@ -0,0 +1,63 @@
+From: Alan T. DeKok
+Date: Wed, 12 Feb 2025 07:03:13 -0500
+X-Dgit-Generated: 3.2.7+dfsg-1+deb13u1+OdyX0 05125f178649b7af17a1dc81642b91c937f4d93a
+Subject: wrap crl_dp checks in if (certs && (lookup <= 1). Fixes #5515
+
+
+---
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 2e97940..2821b93 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3077,30 +3077,33 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ /*
+ * Get the Certificate Distribution points
+ */
+- crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+- if (crl_dp) {
+- DIST_POINT *dp;
+- const char *url_ptr;
++ if (certs && (lookup <= 1)) {
++ crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+
+- for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+- size_t len;
+- char cdp[1024];
++ if (crl_dp) {
++ DIST_POINT *dp;
++ const char *url_ptr;
+
+- dp = sk_DIST_POINT_value(crl_dp, i);
+- if (!dp) continue;
++ for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
++ size_t len;
++ char cdp[1024];
+
+- url_ptr = get_cdp_url(dp);
+- if (!url_ptr) continue;
++ dp = sk_DIST_POINT_value(crl_dp, i);
++ if (!dp) continue;
+
+- len = strlen(url_ptr);
+- if (len >= sizeof(cdp)) continue;
++ url_ptr = get_cdp_url(dp);
++ if (!url_ptr) continue;
+
+- memcpy(cdp, url_ptr, len + 1);
++ len = strlen(url_ptr);
++ if (len >= sizeof(cdp)) continue;
+
+- vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+- rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++ memcpy(cdp, url_ptr, len + 1);
++
++ vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
++ rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
++ }
++ sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ }
+- sk_DIST_POINT_pop_free(crl_dp, DIST_POINT_free);
+ }
+
+ /*
diff -Nru freeradius-3.2.7+dfsg/debian/salsa-ci.yml freeradius-3.2.7+dfsg/debian/salsa-ci.yml
--- freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-02-10
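Review bot: The new guard `if (certs && (lookup <= 1))` in the src/main/tls.c hunk has no comment explaining why 1 is the limit, although it appears to be the only check keeping `cert_attr_names[FR_TLS_CDP][lookup]` inside the table. The declaration of cert_attr_names is outside this hunk, so the limit is presumably the size of its second dimension; a comment above the `if` such as `/* cert_attr_names[][] only has names for lookup 0 and 1; skip CDP extraction for deeper chain certificates */` would record that. Deriving the bound from the array size instead of a bare literal would keep the two from drifting apart. The changelog ties the crash to TLS connections with more than one intermediate certificate, so `lookup` appears to follow a chain supplied by the peer, and a regression test with two or more intermediates is worth adding alongside the patch. cbtls_verify begins and ends outside the hunk.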
21:50:22.000000000 +0000 +++ freeradius-3.2.7+dfsg/debian/salsa-ci.yml 2025-12-06 20:56:45.000000000 +0000 @@ -3,7 +3,7 @@ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml variables: - RELEASE: 'unstable' + RELEASE: 'trixie' # mark currently failing tests as allowed to fail blhc: