Version in base suite: 1.4.0-4 Base version: rust-ntp-proto_1.4.0-4 Target version: rust-ntp-proto_1.4.0-4+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rust-ntp-proto/rust-ntp-proto_1.4.0-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rust-ntp-proto/rust-ntp-proto_1.4.0-4+deb13u1.dsc changelog | 7 +++++++ patches/CVE-2026-26076.patch | 43 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 51 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4_600dry/rust-ntp-proto_1.4.0-4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4_600dry/rust-ntp-proto_1.4.0-4+deb13u1.dsc: no acceptable signature found
diff -Nru rust-ntp-proto-1.4.0/debian/changelog rust-ntp-proto-1.4.0/debian/changelog
--- rust-ntp-proto-1.4.0/debian/changelog 2025-03-08 15:38:51.000000000 +0000
+++ rust-ntp-proto-1.4.0/debian/changelog 2026-02-14 18:39:13.000000000 +0000
@@ -1,3 +1,10 @@
+rust-ntp-proto (1.4.0-4+deb13u1) trixie; urgency=high
+
+ * Fix CVE-2026-26076 - increased load while processing malformed NTS packets
+ (Closes: #1127929)
+
+ -- Fabian Grünbichler Sat, 14 Feb 2026 19:39:13 +0100
+
 rust-ntp-proto (1.4.0-4) unstable; urgency=medium
 
 * Team upload.
diff -Nru rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch
--- rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 1970-01-01 00:00:00.000000000 +0000
+++ rust-ntp-proto-1.4.0/debian/patches/CVE-2026-26076.patch 2026-02-14 18:39:13.000000000 +0000
@@ -0,0 +1,43 @@
+From fa73af14d17b666b1142b9fee3ba22c18a841d24 Mon Sep 17 00:00:00 2001
+From: David Venhoek
+Date: Thu, 12 Feb 2026 09:40:04 +0100
+Subject: [PATCH] Fix excessive generation of cookies.
+
+---
+ ntp-proto/src/packet/mod.rs | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/src/packet/mod.rs
++++ b/src/packet/mod.rs
+@@ -4,6 +4,7 @@
+ use serde::{Deserialize, Serialize};
+
+ use crate::{
++ MAX_COOKIES,
+ clock::NtpClock,
+ identifiers::ReferenceId,
+ io::NonBlockingWrite,
+@@ -718,6 +719,7 @@
+ })
+ }
+
++ #[allow(clippy::too_many_lines)]
+ pub fn nts_timestamp_response(
+ system: &SystemSnapshot,
+ input: Self,
+@@ -741,6 +743,7 @@
+ .authenticated
+ .iter()
+ .chain(input.efdata.encrypted.iter())
++ .take(MAX_COOKIES)
+ .filter_map(|f| match f {
+ ExtensionField::NtsCookiePlaceholder { cookie_length } => {
+ let new_cookie = keyset.encode_cookie(cookie);
+@@ -786,6 +789,7 @@
+ .authenticated
+ .iter()
+ .chain(input.efdata.encrypted.iter())
++ .take(MAX_COOKIES)
+ .filter_map(|f| match f {
+ ExtensionField::NtsCookiePlaceholder { cookie_length } => {
+ let new_cookie = keyset.encode_cookie(cookie);
diff -Nru rust-ntp-proto-1.4.0/debian/patches/series rust-ntp-proto-1.4.0/debian/patches/series
--- rust-ntp-proto-1.4.0/debian/patches/series 2025-03-08 15:38:51.000000000 +0000
+++ rust-ntp-proto-1.4.0/debian/patches/series 2026-02-14 18:38:22.000000000 +0000
@@ -2,3 +2,4 @@
 relax-serde-test.diff
 rustls-native-certs-0.6.diff
 disable-other-rustls.diff
+CVE-2026-26076.patch
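Review bot: Both added `.take(MAX_COOKIES)` calls (inner hunks `@@ -741,6 +743,7 @@` and `@@ -786,6 +789,7 @@` of the new CVE-2026-26076.patch) sit before `filter_map`, so they cap the number of extension fields inspected, not the number of cookies produced, and nothing in the code records that this is intentional. If the closure can still return `None` after calling `keyset.encode_cookie` (its body continues outside the hunk), that ordering is what bounds the per-request work, so I would pin it with a comment above each call such as `// Cap before filter_map: bounds encode_cookie calls per request, not only the cookies returned.` The side effect is that placeholders placed after the first `MAX_COOKIES` fields of a well-formed request are ignored; the value of `MAX_COOKIES` is not visible here, so it is worth confirming that a normal NTS request still receives its full set of cookies. A regression test that feeds a request with more than `MAX_COOKIES` placeholders and asserts the response cookie count would keep a later refactor from moving the cap.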