[ptxdist] [PATCH] openssl: Version bump. 3.5.4 -> 3.5.5

mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed

* [ptxdist] [PATCH] openssl: Version bump. 3.5.4 -> 3.5.5
@ 2026-02-01 19:21 Christian Melki
  2026-02-13 10:02 ` [ptxdist] [APPLIED] " Michael Olbrich
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Melki @ 2026-02-01 19:21 UTC (permalink / raw)
  To: ptxdist

Security bump.
https://github.com/openssl/openssl/releases/tag/openssl-3.5.5

Plugs CVEs:
CVE-2025-11187: Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
CVE-2025-15467: Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
CVE-2025-15468: Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
CVE-2025-15469: Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
CVE-2025-66199: Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
CVE-2025-68160: Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
CVE-2025-69418: Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls.
CVE-2025-69419: Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
CVE-2025-69420: Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
CVE-2025-69421: Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
CVE-2026-22795: Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
CVE-2026-22796: Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function.

* Forward patchset, adjusted offsets, applies cleanly.

Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
 .../0001-debian-targets.patch                             | 2 +-
 patches/{openssl-3.5.4 => openssl-3.5.5}/0002-pic.patch   | 0
 ...igure-allow-to-enable-ktls-if-target-does-not-st.patch | 0
 ...0004-conf-Serialize-allocation-free-of-ssl_names.patch | 8 ++++----
 patches/{openssl-3.5.4 => openssl-3.5.5}/series           | 2 +-
 rules/openssl.make                                        | 4 ++--
 6 files changed, 8 insertions(+), 8 deletions(-)
 rename patches/{openssl-3.5.4 => openssl-3.5.5}/0001-debian-targets.patch (99%)
 rename patches/{openssl-3.5.4 => openssl-3.5.5}/0002-pic.patch (100%)
 rename patches/{openssl-3.5.4 => openssl-3.5.5}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch (100%)
 rename patches/{openssl-3.5.4 => openssl-3.5.5}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (94%)
 rename patches/{openssl-3.5.4 => openssl-3.5.5}/series (82%)

diff --git a/patches/openssl-3.5.4/0001-debian-targets.patch b/patches/openssl-3.5.5/0001-debian-targets.patch
similarity index 99%
rename from patches/openssl-3.5.4/0001-debian-targets.patch
rename to patches/openssl-3.5.5/0001-debian-targets.patch
index 8b3a60e4d..ad7bfa4af 100644
--- a/patches/openssl-3.5.4/0001-debian-targets.patch
+++ b/patches/openssl-3.5.5/0001-debian-targets.patch
@@ -6,7 +6,7 @@ Imported from openssl_3.5.2-1.debian.tar.xz
 
 Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
 ---
- Configurations/20-debian.conf | 163 ++++++++++++++++++++++++++++++++++
+ Configurations/20-debian.conf | 163 ++++++++++++++++++++++++++++++++++++++++++
  1 file changed, 163 insertions(+)
  create mode 100644 Configurations/20-debian.conf
 
diff --git a/patches/openssl-3.5.4/0002-pic.patch b/patches/openssl-3.5.5/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.5.4/0002-pic.patch
rename to patches/openssl-3.5.5/0002-pic.patch
diff --git a/patches/openssl-3.5.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.5.5/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 100%
rename from patches/openssl-3.5.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.5.5/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
diff --git a/patches/openssl-3.5.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.5.5/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 94%
rename from patches/openssl-3.5.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.5.5/0004-conf-Serialize-allocation-free-of-ssl_names.patch
index 870bc1305..eb39b4458 100644
--- a/patches/openssl-3.5.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
+++ b/patches/openssl-3.5.5/0004-conf-Serialize-allocation-free-of-ssl_names.patch
@@ -19,7 +19,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  1 file changed, 32 insertions(+), 3 deletions(-)
 
 diff --git a/crypto/conf/conf_ssl.c b/crypto/conf/conf_ssl.c
-index 84c5b2afe581..d6596e60c3b5 100644
+index c8796715c00e..2e152a1c0c2c 100644
 --- a/crypto/conf/conf_ssl.c
 +++ b/crypto/conf/conf_ssl.c
 @@ -12,6 +12,7 @@
@@ -85,7 +85,7 @@ index 84c5b2afe581..d6596e60c3b5 100644
      ssl_conf_section = CONF_imodule_get_value(md);
      cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
      if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
-@@ -77,7 +105,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
+@@ -76,7 +104,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
          goto err;
      }
      cnt = sk_CONF_VALUE_num(cmd_lists);
@@ -94,9 +94,9 @@ index 84c5b2afe581..d6596e60c3b5 100644
      ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
      if (ssl_names == NULL)
          goto err;
-@@ -126,7 +154,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
+@@ -123,7 +151,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
      rv = 1;
-  err:
+ err:
      if (rv == 0)
 -        ssl_module_free(md);
 +        ssl_module_free_unlocked(md);
diff --git a/patches/openssl-3.5.4/series b/patches/openssl-3.5.5/series
similarity index 82%
rename from patches/openssl-3.5.4/series
rename to patches/openssl-3.5.5/series
index d9889f0bb..43d793018 100644
--- a/patches/openssl-3.5.4/series
+++ b/patches/openssl-3.5.5/series
@@ -6,4 +6,4 @@
 0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
 0004-conf-Serialize-allocation-free-of-ssl_names.patch
 #tag:upstream --start-number 100
-# ab24a399a1a602376760e385c08ab320  - git-ptx-patches magic
+# 737c785d3b0f99ce20c6c5dd18240f8a  - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index 239a2436e..988ff36e6 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION		:= 3.5.4
-OPENSSL_MD5		:= 570a7ab371147b6ba72c6d0fed93131f
+OPENSSL_VERSION		:= 3.5.5
+OPENSSL_MD5		:= 9c86d929c3d1067e2c88239d7d1ce81b
 OPENSSL			:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX		:= tar.gz
 OPENSSL_URL		:= \
-- 
2.43.0




^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [ptxdist] [APPLIED] openssl: Version bump. 3.5.4 -> 3.5.5
  2026-02-01 19:21 [ptxdist] [PATCH] openssl: Version bump. 3.5.4 -> 3.5.5 Christian Melki
@ 2026-02-13 10:02 ` Michael Olbrich
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Olbrich @ 2026-02-13 10:02 UTC (permalink / raw)
  To: ptxdist; +Cc: Christian Melki

Thanks, applied as 80bf2ab774e199ad9569d35418d01a619f65e6c8.

Michael

[sent from post-receive hook]

On Fri, 13 Feb 2026 11:02:56 +0100, Christian Melki <christian.melki@t2data.com> wrote:
> Security bump.
> https://github.com/openssl/openssl/releases/tag/openssl-3.5.5
> 
> Plugs CVEs:
> CVE-2025-11187: Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
> CVE-2025-15467: Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
> CVE-2025-15468: Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
> CVE-2025-15469: Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
> CVE-2025-66199: Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
> CVE-2025-68160: Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
> CVE-2025-69418: Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls.
> CVE-2025-69419: Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
> CVE-2025-69420: Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
> CVE-2025-69421: Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
> CVE-2026-22795: Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
> CVE-2026-22796: Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function.
> 
> * Forward patchset, adjusted offsets, applies cleanly.
> 
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> Message-Id: <20260201192143.3583956-1-christian.melki@t2data.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/openssl-3.5.4/0001-debian-targets.patch b/patches/openssl-3.5.5/0001-debian-targets.patch
> similarity index 99%
> rename from patches/openssl-3.5.4/0001-debian-targets.patch
> rename to patches/openssl-3.5.5/0001-debian-targets.patch
> index 8b3a60e4de2d..ad7bfa4af669 100644
> --- a/patches/openssl-3.5.4/0001-debian-targets.patch
> +++ b/patches/openssl-3.5.5/0001-debian-targets.patch
> @@ -6,7 +6,7 @@ Imported from openssl_3.5.2-1.debian.tar.xz
>  
>  Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>  ---
> - Configurations/20-debian.conf | 163 ++++++++++++++++++++++++++++++++++
> + Configurations/20-debian.conf | 163 ++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 163 insertions(+)
>   create mode 100644 Configurations/20-debian.conf
>  
> diff --git a/patches/openssl-3.5.4/0002-pic.patch b/patches/openssl-3.5.5/0002-pic.patch
> similarity index 100%
> rename from patches/openssl-3.5.4/0002-pic.patch
> rename to patches/openssl-3.5.5/0002-pic.patch
> diff --git a/patches/openssl-3.5.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.5.5/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> similarity index 100%
> rename from patches/openssl-3.5.4/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> rename to patches/openssl-3.5.5/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> diff --git a/patches/openssl-3.5.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.5.5/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> similarity index 94%
> rename from patches/openssl-3.5.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> rename to patches/openssl-3.5.5/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> index 870bc13057af..eb39b4458b72 100644
> --- a/patches/openssl-3.5.4/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> +++ b/patches/openssl-3.5.5/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> @@ -19,7 +19,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   1 file changed, 32 insertions(+), 3 deletions(-)
>  
>  diff --git a/crypto/conf/conf_ssl.c b/crypto/conf/conf_ssl.c
> -index 84c5b2afe581..d6596e60c3b5 100644
> +index c8796715c00e..2e152a1c0c2c 100644
>  --- a/crypto/conf/conf_ssl.c
>  +++ b/crypto/conf/conf_ssl.c
>  @@ -12,6 +12,7 @@
> @@ -85,7 +85,7 @@ index 84c5b2afe581..d6596e60c3b5 100644
>       ssl_conf_section = CONF_imodule_get_value(md);
>       cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
>       if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
> -@@ -77,7 +105,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
> +@@ -76,7 +104,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
>           goto err;
>       }
>       cnt = sk_CONF_VALUE_num(cmd_lists);
> @@ -94,9 +94,9 @@ index 84c5b2afe581..d6596e60c3b5 100644
>       ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
>       if (ssl_names == NULL)
>           goto err;
> -@@ -126,7 +154,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
> +@@ -123,7 +151,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
>       rv = 1;
> -  err:
> + err:
>       if (rv == 0)
>  -        ssl_module_free(md);
>  +        ssl_module_free_unlocked(md);
> diff --git a/patches/openssl-3.5.4/series b/patches/openssl-3.5.5/series
> similarity index 82%
> rename from patches/openssl-3.5.4/series
> rename to patches/openssl-3.5.5/series
> index d9889f0bb825..43d793018a2e 100644
> --- a/patches/openssl-3.5.4/series
> +++ b/patches/openssl-3.5.5/series
> @@ -6,4 +6,4 @@
>  0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
>  0004-conf-Serialize-allocation-free-of-ssl_names.patch
>  #tag:upstream --start-number 100
> -# ab24a399a1a602376760e385c08ab320  - git-ptx-patches magic
> +# 737c785d3b0f99ce20c6c5dd18240f8a  - git-ptx-patches magic
> diff --git a/rules/openssl.make b/rules/openssl.make
> index 239a2436ec60..988ff36e6188 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
>  #
>  # Paths and names
>  #
> -OPENSSL_VERSION		:= 3.5.4
> -OPENSSL_MD5		:= 570a7ab371147b6ba72c6d0fed93131f
> +OPENSSL_VERSION		:= 3.5.5
> +OPENSSL_MD5		:= 9c86d929c3d1067e2c88239d7d1ce81b
>  OPENSSL			:= openssl-$(OPENSSL_VERSION)
>  OPENSSL_SUFFIX		:= tar.gz
>  OPENSSL_URL		:= \



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-02-13 10:03 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-02-01 19:21 [ptxdist] [PATCH] openssl: Version bump. 3.5.4 -> 3.5.5 Christian Melki
2026-02-13 10:02 ` [ptxdist] [APPLIED] " Michael Olbrich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox