[ptxdist] [PATCH] openssl: version bump 3.5.6 -> 3.5.7

[Alexander Dahl via ptxdist <ptxdist@pengutronix.de>]

Security update.  Forward patchset, minor line relocations.

 CVEs fixed in 3.5.7:

    CVE-2026-45447 — Heap Use-After-Free in the PKCS7_verify() Function
    CVE-2026-34182 — CMS AuthEnvelopedData Processing May Accept Forged Messages
    CVE-2026-34183 — Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
    CVE-2026-42764 — NULL Pointer Dereference in QUIC Server Initial Packet Handling
    CVE-2026-45445 — AES-OCB IV Ignored on EVP_Cipher() Path
    CVE-2026-7383 — Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion
    CVE-2026-9076 — Out-of-Bounds Read in CMS Password-Based Decryption
    CVE-2026-34180 — Heap Buffer Over-read in ASN.1 Content Parsing
    CVE-2026-34181 — PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
    CVE-2026-42766 — Possible NULL Dereference in Password-Based CMS Decryption
    CVE-2026-42767 — NULL Pointer Dereference in CRMF EncryptedValue Decryption
    CVE-2026-42768 — Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
    CVE-2026-42769 — Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
    CVE-2026-42770 — FFC-DH Peer Validation Uses Attacker-Supplied q
    CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes

Link: https://openssl-library.org/news/openssl-3.5-notes/
Link: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
Link: https://groups.google.com/a/openssl.org/g/openssl-announce/c/YscHCN2QSi0
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 .../0001-debian-targets.patch                             | 0
 patches/{openssl-3.5.6 => openssl-3.5.7}/0002-pic.patch   | 0
 ...igure-allow-to-enable-ktls-if-target-does-not-st.patch | 8 ++++----
 ...0004-conf-Serialize-allocation-free-of-ssl_names.patch | 0
 patches/{openssl-3.5.6 => openssl-3.5.7}/series           | 0
 rules/openssl.make                                        | 4 ++--
 6 files changed, 6 insertions(+), 6 deletions(-)
 rename patches/{openssl-3.5.6 => openssl-3.5.7}/0001-debian-targets.patch (100%)
 rename patches/{openssl-3.5.6 => openssl-3.5.7}/0002-pic.patch (100%)
 rename patches/{openssl-3.5.6 => openssl-3.5.7}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch (92%)
 rename patches/{openssl-3.5.6 => openssl-3.5.7}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%)
 rename patches/{openssl-3.5.6 => openssl-3.5.7}/series (100%)

diff --git a/patches/openssl-3.5.6/0001-debian-targets.patch b/patches/openssl-3.5.7/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.5.6/0001-debian-targets.patch
rename to patches/openssl-3.5.7/0001-debian-targets.patch
diff --git a/patches/openssl-3.5.6/0002-pic.patch b/patches/openssl-3.5.7/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.5.6/0002-pic.patch
rename to patches/openssl-3.5.7/0002-pic.patch
diff --git a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 92%
rename from patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index bf5b10a4e..4ed616e24 100644
--- a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index cba57b41273f..7fa3eeae412f 100644
+index 692eccbfa1dc..225b1ea7032f 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
-@@ -693,7 +693,7 @@ my %targets = (
+@@ -694,7 +694,7 @@ my %targets = (
          shared_target    => "linux-shared",
          shared_cflag     => "-fPIC",
          shared_ldflag    => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
@@ -41,10 +41,10 @@ index cba57b41273f..7fa3eeae412f 100644
      "linux-latomic" => {
          inherit_from     => [ "linux-generic32" ],
 diff --git a/Configure b/Configure
-index 499585438a16..98c0bcb92a79 100755
+index 1b020faadb01..e8321ba49219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1836,7 +1836,7 @@ unless ($disabled{devcryptoeng}) {
+@@ -1841,7 +1841,7 @@ unless ($disabled{devcryptoeng}) {
  unless ($disabled{ktls}) {
      $config{ktls}="";
      my $cc = $config{CROSS_COMPILE}.$config{CC};
diff --git a/patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.5.6/series b/patches/openssl-3.5.7/series
similarity index 100%
rename from patches/openssl-3.5.6/series
rename to patches/openssl-3.5.7/series
diff --git a/rules/openssl.make b/rules/openssl.make
index d50b67658..fb8355dbd 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION		:= 3.5.6
-OPENSSL_SHA256		:= deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736
+OPENSSL_VERSION		:= 3.5.7
+OPENSSL_SHA256		:= a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8
 OPENSSL			:= openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX		:= tar.gz
 OPENSSL_URL		:= \

base-commit: 3d185e7c01807e7a2f58a89fe811ed572d267099
-- 
2.47.3