From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Thu, 11 Jun 2026 14:02:00 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wXe6i-004gx9-0e for lore@lore.pengutronix.de; Thu, 11 Jun 2026 14:02:00 +0200 Received: from [127.0.0.1] (helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wXe6i-0005Gq-2u; Thu, 11 Jun 2026 14:02:00 +0200 Received: from mail.thorsis.com ([217.92.40.78]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wXe6O-0005GM-Um for ptxdist@pengutronix.de; Thu, 11 Jun 2026 14:01:41 +0200 Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 9EEEE14890C8 for ; Thu, 11 Jun 2026 14:01:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thorsis.com; s=dkim; t=1781179304; h=from:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding; bh=fam5I1nEArATgGdfJI60mOBIZ83DkhZLMH60yy9b8vA=; b=VBxaGcb0B9SjtJuG24J0/yIZV3TYr/q4kI2LAVgMmS30pwUxszJK8/co5jKJ4CxAOQJ1Qn j3VA9C39WRjIQCBn0RH7B21pxTsvoqfvfSP1pdShNNJXfFpguE6v22JMJtonctKXWS2KpL 51g81kCfi7zslrY7B+Q68M7ei9OHNIt8Ns/V8tGLd5LVew0ojqswEdPzwSSvqX0GnQlG6y VcCVWB6mV7vEzKrs/1oMWXhmtXUKcsoYbePn239VLiNLzKp7rVexK6kiTCIt/ON6fh9nNQ 9BJhVh/1eNgrbWWlWndoFgNmCmT4VHAF4+dX/IfbGhhpgpLyZBJpXySwusckdw== To: ptxdist@pengutronix.de Date: Thu, 11 Jun 2026 14:01:34 +0200 Message-ID: <20260611120134.3640221-1-ada@thorsis.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Last-TLS-Session-Version: TLSv1.3 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.whiteo.stw.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-3.1 required=4.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Subject: [ptxdist] [PATCH] openssl: version bump 3.5.6 -> 3.5.7 X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Alexander Dahl via ptxdist Reply-To: ptxdist@pengutronix.de Cc: Alexander Dahl Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false Security update. Forward patchset, minor line relocations. CVEs fixed in 3.5.7: CVE-2026-45447 — Heap Use-After-Free in the PKCS7_verify() Function CVE-2026-34182 — CMS AuthEnvelopedData Processing May Accept Forged Messages CVE-2026-34183 — Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler CVE-2026-42764 — NULL Pointer Dereference in QUIC Server Initial Packet Handling CVE-2026-45445 — AES-OCB IV Ignored on EVP_Cipher() Path CVE-2026-7383 — Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion CVE-2026-9076 — Out-of-Bounds Read in CMS Password-Based Decryption CVE-2026-34180 — Heap Buffer Over-read in ASN.1 Content Parsing CVE-2026-34181 — PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys CVE-2026-42766 — Possible NULL Dereference in Password-Based CMS Decryption CVE-2026-42767 — NULL Pointer Dereference in CRMF EncryptedValue Decryption CVE-2026-42768 — Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() CVE-2026-42769 — Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate CVE-2026-42770 — FFC-DH Peer Validation Uses Attacker-Supplied q CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes Link: https://openssl-library.org/news/openssl-3.5-notes/ Link: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7 Link: https://groups.google.com/a/openssl.org/g/openssl-announce/c/YscHCN2QSi0 Signed-off-by: Alexander Dahl --- .../0001-debian-targets.patch | 0 patches/{openssl-3.5.6 => openssl-3.5.7}/0002-pic.patch | 0 ...igure-allow-to-enable-ktls-if-target-does-not-st.patch | 8 ++++---- ...0004-conf-Serialize-allocation-free-of-ssl_names.patch | 0 patches/{openssl-3.5.6 => openssl-3.5.7}/series | 0 rules/openssl.make | 4 ++-- 6 files changed, 6 insertions(+), 6 deletions(-) rename patches/{openssl-3.5.6 => openssl-3.5.7}/0001-debian-targets.patch (100%) rename patches/{openssl-3.5.6 => openssl-3.5.7}/0002-pic.patch (100%) rename patches/{openssl-3.5.6 => openssl-3.5.7}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch (92%) rename patches/{openssl-3.5.6 => openssl-3.5.7}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%) rename patches/{openssl-3.5.6 => openssl-3.5.7}/series (100%) diff --git a/patches/openssl-3.5.6/0001-debian-targets.patch b/patches/openssl-3.5.7/0001-debian-targets.patch similarity index 100% rename from patches/openssl-3.5.6/0001-debian-targets.patch rename to patches/openssl-3.5.7/0001-debian-targets.patch diff --git a/patches/openssl-3.5.6/0002-pic.patch b/patches/openssl-3.5.7/0002-pic.patch similarity index 100% rename from patches/openssl-3.5.6/0002-pic.patch rename to patches/openssl-3.5.7/0002-pic.patch diff --git a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch similarity index 92% rename from patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch rename to patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch index bf5b10a4e..4ed616e24 100644 --- a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch +++ b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch @@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index cba57b41273f..7fa3eeae412f 100644 +index 692eccbfa1dc..225b1ea7032f 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf -@@ -693,7 +693,7 @@ my %targets = ( +@@ -694,7 +694,7 @@ my %targets = ( shared_target => "linux-shared", shared_cflag => "-fPIC", shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" }, @@ -41,10 +41,10 @@ index cba57b41273f..7fa3eeae412f 100644 "linux-latomic" => { inherit_from => [ "linux-generic32" ], diff --git a/Configure b/Configure -index 499585438a16..98c0bcb92a79 100755 +index 1b020faadb01..e8321ba49219 100755 --- a/Configure +++ b/Configure -@@ -1836,7 +1836,7 @@ unless ($disabled{devcryptoeng}) { +@@ -1841,7 +1841,7 @@ unless ($disabled{devcryptoeng}) { unless ($disabled{ktls}) { $config{ktls}=""; my $cc = $config{CROSS_COMPILE}.$config{CC}; diff --git a/patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch similarity index 100% rename from patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch rename to patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch diff --git a/patches/openssl-3.5.6/series b/patches/openssl-3.5.7/series similarity index 100% rename from patches/openssl-3.5.6/series rename to patches/openssl-3.5.7/series diff --git a/rules/openssl.make b/rules/openssl.make index d50b67658..fb8355dbd 100644 --- a/rules/openssl.make +++ b/rules/openssl.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl # # Paths and names # -OPENSSL_VERSION := 3.5.6 -OPENSSL_SHA256 := deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736 +OPENSSL_VERSION := 3.5.7 +OPENSSL_SHA256 := a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8 OPENSSL := openssl-$(OPENSSL_VERSION) OPENSSL_SUFFIX := tar.gz OPENSSL_URL := \ base-commit: 3d185e7c01807e7a2f58a89fe811ed572d267099 -- 2.47.3