Re: [ptxdist] [APPLIED] openssl: version bump 3.5.6 -> 3.5.7

[Michael Olbrich <m.olbrich@pengutronix.de>]

Thanks, applied as 84f2395da708981aa88759fd9585edbc814b8ac9.

Michael

[sent from post-receive hook]

On Thu, 25 Jun 2026 21:23:27 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Security update.  Forward patchset, minor line relocations.
> 
>  CVEs fixed in 3.5.7:
> 
>     CVE-2026-45447 — Heap Use-After-Free in the PKCS7_verify() Function
>     CVE-2026-34182 — CMS AuthEnvelopedData Processing May Accept Forged Messages
>     CVE-2026-34183 — Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
>     CVE-2026-42764 — NULL Pointer Dereference in QUIC Server Initial Packet Handling
>     CVE-2026-45445 — AES-OCB IV Ignored on EVP_Cipher() Path
>     CVE-2026-7383 — Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion
>     CVE-2026-9076 — Out-of-Bounds Read in CMS Password-Based Decryption
>     CVE-2026-34180 — Heap Buffer Over-read in ASN.1 Content Parsing
>     CVE-2026-34181 — PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
>     CVE-2026-42766 — Possible NULL Dereference in Password-Based CMS Decryption
>     CVE-2026-42767 — NULL Pointer Dereference in CRMF EncryptedValue Decryption
>     CVE-2026-42768 — Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
>     CVE-2026-42769 — Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
>     CVE-2026-42770 — FFC-DH Peer Validation Uses Attacker-Supplied q
>     CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
> 
> Link: https://openssl-library.org/news/openssl-3.5-notes/
> Link: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
> Link: https://groups.google.com/a/openssl.org/g/openssl-announce/c/YscHCN2QSi0
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20260611120134.3640221-1-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/openssl-3.5.6/0001-debian-targets.patch b/patches/openssl-3.5.7/0001-debian-targets.patch
> similarity index 100%
> rename from patches/openssl-3.5.6/0001-debian-targets.patch
> rename to patches/openssl-3.5.7/0001-debian-targets.patch
> diff --git a/patches/openssl-3.5.6/0002-pic.patch b/patches/openssl-3.5.7/0002-pic.patch
> similarity index 100%
> rename from patches/openssl-3.5.6/0002-pic.patch
> rename to patches/openssl-3.5.7/0002-pic.patch
> diff --git a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> similarity index 92%
> rename from patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> rename to patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> index bf5b10a4e60f..4ed616e24d02 100644
> --- a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> +++ b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
> @@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   2 files changed, 2 insertions(+), 2 deletions(-)
>  
>  diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
> -index cba57b41273f..7fa3eeae412f 100644
> +index 692eccbfa1dc..225b1ea7032f 100644
>  --- a/Configurations/10-main.conf
>  +++ b/Configurations/10-main.conf
> -@@ -693,7 +693,7 @@ my %targets = (
> +@@ -694,7 +694,7 @@ my %targets = (
>           shared_target    => "linux-shared",
>           shared_cflag     => "-fPIC",
>           shared_ldflag    => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
> @@ -41,10 +41,10 @@ index cba57b41273f..7fa3eeae412f 100644
>       "linux-latomic" => {
>           inherit_from     => [ "linux-generic32" ],
>  diff --git a/Configure b/Configure
> -index 499585438a16..98c0bcb92a79 100755
> +index 1b020faadb01..e8321ba49219 100755
>  --- a/Configure
>  +++ b/Configure
> -@@ -1836,7 +1836,7 @@ unless ($disabled{devcryptoeng}) {
> +@@ -1841,7 +1841,7 @@ unless ($disabled{devcryptoeng}) {
>   unless ($disabled{ktls}) {
>       $config{ktls}="";
>       my $cc = $config{CROSS_COMPILE}.$config{CC};
> diff --git a/patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> similarity index 100%
> rename from patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> rename to patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch
> diff --git a/patches/openssl-3.5.6/series b/patches/openssl-3.5.7/series
> similarity index 100%
> rename from patches/openssl-3.5.6/series
> rename to patches/openssl-3.5.7/series
> diff --git a/rules/openssl.make b/rules/openssl.make
> index d50b67658907..fb8355dbd363 100644
> --- a/rules/openssl.make
> +++ b/rules/openssl.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
>  #
>  # Paths and names
>  #
> -OPENSSL_VERSION		:= 3.5.6
> -OPENSSL_SHA256		:= deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736
> +OPENSSL_VERSION		:= 3.5.7
> +OPENSSL_SHA256		:= a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8
>  OPENSSL			:= openssl-$(OPENSSL_VERSION)
>  OPENSSL_SUFFIX		:= tar.gz
>  OPENSSL_URL		:= \