From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Thu, 25 Jun 2026 21:23:38 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wcpfm-009ohB-11 for lore@lore.pengutronix.de; Thu, 25 Jun 2026 21:23:38 +0200 Received: from [127.0.0.1] (helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wcpfm-0007j5-2w; Thu, 25 Jun 2026 21:23:38 +0200 Received: from mx1.white.stw.pengutronix.de ([185.203.200.13]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wcpfb-0007Dv-J8 for ptxdist@pengutronix.de; Thu, 25 Jun 2026 21:23:28 +0200 Received: from drehscheibe.grey.stw.pengutronix.de (drehscheibe.grey.stw.pengutronix.de [IPv6:2a0a:edc0:0:c01:1d::a2]) (Authenticated sender: relay-from-drehscheibe.grey.stw.pengutronix.de) by mx1.white.stw.pengutronix.de (Postfix) with ESMTPSA id 6D63F2002FE; Thu, 25 Jun 2026 21:23:27 +0200 (CEST) Received: from dude05.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::54]) by drehscheibe.grey.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wcpfb-004dYm-13; Thu, 25 Jun 2026 21:23:27 +0200 Received: from mol by dude05.red.stw.pengutronix.de with local (Exim 4.98.2) (envelope-from ) id 1wcpfb-00000003UV0-1A34; Thu, 25 Jun 2026 21:23:27 +0200 From: Michael Olbrich To: ptxdist@pengutronix.de Date: Thu, 25 Jun 2026 21:23:27 +0200 Message-ID: <20260625192327.832215-1-m.olbrich@pengutronix.de> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260611120134.3640221-1-ada@thorsis.com> References: <20260611120134.3640221-1-ada@thorsis.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.whiteo.stw.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-3.7 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.2 Subject: Re: [ptxdist] [APPLIED] openssl: version bump 3.5.6 -> 3.5.7 X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Alexander Dahl Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false Thanks, applied as 84f2395da708981aa88759fd9585edbc814b8ac9. Michael [sent from post-receive hook] On Thu, 25 Jun 2026 21:23:27 +0200, Alexander Dahl wrote: > Security update. Forward patchset, minor line relocations. > > CVEs fixed in 3.5.7: > > CVE-2026-45447 — Heap Use-After-Free in the PKCS7_verify() Function > CVE-2026-34182 — CMS AuthEnvelopedData Processing May Accept Forged Messages > CVE-2026-34183 — Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler > CVE-2026-42764 — NULL Pointer Dereference in QUIC Server Initial Packet Handling > CVE-2026-45445 — AES-OCB IV Ignored on EVP_Cipher() Path > CVE-2026-7383 — Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion > CVE-2026-9076 — Out-of-Bounds Read in CMS Password-Based Decryption > CVE-2026-34180 — Heap Buffer Over-read in ASN.1 Content Parsing > CVE-2026-34181 — PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys > CVE-2026-42766 — Possible NULL Dereference in Password-Based CMS Decryption > CVE-2026-42767 — NULL Pointer Dereference in CRMF EncryptedValue Decryption > CVE-2026-42768 — Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() > CVE-2026-42769 — Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate > CVE-2026-42770 — FFC-DH Peer Validation Uses Attacker-Supplied q > CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes > > Link: https://openssl-library.org/news/openssl-3.5-notes/ > Link: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7 > Link: https://groups.google.com/a/openssl.org/g/openssl-announce/c/YscHCN2QSi0 > Signed-off-by: Alexander Dahl > Message-Id: <20260611120134.3640221-1-ada@thorsis.com> > Signed-off-by: Michael Olbrich > > diff --git a/patches/openssl-3.5.6/0001-debian-targets.patch b/patches/openssl-3.5.7/0001-debian-targets.patch > similarity index 100% > rename from patches/openssl-3.5.6/0001-debian-targets.patch > rename to patches/openssl-3.5.7/0001-debian-targets.patch > diff --git a/patches/openssl-3.5.6/0002-pic.patch b/patches/openssl-3.5.7/0002-pic.patch > similarity index 100% > rename from patches/openssl-3.5.6/0002-pic.patch > rename to patches/openssl-3.5.7/0002-pic.patch > diff --git a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > similarity index 92% > rename from patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > rename to patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > index bf5b10a4e60f..4ed616e24d02 100644 > --- a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > +++ b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > @@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf > -index cba57b41273f..7fa3eeae412f 100644 > +index 692eccbfa1dc..225b1ea7032f 100644 > --- a/Configurations/10-main.conf > +++ b/Configurations/10-main.conf > -@@ -693,7 +693,7 @@ my %targets = ( > +@@ -694,7 +694,7 @@ my %targets = ( > shared_target => "linux-shared", > shared_cflag => "-fPIC", > shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" }, > @@ -41,10 +41,10 @@ index cba57b41273f..7fa3eeae412f 100644 > "linux-latomic" => { > inherit_from => [ "linux-generic32" ], > diff --git a/Configure b/Configure > -index 499585438a16..98c0bcb92a79 100755 > +index 1b020faadb01..e8321ba49219 100755 > --- a/Configure > +++ b/Configure > -@@ -1836,7 +1836,7 @@ unless ($disabled{devcryptoeng}) { > +@@ -1841,7 +1841,7 @@ unless ($disabled{devcryptoeng}) { > unless ($disabled{ktls}) { > $config{ktls}=""; > my $cc = $config{CROSS_COMPILE}.$config{CC}; > diff --git a/patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch > similarity index 100% > rename from patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch > rename to patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch > diff --git a/patches/openssl-3.5.6/series b/patches/openssl-3.5.7/series > similarity index 100% > rename from patches/openssl-3.5.6/series > rename to patches/openssl-3.5.7/series > diff --git a/rules/openssl.make b/rules/openssl.make > index d50b67658907..fb8355dbd363 100644 > --- a/rules/openssl.make > +++ b/rules/openssl.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl > # > # Paths and names > # > -OPENSSL_VERSION := 3.5.6 > -OPENSSL_SHA256 := deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736 > +OPENSSL_VERSION := 3.5.7 > +OPENSSL_SHA256 := a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8 > OPENSSL := openssl-$(OPENSSL_VERSION) > OPENSSL_SUFFIX := tar.gz > OPENSSL_URL := \