[scarthgap] openssl: upgrade 3.2.4 -> 3.2.5

Message ID	20250710221053.2418550-1-peter.marko@siemens.com
State	Changes Requested
Delegated to:	Steve Sakoman
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.64.228, mailfrom: fm-256628-20250710221140b2234a673fe39b9cb7-owpzo6@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-core@lists.openembedded.org Cc: Peter Marko <peter.marko@siemens.com> Subject: [OE-core][scarthgap][PATCH] openssl: upgrade 3.2.4 -> 3.2.5 Date: Fri, 11 Jul 2025 00:10:53 +0200 Message-Id: <20250710221053.2418550-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	[scarthgap] openssl: upgrade 3.2.4 -> 3.2.5 \| expand [scarthgap] openssl: upgrade 3.2.4 -> 3.2.5

Message ID

20250710221053.2418550-1-peter.marko@siemens.com

State

Changes Requested

Delegated to:

Steve Sakoman

Headers

From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][scarthgap][PATCH] openssl: upgrade 3.2.4 -> 3.2.5
Date: Fri, 11 Jul 2025 00:10:53 +0200
Message-Id: <20250710221053.2418550-1-peter.marko@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-256628:519-21489:flowmailer

Series

[scarthgap] openssl: upgrade 3.2.4 -> 3.2.5 | expand

Commit Message

Peter Marko July 10, 2025, 10:10 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Release information:
https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-324-and-openssl-325-1-jul-2025

Handles CVE-2025-27587.

Refresh patches.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch       | 2 +-
 .../openssl/{openssl_3.2.4.bb => openssl_3.2.5.bb}              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.2.4.bb => openssl_3.2.5.bb} (99%)

Comments

Steve Sakoman July 16, 2025, 9:22 p.m. UTC | #1

Unfortunately I'm getting python3 ptest failures with this patch.

Here are three examples:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/73/builds/1910/steps/13/logs/stdio
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/61/builds/1902/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/73/builds/1907/steps/12/logs/stdio

Search for "failing ptests" to quickly locate the error in the log.

Steve

On Thu, Jul 10, 2025 at 3:11 PM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Release information:
> https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-324-and-openssl-325-1-jul-2025
>
> Handles CVE-2025-27587.
>
> Refresh patches.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch       | 2 +-
>  .../openssl/{openssl_3.2.4.bb => openssl_3.2.5.bb}              | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.2.4.bb => openssl_3.2.5.bb} (99%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> index 3f6ab97795..153bb1e843 100644
> --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
> @@ -20,7 +20,7 @@ diff --git a/Configure b/Configure
>  index 4569952..adf019b 100755
>  --- a/Configure
>  +++ b/Configure
> -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
> +@@ -1486,16 +1486,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
>           push @{$config{shared_ldflag}}, "-mno-cygwin";
>           }
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb b/meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> similarity index 99%
> rename from meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> index c4ad80e734..ca2c0d18bc 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] = "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716"
> +SRC_URI[sha256sum] = "b36347d024a0f5bd09fefcd6af7a58bb30946080eb8ce8f7be78562190d09879"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative manpages
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#220131): https://lists.openembedded.org/g/openembedded-core/message/220131
> Mute This Topic: https://lists.openembedded.org/mt/114091452/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Peter Marko July 18, 2025, 7:54 p.m. UTC | #2

I was a bit surprised about this as I have run python3-ptest on this update.
(from experience that openssl updates may break it)
However this looks like being flaky now (approx. 33% failure rate).

So I guess I'll have to bisect openssl commits again, not much fun...

Peter

> -----Original Message-----
> From: Steve Sakoman <steve@sakoman.com>
> Sent: Wednesday, July 16, 2025 23:22
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap][PATCH] openssl: upgrade 3.2.4 -> 3.2.5
> 
> Unfortunately I'm getting python3 ptest failures with this patch.
> 
> Here are three examples:
> 
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/73/builds/1910/steps/13/lo
> gs/stdio
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/61/builds/1902/steps/12/lo
> gs/stdio
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/73/builds/1907/steps/12/lo
> gs/stdio
> 
> Search for "failing ptests" to quickly locate the error in the log.
> 
> Steve
> 
> On Thu, Jul 10, 2025 at 3:11 PM Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Release information:
> > https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-
> between-openssl-324-and-openssl-325-1-jul-2025
> >
> > Handles CVE-2025-27587.
> >
> > Refresh patches.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch       | 2 +-
> >  .../openssl/{openssl_3.2.4.bb => openssl_3.2.5.bb}              | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >  rename meta/recipes-connectivity/openssl/{openssl_3.2.4.bb =>
> openssl_3.2.5.bb} (99%)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-
> tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-
> Configure-do-not-tweak-mips-cflags.patch
> > index 3f6ab97795..153bb1e843 100644
> > --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
> mips-cflags.patch
> > +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
> mips-cflags.patch
> > @@ -20,7 +20,7 @@ diff --git a/Configure b/Configure
> >  index 4569952..adf019b 100755
> >  --- a/Configure
> >  +++ b/Configure
> > -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-
> help 2>&1` =~ m/-mno-cygwin/m)
> > +@@ -1486,16 +1486,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-
> help 2>&1` =~ m/-mno-cygwin/m)
> >           push @{$config{shared_ldflag}}, "-mno-cygwin";
> >           }
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb b/meta/recipes-
> connectivity/openssl/openssl_3.2.5.bb
> > similarity index 99%
> > rename from meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> > rename to meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> > index c4ad80e734..ca2c0d18bc 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> > @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
> >             file://environment.d-openssl.sh \
> >             "
> >
> > -SRC_URI[sha256sum] =
> "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716"
> > +SRC_URI[sha256sum] =
> "b36347d024a0f5bd09fefcd6af7a58bb30946080eb8ce8f7be78562190d09879"
> >
> >  inherit lib_package multilib_header multilib_script ptest perlnative manpages
> >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#220131): https://lists.openembedded.org/g/openembedded-
> core/message/220131
> > Mute This Topic: https://lists.openembedded.org/mt/114091452/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
> [steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >

Peter Marko July 20, 2025, 7:21 p.m. UTC | #3

I have bisected the failure to an openssl commit and created issues:
https://github.com/openssl/openssl/issues/28065
https://github.com/python/cpython/issues/136881

Reverting the commit which breaks things is not so easy, but maybe I'll have luck or we get suggestions from upstream.
Or maybe we will start backporting CVE fixes instead of doing upgrades 4 months earlier (EOL of openssl 3.2 is November 2025).

Peter
> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1)
> Sent: Friday, July 18, 2025 21:55
> To: Steve Sakoman <steve@sakoman.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: RE: [OE-core][scarthgap][PATCH] openssl: upgrade 3.2.4 -> 3.2.5
> 
> I was a bit surprised about this as I have run python3-ptest on this update.
> (from experience that openssl updates may break it)
> However this looks like being flaky now (approx. 33% failure rate).
> 
> So I guess I'll have to bisect openssl commits again, not much fun...
> 
> Peter
> 
> > -----Original Message-----
> > From: Steve Sakoman <steve@sakoman.com>
> > Sent: Wednesday, July 16, 2025 23:22
> > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core][scarthgap][PATCH] openssl: upgrade 3.2.4 -> 3.2.5
> >
> > Unfortunately I'm getting python3 ptest failures with this patch.
> >
> > Here are three examples:
> >
> >
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/73/builds/1910/steps/13/lo
> > gs/stdio
> >
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/61/builds/1902/steps/12/lo
> > gs/stdio
> >
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/73/builds/1907/steps/12/lo
> > gs/stdio
> >
> > Search for "failing ptests" to quickly locate the error in the log.
> >
> > Steve
> >
> > On Thu, Jul 10, 2025 at 3:11 PM Peter Marko via lists.openembedded.org
> > <peter.marko=siemens.com@lists.openembedded.org> wrote:
> > >
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Release information:
> > > https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-
> changes-
> > between-openssl-324-and-openssl-325-1-jul-2025
> > >
> > > Handles CVE-2025-27587.
> > >
> > > Refresh patches.
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > ---
> > >  .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch       | 2 +-
> > >  .../openssl/{openssl_3.2.4.bb => openssl_3.2.5.bb}              | 2 +-
> > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > >  rename meta/recipes-connectivity/openssl/{openssl_3.2.4.bb =>
> > openssl_3.2.5.bb} (99%)
> > >
> > > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-
> > tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-
> > Configure-do-not-tweak-mips-cflags.patch
> > > index 3f6ab97795..153bb1e843 100644
> > > --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
> > mips-cflags.patch
> > > +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-
> tweak-
> > mips-cflags.patch
> > > @@ -20,7 +20,7 @@ diff --git a/Configure b/Configure
> > >  index 4569952..adf019b 100755
> > >  --- a/Configure
> > >  +++ b/Configure
> > > -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-
> > help 2>&1` =~ m/-mno-cygwin/m)
> > > +@@ -1486,16 +1486,6 @@ if ($target =~ /^mingw/ && `$config{CC} --
> target-
> > help 2>&1` =~ m/-mno-cygwin/m)
> > >           push @{$config{shared_ldflag}}, "-mno-cygwin";
> > >           }
> > >
> > > diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> b/meta/recipes-
> > connectivity/openssl/openssl_3.2.5.bb
> > > similarity index 99%
> > > rename from meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> > > rename to meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> > > index c4ad80e734..ca2c0d18bc 100644
> > > --- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
> > > +++ b/meta/recipes-connectivity/openssl/openssl_3.2.5.bb
> > > @@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
> > >             file://environment.d-openssl.sh \
> > >             "
> > >
> > > -SRC_URI[sha256sum] =
> > "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716"
> > > +SRC_URI[sha256sum] =
> > "b36347d024a0f5bd09fefcd6af7a58bb30946080eb8ce8f7be78562190d09879"
> > >
> > >  inherit lib_package multilib_header multilib_script ptest perlnative manpages
> > >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#220131):
> https://lists.openembedded.org/g/openembedded-
> > core/message/220131
> > > Mute This Topic: https://lists.openembedded.org/mt/114091452/3620601
> > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
> > [steve@sakoman.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 3f6ab97795..153bb1e843 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -20,7 +20,7 @@  diff --git a/Configure b/Configure
 index 4569952..adf019b 100755
 --- a/Configure
 +++ b/Configure
-@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1486,16 +1486,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
          push @{$config{shared_ldflag}}, "-mno-cygwin";
          }
  
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb b/meta/recipes-connectivity/openssl/openssl_3.2.5.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.2.4.bb
rename to meta/recipes-connectivity/openssl/openssl_3.2.5.bb
index c4ad80e734..ca2c0d18bc 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.5.bb
@@ -18,7 +18,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716"
+SRC_URI[sha256sum] = "b36347d024a0f5bd09fefcd6af7a58bb30946080eb8ce8f7be78562190d09879"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

[scarthgap] openssl: upgrade 3.2.4 -> 3.2.5

Commit Message

Comments

Patch