
[kirkstone,1/1] openssl: upgrade 3.0.17 -> 3.0.18

Message ID 20251006081341.3653614-1-archana.polampalli@windriver.com
State Under Review
Delegated to: Steve Sakoman

Commit Message

Polampalli, Archana Oct. 6, 2025, 8:13 a.m. UTC
From: Archana Polampalli <archana.polampalli@windriver.com>

This release incorporates the following bug fixes and mitigations:
Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)

Changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.18/NEWS.md#openssl-30

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb} (99%)

Comments

Marko, Peter Oct. 6, 2025, 9:52 a.m. UTC | #1
I have sent out another patch which also refreshed patches.
Here I'd like to ask the maintainers regarding patch refresh policy.
Should I be doing it also when the do_patch does not report any fuzz, only when some line numbers moved a bit?

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Polampalli, Archana via
> lists.openembedded.org
> Sent: Monday, October 6, 2025 10:14
> To: openembedded-core@lists.openembedded.org
> Subject: [oe-core][kirkstone][PATCH 1/1] openssl: upgrade 3.0.17 -> 3.0.18
> 
> From: Archana Polampalli <archana.polampalli@windriver.com>
> 
> This release incorporates the following bug fixes and mitigations:
> Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
> Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
> 
> Changelog:
> https://github.com/openssl/openssl/blob/openssl-3.0.18/NEWS.md#openssl-30
> 
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ---
>  .../openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb}            | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.17.bb =>
> openssl_3.0.18.bb} (99%)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-
> connectivity/openssl/openssl_3.0.18.bb
> similarity index 99%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.18.bb
> index a50bd2edbf..a8dd338327 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
> @@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
> 
> -SRC_URI[sha256sum] =
> "dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce"
> +SRC_URI[sha256sum] =
> "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b"
> 
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> --
> 2.40.0
Steve Sakoman Oct. 6, 2025, 3:51 p.m. UTC | #2
On Mon, Oct 6, 2025 at 2:52 AM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> I have sent out another patch which also refreshed patches.
> Here I'd like to ask the maintainers regarding patch refresh policy.
> Should I be doing it also when the do_patch does not report any fuzz, only when some line numbers moved a bit?

Definitely eliminate fuzz, but if the patches apply I'm not too
concerned about line numbers moving a bit.

However I notice that your version of this patch also changed the
content of one of the patches (CVE-2024-41996.patch).  Was this
intentional?

Steve

>
> Peter
>
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-
> > core@lists.openembedded.org> On Behalf Of Polampalli, Archana via
> > lists.openembedded.org
> > Sent: Monday, October 6, 2025 10:14
> > To: openembedded-core@lists.openembedded.org
> > Subject: [oe-core][kirkstone][PATCH 1/1] openssl: upgrade 3.0.17 -> 3.0.18
> >
> > From: Archana Polampalli <archana.polampalli@windriver.com>
> >
> > This release incorporates the following bug fixes and mitigations:
> > Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
> > Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
> >
> > Changelog:
> > https://github.com/openssl/openssl/blob/openssl-3.0.18/NEWS.md#openssl-30
> >
> > Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> > ---
> >  .../openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb}            | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >  rename meta/recipes-connectivity/openssl/{openssl_3.0.17.bb =>
> > openssl_3.0.18.bb} (99%)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-
> > connectivity/openssl/openssl_3.0.18.bb
> > similarity index 99%
> > rename from meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> > rename to meta/recipes-connectivity/openssl/openssl_3.0.18.bb
> > index a50bd2edbf..a8dd338327 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
> > @@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \
> >             file://environment.d-openssl.sh \
> >             "
> >
> > -SRC_URI[sha256sum] =
> > "dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce"
> > +SRC_URI[sha256sum] =
> > "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b"
> >
> >  inherit lib_package multilib_header multilib_script ptest perlnative
> >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> > --
> > 2.40.0
Marko, Peter Oct. 6, 2025, 5:16 p.m. UTC | #3
> -----Original Message-----
> From: Steve Sakoman <steve@sakoman.com>
> Sent: Monday, October 6, 2025 17:51
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: archana.polampalli@windriver.com; openembedded-
> core@lists.openembedded.org
> Subject: Re: [oe-core][kirkstone][PATCH 1/1] openssl: upgrade 3.0.17 -> 3.0.18
> 
> On Mon, Oct 6, 2025 at 2:52 AM Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >
> > I have sent out another patch which also refreshed patches.
> > Here I'd like to ask the maintainers regarding patch refresh policy.
> > Should I be doing it also when the do_patch does not report any fuzz, only when some line numbers moved a bit?
> 
> Definitely eliminate fuzz, but if the patches apply I'm not too
> concerned about line numbers moving a bit.
> 
> However I notice that your version of this patch also changed the
> content of one of the patches (CVE-2024-41996.patch).  Was this
> intentional?
> 
> Steve

That's what devtool did and I assessed it as a correct change.
It looks like the patch was not 100% per specification, as a patch needs to have a leading "+", "-" or " ".
Probably the patch was edited manually and the editor stripped the space due to editorconfig?

Peter

> 
> >
> > Peter
> >
> > > -----Original Message-----
> > > From: openembedded-core@lists.openembedded.org <openembedded-
> > > core@lists.openembedded.org> On Behalf Of Polampalli, Archana via
> > > lists.openembedded.org
> > > Sent: Monday, October 6, 2025 10:14
> > > To: openembedded-core@lists.openembedded.org
> > > Subject: [oe-core][kirkstone][PATCH 1/1] openssl: upgrade 3.0.17 -> 3.0.18
> > >
> > > From: Archana Polampalli <archana.polampalli@windriver.com>
> > >
> > > This release incorporates the following bug fixes and mitigations:
> > > Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
> > > Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
> > >
> > > Changelog:
> > > https://github.com/openssl/openssl/blob/openssl-3.0.18/NEWS.md#openssl-30
> > >
> > > Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> > > ---
> > >  .../openssl/{openssl_3.0.17.bb => openssl_3.0.18.bb}            | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >  rename meta/recipes-connectivity/openssl/{openssl_3.0.17.bb =>
> > > openssl_3.0.18.bb} (99%)
> > >
> > > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> b/meta/recipes-
> > > connectivity/openssl/openssl_3.0.18.bb
> > > similarity index 99%
> > > rename from meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> > > rename to meta/recipes-connectivity/openssl/openssl_3.0.18.bb
> > > index a50bd2edbf..a8dd338327 100644
> > > --- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
> > > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
> > > @@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \
> > >             file://environment.d-openssl.sh \
> > >             "
> > >
> > > -SRC_URI[sha256sum] =
> > > "dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce"
> > > +SRC_URI[sha256sum] =
> > > "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b"
> > >
> > >  inherit lib_package multilib_header multilib_script ptest perlnative
> > >  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
> > > --
> > > 2.40.0
> >
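
The format rule raised in comment #3 (every line inside a hunk body starts with "+", "-" or " ") can be checked mechanically; the following is an added example, not part of the thread or of OpenEmbedded's tooling. The function name and the sample patch are constructed for illustration.

```python
import re

# Unified-diff hunk header: @@ -old_start[,old_count] +new_start[,new_count] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample: line 5 was an empty context line (" ") whose single
# leading space was removed by whitespace trimming.
SAMPLE_PATCH = "\n".join([
    "--- a/demo.c",
    "+++ b/demo.c",
    "@@ -1,3 +1,3 @@",
    " int x;",
    "",
    "-int y = 1;",
    "+int y = 2;",
    "",
])

def find_malformed_hunk_lines(patch_text):
    """Return (line_number, reason) for hunk body lines without a valid prefix."""
    problems = []
    old_left = new_left = 0  # lines still expected in the current hunk body
    for lineno, line in enumerate(patch_text.split("\n"), start=1):
        m = HUNK_RE.match(line)
        if m:
            # An omitted count in the header means 1.
            old_left = int(m.group(2)) if m.group(2) is not None else 1
            new_left = int(m.group(4)) if m.group(4) is not None else 1
            continue
        if old_left <= 0 and new_left <= 0:
            continue  # file headers, commit text, or space between hunks
        if line.startswith("\\"):
            continue  # "\ No newline at end of file" marker
        prefix = line[:1]
        if prefix == "-":
            old_left -= 1
            continue
        if prefix == "+":
            new_left -= 1
            continue
        if prefix == "":
            problems.append((lineno, "empty context line lost its leading space"))
        elif prefix != " ":
            problems.append((lineno, "missing '+', '-' or ' ' prefix"))
        # Valid or not, treat the line as context so the counts stay aligned.
        old_left -= 1
        new_left -= 1
    return problems
```

Counting lines against the hunk header is what lets the check tell a stripped context line inside a hunk from an ordinary blank line between hunks or in the commit message.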

Patch

diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.0.17.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.18.bb
index a50bd2edbf..a8dd338327 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
@@ -25,7 +25,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce"
+SRC_URI[sha256sum] = "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
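
Review bot: The new SRC_URI[sha256sum] value is the only content change in this hunk, and neither the hunk nor the commit message says where the digest came from. Please state that it matches the checksum upstream publishes for the 3.0.18 tarball, so the value can be confirmed independently of the submitter's download. Since the rename at 99% similarity keeps the rest of the recipe as it was, it would also help to note that the patches the recipe carries still apply to 3.0.18 without fuzz.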