| Message ID | 030e8e0e4af2349abeea7c1de02e9062fd8aebbe.1769845858.git.yoann.congal@smile.fr |
|---|---|
| State | New |
| Series | [whinlatter,01/22] oeqa/gitarchive: Fix git push URL parameter | expand |
Le sam. 31 janv. 2026 à 08:57, Yoann Congal <yoann.congal@smile.fr> a écrit : > From: Peter Marko <peter.marko@siemens.com> > > Resolved patch conflicts. > > Release information [1]: > > OpenSSL 3.5.5 is a security patch release. The most severe CVE fixed in > this release is High. > This release incorporates the following bug fixes and mitigations: > * Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC > verification. (CVE-2025-11187) > * Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing. > (CVE-2025-15467) > * Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher > ID. (CVE-2025-15468) > * Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB. > (CVE-2025-15469) > * Fixed TLS 1.3 CompressedCertificate excessive memory allocation. > (CVE-2025-66199) > * Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes. > (CVE-2025-68160) > * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB > function calls. (CVE-2025-69418) > * Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion. > (CVE-2025-69419) > * Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() > function. (CVE-2025-69420) > * Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function. > (CVE-2025-69421) > * Fixed Missing ASN1_TYPE validation in PKCS#12 parsing. (CVE-2026-22795) > * Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() > function. (CVE-2026-22796) > > [1] > https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-354-and-openssl-355-27-jan-2026 > > Signed-off-by: Peter Marko <peter.marko@siemens.com> 
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> > This patch was not included in the tested branch, please ignore (it is not yet merged on master) > --- > ...ke-history-reporting-when-test-fails.patch | 23 +++++++++---------- > .../0001-extend-check_cwm-test-timeout.patch | 2 +- > .../{openssl_3.5.4.bb => openssl_3.5.5.bb} | 2 +- > 3 files changed, 13 insertions(+), 14 deletions(-) > rename meta/recipes-connectivity/openssl/{openssl_3.5.4.bb => > openssl_3.5.5.bb} (99%) > > diff --git > a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch > b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch > index 5b7365a3531..a74c79303f6 100644 > --- > a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch > +++ > b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch > @@ -7,10 +7,10 @@ Upstream-Status: Submitted [ > https://github.com/openssl/openssl/pull/22481] > > Signed-off-by: William Lyu <William.Lyu@windriver.com> > --- > - test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++---------- > + test/helpers/handshake.c | 136 ++++++++++++++++++++++++++++++--------- > test/helpers/handshake.h | 70 +++++++++++++++++++- > test/ssl_test.c | 44 +++++++++++++ > - 3 files changed, 217 insertions(+), 34 deletions(-) > + 3 files changed, 217 insertions(+), 33 deletions(-) > > diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c > index f611b3a..5703b48 100644 > @@ -119,7 +119,7 @@ index f611b3a..5703b48 100644 > HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) > { > HANDSHAKE_RESULT *ret; > -@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL > *client, > +@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL > *client, > SSL_set_post_handshake_auth(client, 1); > } 
> > @@ -135,7 +135,7 @@ index f611b3a..5703b48 100644 > /* An SSL object and associated read-write buffers. */ > typedef struct peer_st { > SSL *ssl; > -@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer) > +@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer) > } > } > > @@ -148,12 +148,11 @@ index f611b3a..5703b48 100644 > - SHUTDOWN, > - CONNECTION_DONE > -} connect_phase_t; > -- > - > static int renegotiate_op(const SSL_TEST_CTX *test_ctx) > { > switch (test_ctx->handshake_mode) { > -@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX > *test_ctx, PEER *peer, > +@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX > *test_ctx, PEER *peer, > } > } > > @@ -173,7 +172,7 @@ index f611b3a..5703b48 100644 > /* > * Determine the handshake outcome. > * last_status: the status of the peer to have acted last. > -@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( > +@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( > > start = time(NULL); > > @@ -184,8 +183,8 @@ index f611b3a..5703b48 100644 > /* > * Half-duplex handshake loop. > * Client and server speak to each other synchronously in the same > process. > -@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( > - 0 /* server went last */); > +@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( > + 0 /* server went last */); > } > > + save_loop_history(&(ret->history), > @@ -292,14 +291,14 @@ index 78b03f9..b9967c2 100644 > > HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); 
> @@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX > *server_ctx, SSL_CTX *server2_ctx, > - CTX_DATA *server2_ctx_data, > - CTX_DATA *client_ctx_data); > + CTX_DATA *server2_ctx_data, > + CTX_DATA *client_ctx_data); > > +const char *handshake_connect_phase_name(connect_phase_t phase); > +const char *handshake_status_name(handshake_status_t handshake_status); > +const char *handshake_peer_status_name(peer_status_t peer_status); > + > - #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ > + #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ > diff --git a/test/ssl_test.c b/test/ssl_test.c > index ea60851..9d6b093 100644 > --- a/test/ssl_test.c > diff --git > a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch > b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch > index d02d42f1b51..f6eb28069ac 100644 > --- > a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch > +++ > b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch > @@ -20,7 +20,7 @@ index 4a1e886a71..39f8c61ef9 100644 > +++ b/test/radix/main.c > @@ -25,6 +25,11 @@ static int test_script(int idx) > int testresult; > - TERP_CONFIG cfg = {0}; > + TERP_CONFIG cfg = { 0 }; > > + // check_cwm test sometimes times out, the default 3000ms is > + // not enough if the test execution starves for CPU > diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.4.bb > b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb > similarity index 99% > rename from meta/recipes-connectivity/openssl/openssl_3.5.4.bb > rename to meta/recipes-connectivity/openssl/openssl_3.5.5.bb > index e760baf3a02..c0d02b617ba 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.5.4.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb 
> @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = > "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99" > +SRC_URI[sha256sum] = > "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89" > > inherit lib_package multilib_header multilib_script ptest perlnative > manpages > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" >
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index 5b7365a3531..a74c79303f6 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -7,10 +7,10 @@ Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]

 Signed-off-by: William Lyu <William.Lyu@windriver.com>
 ---
- test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.c | 136 ++++++++++++++++++++++++++++++---------
 test/helpers/handshake.h | 70 +++++++++++++++++++-
 test/ssl_test.c | 44 +++++++++++++
- 3 files changed, 217 insertions(+), 34 deletions(-)
+ 3 files changed, 217 insertions(+), 33 deletions(-)

 diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
 index f611b3a..5703b48 100644
@@ -119,7 +119,7 @@ index f611b3a..5703b48 100644
 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
 {
 HANDSHAKE_RESULT *ret;
-@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
 SSL_set_post_handshake_auth(client, 1);
 }

@@ -135,7 +135,7 @@ index f611b3a..5703b48 100644
 /* An SSL object and associated read-write buffers. */
 typedef struct peer_st {
 SSL *ssl;
-@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
+@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer)
 }
 }

@@ -148,12 +148,11 @@ index f611b3a..5703b48 100644
 - SHUTDOWN,
 - CONNECTION_DONE
 -} connect_phase_t;
--
 -
 static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
 {
 switch (test_ctx->handshake_mode) {
-@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
 }
 }

@@ -173,7 +172,7 @@ index f611b3a..5703b48 100644
 /*
 * Determine the handshake outcome.
 * last_status: the status of the peer to have acted last.
-@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(

 start = time(NULL);

@@ -184,8 +183,8 @@ index f611b3a..5703b48 100644
 /*
 * Half-duplex handshake loop.
 * Client and server speak to each other synchronously in the same process.
-@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
- 0 /* server went last */);
+@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+ 0 /* server went last */);
 }

 + save_loop_history(&(ret->history),
@@ -292,14 +291,14 @@ index 78b03f9..b9967c2 100644

 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
 @@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
- CTX_DATA *server2_ctx_data,
- CTX_DATA *client_ctx_data);
+ CTX_DATA *server2_ctx_data,
+ CTX_DATA *client_ctx_data);

 +const char *handshake_connect_phase_name(connect_phase_t phase);
 +const char *handshake_status_name(handshake_status_t handshake_status);
 +const char *handshake_peer_status_name(peer_status_t peer_status);
 +
- #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
+ #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
 diff --git a/test/ssl_test.c b/test/ssl_test.c
 index ea60851..9d6b093 100644
 --- a/test/ssl_test.c
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
index d02d42f1b51..f6eb28069ac 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
@@ -20,7 +20,7 @@ index 4a1e886a71..39f8c61ef9 100644
 +++ b/test/radix/main.c
 @@ -25,6 +25,11 @@ static int test_script(int idx)
 int testresult;
- TERP_CONFIG cfg = {0};
+ TERP_CONFIG cfg = { 0 };

 + // check_cwm test sometimes times out, the default 3000ms is
 + // not enough if the test execution starves for CPU
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.4.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.5.4.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.5.bb
index e760baf3a02..c0d02b617ba 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
@@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
 file://environment.d-openssl.sh \
 "

-SRC_URI[sha256sum] = "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99"
+SRC_URI[sha256sum] = "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89"

 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"