diff mbox series

[wrynose,meta] openssl: upgrade 3.5.6 -> 3.5.7

Message ID 20260615053642.1110908-1-naman.jain@partner.bmw.de
State Changes Requested, archived
Delegated to: Yoann Congal
Headers show
Series [wrynose,meta] openssl: upgrade 3.5.6 -> 3.5.7 | expand

Commit Message

Naman Jain June 15, 2026, 5:36 a.m. UTC 
From: Naman Jain <namanj1@kpit.com>

OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
* Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
* Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
* Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
* Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
* Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
* Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
* Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
* Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)

[1] https://openssl-library.org/news/secadv/20260609.txt

Reference: [https://github.com/openssl/openssl/releases/tag/openssl-3.5.7]

Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
Signed-off-by: Naman Jain <namanj1@kpit.com>
---
 .../openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} (99%)

Comments

Yoann Congal June 15, 2026, 6:56 a.m. UTC | #1 
On Mon Jun 15, 2026 at 7:36 AM CEST, Naman Jain via lists.openembedded.org wrote:
> From: Naman Jain <namanj1@kpit.com>
>
> OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.
> This release incorporates the following bug fixes and mitigations:
> * Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
> * Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
> * Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
> * Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
> * Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
> * Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
> * Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
> * Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
> * Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
>
> [1] https://openssl-library.org/news/secadv/20260609.txt
>
> Reference: [https://github.com/openssl/openssl/releases/tag/openssl-3.5.7]
>
> Signed-off-by: AshishKumar Mishra <ashishkumar.mishra@bmwtechworks.in>
> Signed-off-by: Naman Jain <namanj1@kpit.com>
> ---

Hello,

Looks like this upgrade needs ptest tweaking.
See https://lore.kernel.org/all/AS8PR10MB5073A4FA9653C5F2A6FC59EAFDE62@AS8PR10MB5073.EURPRD10.PROD.OUTLOOK.COM/

Let's wait for the upgrade to merge on master, then, request a backport.

Thanks!

>  .../openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb}              | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} (99%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
> similarity index 99%
> rename from meta/recipes-connectivity/openssl/openssl_3.5.6.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.5.7.bb
> index 6685654472..6d864e0746 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
> @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>  
> -SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
> +SRC_URI[sha256sum] = "a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8"
>  
>  inherit lib_package multilib_header multilib_script ptest perlnative manpages
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
diff mbox series

Patch

diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.5.6.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.7.bb
index 6685654472..6d864e0746 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
@@ -19,7 +19,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
+SRC_URI[sha256sum] = "a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"