| Message ID | 20260615083317.2657-1-adityags2004@gmail.com |
|---|---|
| State | New |
| Series | openssl: upgrade 3.0.19 -> 3.0.21 |
On Mon Jun 15, 2026 at 10:33 AM CEST, Aditya GS via lists.openembedded.org wrote:
> Upgrade OpenSSL from 3.0.19 to 3.0.21.

Hello,

This does not match versions from supported branches. What are you targeting?

Regards,

>
> This upgrade brings in upstream fixes for multiple CVEs:
>
> - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
> - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
> - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
> - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
> - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
> - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
> - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
> - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
> - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
> - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes
> - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation
> - CVE-2026-28387: potential use-after-free in DANE client code
> - CVE-2026-28388: NULL pointer dereference when processing a delta CRL
> - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo
> - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo
> - CVE-2026-31789: heap buffer overflow in hexadecimal conversion
>
> As a result of this upgrade, the following CVEs are already fixed in the
> upstream version and no longer require local patches:
>
> - CVE-2024-41996: vulnerability that could lead to denial of service
> - CVE-2023-50781: fixes related to certificate validation and memory handling
>
> Upstream changelog:
> https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md
>
> Signed-off-by: Aditya GS <adityags2004@gmail.com>
> Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
> ---
>  .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} (95%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> similarity index 95%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> index 293b450cd0..2531305cda 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> @@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
>  file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>  file://afalg.patch \
>  file://0001-Configure-do-not-tweak-mips-cflags.patch \
> - file://CVE-2024-41996.patch \
> - file://CVE-2023-50781-1.patch \
> - file://CVE-2023-50781-2.patch \
> - file://CVE-2023-50781-3.patch \
> - file://CVE-2023-50781-4.patch \
> - file://CVE-2023-50781-5.patch \
> - file://CVE-2023-50781-6.patch \
>  "
>
>  SRC_URI:append:class-nativesdk = " \
>  file://environment.d-openssl.sh \
>  "
>
> -SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
> +SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
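Review bot: the diffstat shows only the recipe itself changing (1 file changed, 1 insertion(+), 8 deletions(-)), so the seven patch files this hunk drops from SRC_URI (file://CVE-2024-41996.patch and file://CVE-2023-50781-1.patch through file://CVE-2023-50781-6.patch) are left behind as orphaned backports in the recipe's files directory. Delete them in the same commit, so that a later reader cannot mistake them for patches still applied to 3.0.21, and mention the removal in the commit message alongside the note that both CVEs are now fixed upstream.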
Hi,

Thanks for the review.

This patch is not targeted for any upstream OpenEmbedded/OE-Core supported branch. It is intended for an internal BSP layer (meta-collab) where we are required to upgrade OpenSSL from 3.0.19 to 3.0.21 to address the upstream CVEs fixed in the 3.0.20 and 3.0.21 security patch releases.

Since this is for an internal layer and not for OE-Core, you may ignore this submission.

Regards,
Aditya
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
similarity index 95%
rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
index 293b450cd0..2531305cda 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
@@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
 file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
 file://afalg.patch \
 file://0001-Configure-do-not-tweak-mips-cflags.patch \
- file://CVE-2024-41996.patch \
- file://CVE-2023-50781-1.patch \
- file://CVE-2023-50781-2.patch \
- file://CVE-2023-50781-3.patch \
- file://CVE-2023-50781-4.patch \
- file://CVE-2023-50781-5.patch \
- file://CVE-2023-50781-6.patch \
 "

 SRC_URI:append:class-nativesdk = " \
 file://environment.d-openssl.sh \
 "

-SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
+SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"

 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
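Review bot: the SRC_URI[sha256sum] line in this hunk swaps the tarball checksum from "fa5a4143…ab63072" to "617e29af…1d522f", but neither the hunk nor the commit message says how the new value was obtained. Because that checksum is what the fetcher verifies the downloaded openssl-3.0.21 archive against, state in the commit message that it was compared with the checksum or signature published for the upstream 3.0.21 release, rather than copied from whatever the first fetch happened to produce; the 3.0.20 and 3.0.21 release notes referenced in the cover text are the place a reviewer would expect that cross-check to be cited.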