[PATCH] [Kirkstone][meta-lts-collab] openssl: upgrade 3.0.20 -> 3.0.21

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Aditya GS <adityags2004@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Aditya GS <adityags2004@gmail.com>,
	Aditya GS <aditya.gs@bmwtechworks.in>
Subject: [PATCH] [Kirkstone][meta-lts-collab] openssl: upgrade 3.0.20 -> 3.0.21
Date: Sat, 20 Jun 2026 10:09:20 +0530	[thread overview]
Message-ID: <20260620043921.514-1-adityags2004@gmail.com> (raw)

Upgrade OpenSSL from 3.0.20 to 3.0.21.

This upgrade brings in upstream fixes for multiple CVEs:

  - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
  - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
  - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
  - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
  - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
  - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
  - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
  - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
  - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
  - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes

As a result of this upgrade, the following CVEs are already fixed in the
upstream version and no longer require local patches:

  - CVE-2024-41996: vulnerability that could lead to denial of service
  - CVE-2023-50781: fixes related to certificate validation and memory handling

Upstream changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md

Signed-off-by: Aditya GS <adityags2004@gmail.com>
Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
---
 .../openssl/{openssl_3.0.20.bb => openssl_3.0.21.bb}     | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
 rename meta-core/recipes-connectivity/openssl/{openssl_3.0.20.bb => openssl_3.0.21.bb} (96%)

diff --git a/meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb b/meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb
similarity index 96%
rename from meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb
rename to meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb
index d33874e..fffe303 100644
--- a/meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb
+++ b/meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb
@@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2024-41996.patch \
-           file://CVE-2023-50781-1.patch \
-           file://CVE-2023-50781-2.patch \
-           file://CVE-2023-50781-3.patch \
-           file://CVE-2023-50781-4.patch \
-           file://CVE-2023-50781-5.patch \
-           file://CVE-2023-50781-6.patch \
           "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "c80a01dfc70ece4dc21168932c37739042d404d46ccc81a5986dd75314ecda6f"
+SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.34.1

                 reply	other threads:[~2026-06-20 11:30 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d33874e dfblob:fffe303 )
 OR (
bs:"[PATCH] [Kirkstone][meta-lts-collab] openssl: upgrade 3.0.20 -> 3.0.21" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260620043921.514-1-adityags2004@gmail.com \
    --to=adityags2004@gmail.com \
    --cc=aditya.gs@bmwtechworks.in \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.