* [PATCH] [Kirkstone][meta-lts-collab] openssl: upgrade 3.0.20 -> 3.0.21
@ 2026-06-20 4:39 Aditya GS
0 siblings, 0 replies; only message in thread
From: Aditya GS @ 2026-06-20 4:39 UTC (permalink / raw)
To: openembedded-core; +Cc: Aditya GS, Aditya GS
Upgrade OpenSSL from 3.0.20 to 3.0.21.
This upgrade brings in upstream fixes for multiple CVEs:
- CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
- CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
- CVE-2026-9076: out-of-bounds read in CMS password-based decryption
- CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
- CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
- CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
- CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
- CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
- CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
- CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes
As a result of this upgrade, the following CVEs are already fixed in the
upstream version and no longer require local patches:
- CVE-2024-41996: vulnerability that could lead to denial of service
- CVE-2023-50781: fixes related to certificate validation and memory handling
Upstream changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md
Signed-off-by: Aditya GS <adityags2004@gmail.com>
Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
---
.../openssl/{openssl_3.0.20.bb => openssl_3.0.21.bb} | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
rename meta-core/recipes-connectivity/openssl/{openssl_3.0.20.bb => openssl_3.0.21.bb} (96%)
diff --git a/meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb b/meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb
similarity index 96%
rename from meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb
rename to meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb
index d33874e..fffe303 100644
--- a/meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb
+++ b/meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb
@@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://afalg.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
- file://CVE-2024-41996.patch \
- file://CVE-2023-50781-1.patch \
- file://CVE-2023-50781-2.patch \
- file://CVE-2023-50781-3.patch \
- file://CVE-2023-50781-4.patch \
- file://CVE-2023-50781-5.patch \
- file://CVE-2023-50781-6.patch \
"
SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "c80a01dfc70ece4dc21168932c37739042d404d46ccc81a5986dd75314ecda6f"
+SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--
2.34.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-20 11:30 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-20 4:39 [PATCH] [Kirkstone][meta-lts-collab] openssl: upgrade 3.0.20 -> 3.0.21 Aditya GS
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.