* [Buildroot] [PATCH 2025.02.x] package/openssl: security bump to 3.5.7
From: Waldemar Brodkorb @ 2026-06-18 6:21 UTC
To: buildroot
See here for changes:
https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
This release incorporates the following bug fixes and mitigations:
Fixed heap use-after-free in PKCS7_verify().
(CVE-2026-45447)
Fixed CMS AuthEnvelopedData processing may accept forged messages.
(CVE-2026-34182)
Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
(CVE-2026-34183)
Fixed NULL pointer dereference in QUIC server initial packet handling.
(CVE-2026-42764)
Fixed AES-OCB IV ignored on EVP_Cipher() path.
(CVE-2026-45445)
Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
(CVE-2026-7383)
Fixed out-of-bounds read in CMS password-based decryption.
(CVE-2026-9076)
Fixed heap buffer over-read in ASN.1 content parsing.
(CVE-2026-34180)
Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
(CVE-2026-34181)
Fixed possible NULL dereference in password-based CMS decryption.
(CVE-2026-42766)
Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
(CVE-2026-42767)
Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
and PKCS7_decrypt().
(CVE-2026-42768)
Fixed trust anchor substitution via cert/issuer typo in CMP
rootCaKeyUpdate.
(CVE-2026-42769)
Fixed FFC-DH peer validation uses attacker-supplied q.
(CVE-2026-42770)
Fixed incorrect tag processing for empty messages in AES-GCM-SIV
and AES-SIV modes.
(CVE-2026-45446)
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
---
package/libopenssl/libopenssl.hash | 4 ++--
package/libopenssl/libopenssl.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 781701532d..8a7186d669 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
-# From https://github.com/openssl/openssl/releases/download/openssl-3.5.6/openssl-3.5.6.tar.gz.sha256
-sha256 deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736 openssl-3.5.6.tar.gz
+# From https://github.com/openssl/openssl/releases/download/openssl-3.5.7/openssl-3.5.7.tar.gz.sha256
+sha256 a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8 openssl-3.5.7.tar.gz
# License files
sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt
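Review bot: the comment above the new sha256 line cites a .sha256 file served from the same GitHub release path as the tarball itself, so the pinned hash catches a corrupted download but gives no independent check on the release artifact. If the tarball was also verified against upstream's PGP signature, record that in the comment line next to the "# From ..." URL so the provenance of the hash is clear to the next person bumping it. The unchanged LICENSE.txt hash is consistent with no licence text change between 3.5.6 and 3.5.7.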
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index 837c3f0346..a9e18f96ac 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBOPENSSL_VERSION = 3.5.6
+LIBOPENSSL_VERSION = 3.5.7
LIBOPENSSL_SITE = https://github.com/openssl/openssl/releases/download/openssl-$(LIBOPENSSL_VERSION)
LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
LIBOPENSSL_LICENSE = Apache-2.0
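Review bot: nothing in this patch shows whether patches carried in package/libopenssl still apply to 3.5.7 or have become redundant, since the diffstat touches only the .hash and .mk files and the only change here is the LIBOPENSSL_VERSION line. Please confirm a clean build on the 2025.02.x branch and state it in the commit message. As a style point, the subject prefix reads "package/openssl" while both modified files live under package/libopenssl; using "package/libopenssl:" would match the paths in the diff.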
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 2025.02.x] package/openssl: security bump to 3.5.7
From: Thomas Perale via buildroot @ 2026-06-18 12:49 UTC
To: Waldemar Brodkorb; +Cc: Thomas Perale, buildroot
Hi Waldemar,
Will apply https://lore.kernel.org/r/<20260612-openssl-3-5-7-v1-1-093c128bb691@cherry.de>
with your comment.
Thanks for sending the update.
PERALE Thomas
In reply to:
> See here for changes:
> https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
>
> This release incorporates the following bug fixes and mitigations:
>
> Fixed heap use-after-free in PKCS7_verify().
> (CVE-2026-45447)
>
> Fixed CMS AuthEnvelopedData processing may accept forged messages.
> (CVE-2026-34182)
>
> Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
> (CVE-2026-34183)
>
> Fixed NULL pointer dereference in QUIC server initial packet handling.
> (CVE-2026-42764)
>
> Fixed AES-OCB IV ignored on EVP_Cipher() path.
> (CVE-2026-45445)
>
> Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
> (CVE-2026-7383)
>
> Fixed out-of-bounds read in CMS password-based decryption.
> (CVE-2026-9076)
>
> Fixed heap buffer over-read in ASN.1 content parsing.
> (CVE-2026-34180)
>
> Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
> (CVE-2026-34181)
>
> Fixed possible NULL dereference in password-based CMS decryption.
> (CVE-2026-42766)
>
> Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
> (CVE-2026-42767)
>
> Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
> and PKCS7_decrypt().
> (CVE-2026-42768)
>
> Fixed trust anchor substitution via cert/issuer typo in CMP
> rootCaKeyUpdate.
> (CVE-2026-42769)
>
> Fixed FFC-DH peer validation uses attacker-supplied q.
> (CVE-2026-42770)
>
> Fixed incorrect tag processing for empty messages in AES-GCM-SIV
> and AES-SIV modes.
> (CVE-2026-45446)
>
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> ---
> package/libopenssl/libopenssl.hash | 4 ++--
> package/libopenssl/libopenssl.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
> index 781701532d..8a7186d669 100644
> --- a/package/libopenssl/libopenssl.hash
> +++ b/package/libopenssl/libopenssl.hash
> @@ -1,5 +1,5 @@
> -# From https://github.com/openssl/openssl/releases/download/openssl-3.5.6/openssl-3.5.6.tar.gz.sha256
> -sha256 deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736 openssl-3.5.6.tar.gz
> +# From https://github.com/openssl/openssl/releases/download/openssl-3.5.7/openssl-3.5.7.tar.gz.sha256
> +sha256 a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8 openssl-3.5.7.tar.gz
>
> # License files
> sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index 837c3f0346..a9e18f96ac 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -LIBOPENSSL_VERSION = 3.5.6
> +LIBOPENSSL_VERSION = 3.5.7
> LIBOPENSSL_SITE = https://github.com/openssl/openssl/releases/download/openssl-$(LIBOPENSSL_VERSION)
> LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
> LIBOPENSSL_LICENSE = Apache-2.0
> --
> 2.47.3
>
* Re: [Buildroot] [PATCH 2025.02.x] package/openssl: security bump to 3.5.7
From: Waldemar Brodkorb @ 2026-06-18 12:52 UTC
To: Thomas Perale; +Cc: buildroot
Hi Thomas,
oh, there was already a patch, I missed it.
Thanks for applying the openssl update.
best regards
Waldemar
Thomas Perale wrote,
> Hi Waldemar,
>
> Will apply https://lore.kernel.org/r/<20260612-openssl-3-5-7-v1-1-093c128bb691@cherry.de>
> with your comment.
>
> Thanks for sending the update.
> PERALE Thomas
>
> In reply to:
> > See here for changes:
> > https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
> >
> > This release incorporates the following bug fixes and mitigations:
> >
> > Fixed heap use-after-free in PKCS7_verify().
> > (CVE-2026-45447)
> >
> > Fixed CMS AuthEnvelopedData processing may accept forged messages.
> > (CVE-2026-34182)
> >
> > Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
> > (CVE-2026-34183)
> >
> > Fixed NULL pointer dereference in QUIC server initial packet handling.
> > (CVE-2026-42764)
> >
> > Fixed AES-OCB IV ignored on EVP_Cipher() path.
> > (CVE-2026-45445)
> >
> > Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
> > (CVE-2026-7383)
> >
> > Fixed out-of-bounds read in CMS password-based decryption.
> > (CVE-2026-9076)
> >
> > Fixed heap buffer over-read in ASN.1 content parsing.
> > (CVE-2026-34180)
> >
> > Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
> > (CVE-2026-34181)
> >
> > Fixed possible NULL dereference in password-based CMS decryption.
> > (CVE-2026-42766)
> >
> > Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
> > (CVE-2026-42767)
> >
> > Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
> > and PKCS7_decrypt().
> > (CVE-2026-42768)
> >
> > Fixed trust anchor substitution via cert/issuer typo in CMP
> > rootCaKeyUpdate.
> > (CVE-2026-42769)
> >
> > Fixed FFC-DH peer validation uses attacker-supplied q.
> > (CVE-2026-42770)
> >
> > Fixed incorrect tag processing for empty messages in AES-GCM-SIV
> > and AES-SIV modes.
> > (CVE-2026-45446)
> >
> > Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
>
> > ---
> > package/libopenssl/libopenssl.hash | 4 ++--
> > package/libopenssl/libopenssl.mk | 2 +-
> > 2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
> > index 781701532d..8a7186d669 100644
> > --- a/package/libopenssl/libopenssl.hash
> > +++ b/package/libopenssl/libopenssl.hash
> > @@ -1,5 +1,5 @@
> > -# From https://github.com/openssl/openssl/releases/download/openssl-3.5.6/openssl-3.5.6.tar.gz.sha256
> > -sha256 deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736 openssl-3.5.6.tar.gz
> > +# From https://github.com/openssl/openssl/releases/download/openssl-3.5.7/openssl-3.5.7.tar.gz.sha256
> > +sha256 a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8 openssl-3.5.7.tar.gz
> >
> > # License files
> > sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt
> > diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> > index 837c3f0346..a9e18f96ac 100644
> > --- a/package/libopenssl/libopenssl.mk
> > +++ b/package/libopenssl/libopenssl.mk
> > @@ -4,7 +4,7 @@
> > #
> > ################################################################################
> >
> > -LIBOPENSSL_VERSION = 3.5.6
> > +LIBOPENSSL_VERSION = 3.5.7
> > LIBOPENSSL_SITE = https://github.com/openssl/openssl/releases/download/openssl-$(LIBOPENSSL_VERSION)
> > LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
> > LIBOPENSSL_LICENSE = Apache-2.0
> > --
> > 2.47.3
> >