* [Buildroot] [PATCH 1/1] package/libopenssl: security bump to version 3.6.2
@ 2026-04-09 13:17 Bernd Kuhls
2026-04-09 19:26 ` Julien Olivain via buildroot
0 siblings, 1 reply; 2+ messages in thread
From: Bernd Kuhls @ 2026-04-09 13:17 UTC (permalink / raw)
To: buildroot
https://openssl-library.org/post/2026-04-07-release-announcement/
Fixes the following vulnerabilities:
CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE Encapsulation.
CVE-2026-28386 - Out-of-bounds Read in AES-CFB-128 on X86-64 with AVX-512 Support.
CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
CVE-2026-28389 - Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo.
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo.
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.
Removed patch 0004 which is included in this release.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
...ppc.pl-Removed-.localentry-directive.patch | 69 -------------------
package/libopenssl/libopenssl.hash | 4 +-
package/libopenssl/libopenssl.mk | 2 +-
3 files changed, 3 insertions(+), 72 deletions(-)
delete mode 100644 package/libopenssl/0004-aes-gcm-ppc.pl-Removed-.localentry-directive.patch
diff --git a/package/libopenssl/0004-aes-gcm-ppc.pl-Removed-.localentry-directive.patch b/package/libopenssl/0004-aes-gcm-ppc.pl-Removed-.localentry-directive.patch
deleted file mode 100644
index 7c507a2687..0000000000
--- a/package/libopenssl/0004-aes-gcm-ppc.pl-Removed-.localentry-directive.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 5aaa7e5fdc59e88a13d2911cb86d814d4e2669da Mon Sep 17 00:00:00 2001
-From: Danny Tsen <dtsen@us.ibm.com>
-Date: Wed, 28 Jan 2026 07:23:13 -0500
-Subject: [PATCH] aes-gcm-ppc.pl: Removed .localentry directive
-
-Otherwise there is mixing of ELFv1 ABI and ELFv2 ABI directives
-and PPC64 big endian builds fail.
-
-Fixes #29815
-
-Signed-off-by: Danny Tsen <dtsen@us.ibm.com>
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-MergeDate: Tue Feb 3 08:39:50 2026
-(Merged from https://github.com/openssl/openssl/pull/29827)
-
-Upstream: https://github.com/openssl/openssl/commit/5aaa7e5fdc59e88a13d2911cb86d814d4e2669da
-
-Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
----
- crypto/modes/asm/aes-gcm-ppc.pl | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl
-index 68918a9305a2b..fd5dcc22a6117 100644
---- a/crypto/modes/asm/aes-gcm-ppc.pl
-+++ b/crypto/modes/asm/aes-gcm-ppc.pl
-@@ -409,7 +409,6 @@
- ################################################################################
- .align 4
- aes_gcm_crypt_1x:
--.localentry aes_gcm_crypt_1x,0
-
- cmpdi 5, 16
- bge __More_1x
-@@ -492,7 +491,6 @@
- ################################################################################
- .align 4
- __Process_partial:
--.localentry __Process_partial,0
-
- # create partial mask
- vspltisb 16, -1
-@@ -564,7 +562,6 @@
- .global ppc_aes_gcm_encrypt
- .align 5
- ppc_aes_gcm_encrypt:
--.localentry ppc_aes_gcm_encrypt,0
-
- SAVE_REGS
- LOAD_HASH_TABLE
-@@ -752,7 +749,6 @@
- .global ppc_aes_gcm_decrypt
- .align 5
- ppc_aes_gcm_decrypt:
--.localentry ppc_aes_gcm_decrypt, 0
-
- SAVE_REGS
- LOAD_HASH_TABLE
-@@ -1032,7 +1028,6 @@
- .size ppc_aes_gcm_decrypt,.-ppc_aes_gcm_decrypt
-
- aes_gcm_out:
--.localentry aes_gcm_out,0
-
- mr 3, 11 # return count
-
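Review bot: The commit message says patch 0004 "is included in this release" but does not identify the upstream commit, even though the Upstream: line of the deleted file names it (5aaa7e5fdc59e88a13d2911cb86d814d4e2669da, merged from openssl pull 29827). Citing that commit in the commit message would let a reader confirm it is contained in the openssl-3.6.2 tag before the local copy is dropped. Because the removed patch addressed PPC64 big endian build failures, it would also help to state whether a PPC64 big endian configuration was built with 3.6.2.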
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 0e0dbd3926..05777cdac2 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
-# From https://github.com/openssl/openssl/releases/download/openssl-3.6.1/openssl-3.6.1.tar.gz.sha256
-sha256 b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e openssl-3.6.1.tar.gz
+# From https://github.com/openssl/openssl/releases/download/openssl-3.6.2/openssl-3.6.2.tar.gz.sha256
+sha256 aaf51a1fe064384f811daeaeb4ec4dce7340ec8bd893027eee676af31e83a04f openssl-3.6.2.tar.gz
# License files
sha256 7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a LICENSE.txt
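Review bot: The comment on the first line of libopenssl.hash points at a .sha256 file served from the same GitHub release location as the tarball itself, so the recorded hash confirms that the download matches what that location serves but gives no independent check of authenticity. If the tarball was also verified against an upstream detached signature, say so in the comment; if not, consider doing that before recording the hash. The LICENSE.txt hash is unchanged, which is consistent with no license change in this bump.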
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index d580947899..bd4b889c88 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBOPENSSL_VERSION = 3.6.1
+LIBOPENSSL_VERSION = 3.6.2
LIBOPENSSL_SITE = https://github.com/openssl/openssl/releases/download/openssl-$(LIBOPENSSL_VERSION)
LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
LIBOPENSSL_LICENSE = Apache-2.0
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] package/libopenssl: security bump to version 3.6.2
2026-04-09 13:17 [Buildroot] [PATCH 1/1] package/libopenssl: security bump to version 3.6.2 Bernd Kuhls
@ 2026-04-09 19:26 ` Julien Olivain via buildroot
0 siblings, 0 replies; 2+ messages in thread
From: Julien Olivain via buildroot @ 2026-04-09 19:26 UTC (permalink / raw)
To: Bernd Kuhls; +Cc: buildroot
On 09/04/2026 15:17, Bernd Kuhls wrote:
> https://openssl-library.org/post/2026-04-07-release-announcement/
>
> Fixes the following vulnerabilities:
>
> CVE-2026-31790 - Incorrect Failure Handling in RSA KEM RSASVE
> Encapsulation.
> CVE-2026-28386 - Out-of-bounds Read in AES-CFB-128 on X86-64 with
> AVX-512 Support.
> CVE-2026-28387 - Potential Use-after-free in DANE Client Code.
> CVE-2026-28388 - NULL Pointer Dereference When Processing a Delta CRL.
> CVE-2026-28389 - Possible NULL Dereference When Processing CMS
> KeyAgreeRecipientInfo.
> CVE-2026-28390 - Possible NULL Dereference When Processing CMS
> KeyTransportRecipientInfo.
> CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion.
>
> Removed patch 0004 which is included in this release.
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to master, thanks.