Openembedded Core Discussions
 help / color / mirror / Atom feed
From: Aditya GS <adityags2004@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Nisha.M.Parrakat@bmw.de, Suresh.HA@bmwtechworks.in,
	AshishKumar.Mishra@bmwtechworks.in, Nikhil.R@bmwtechworks.in,
	Aditya GS <adityags2004@gmail.com>,
	Aditya GS <aditya.gs@bmwtechworks.in>
Subject: [PATCH] openssl: upgrade 3.0.19 -> 3.0.21
Date: Mon, 15 Jun 2026 14:03:17 +0530	[thread overview]
Message-ID: <20260615083317.2657-1-adityags2004@gmail.com> (raw)

Upgrade OpenSSL from 3.0.19 to 3.0.21.

This upgrade brings in upstream fixes for multiple CVEs:

  - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
  - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
  - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
  - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
  - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
  - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
  - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
  - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
  - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
  - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes
  - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation
  - CVE-2026-28387: potential use-after-free in DANE client code
  - CVE-2026-28388: NULL pointer dereference when processing a delta CRL
  - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo
  - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo
  - CVE-2026-31789: heap buffer overflow in hexadecimal conversion

As a result of this upgrade, the following CVEs are already fixed in the
upstream version and no longer require local patches:

  - CVE-2024-41996: vulnerability that could lead to denial of service
  - CVE-2023-50781: fixes related to certificate validation and memory handling

Upstream changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md

Signed-off-by: Aditya GS <adityags2004@gmail.com>
Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
---
 .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb}     | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} (95%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
similarity index 95%
rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
index 293b450cd0..2531305cda 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
@@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2024-41996.patch \
-           file://CVE-2023-50781-1.patch \
-           file://CVE-2023-50781-2.patch \
-           file://CVE-2023-50781-3.patch \
-           file://CVE-2023-50781-4.patch \
-           file://CVE-2023-50781-5.patch \
-           file://CVE-2023-50781-6.patch \
           "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
+SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.34.1



             reply	other threads:[~2026-06-15  8:56 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-15  8:33 Aditya GS [this message]
2026-06-15  9:01 ` [OE-core] [PATCH] openssl: upgrade 3.0.19 -> 3.0.21 Yoann Congal
2026-06-15  9:15   ` Aditya GS

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260615083317.2657-1-adityags2004@gmail.com \
    --to=adityags2004@gmail.com \
    --cc=AshishKumar.Mishra@bmwtechworks.in \
    --cc=Nikhil.R@bmwtechworks.in \
    --cc=Nisha.M.Parrakat@bmw.de \
    --cc=Suresh.HA@bmwtechworks.in \
    --cc=aditya.gs@bmwtechworks.in \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox