Openembedded Core Discussions
* [PATCH] openssl: upgrade 3.0.19 -> 3.0.21
@ 2026-06-15  8:33 Aditya GS
  2026-06-15  9:01 ` [OE-core] " Yoann Congal
  0 siblings, 1 reply; 3+ messages in thread
From: Aditya GS @ 2026-06-15  8:33 UTC (permalink / raw)
  To: openembedded-core
  Cc: Nisha.M.Parrakat, Suresh.HA, AshishKumar.Mishra, Nikhil.R,
	Aditya GS, Aditya GS

Upgrade OpenSSL from 3.0.19 to 3.0.21.

This upgrade brings in upstream fixes for multiple CVEs:

  - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
  - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
  - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
  - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
  - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
  - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
  - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
  - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
  - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
  - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes
  - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation
  - CVE-2026-28387: potential use-after-free in DANE client code
  - CVE-2026-28388: NULL pointer dereference when processing a delta CRL
  - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo
  - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo
  - CVE-2026-31789: heap buffer overflow in hexadecimal conversion

As a result of this upgrade, the following CVEs are already fixed in the
upstream version and no longer require local patches:

  - CVE-2024-41996: vulnerability that could lead to denial of service
  - CVE-2023-50781: fixes related to certificate validation and memory handling

Upstream changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md

Signed-off-by: Aditya GS <adityags2004@gmail.com>
Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
---
 .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb}     | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} (95%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
similarity index 95%
rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
index 293b450cd0..2531305cda 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
@@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2024-41996.patch \
-           file://CVE-2023-50781-1.patch \
-           file://CVE-2023-50781-2.patch \
-           file://CVE-2023-50781-3.patch \
-           file://CVE-2023-50781-4.patch \
-           file://CVE-2023-50781-5.patch \
-           file://CVE-2023-50781-6.patch \
           "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
+SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
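Review bot: the diffstat above reports only the recipe rename (1 file changed), yet this hunk drops seven `file://` entries (`CVE-2024-41996.patch` and `CVE-2023-50781-1.patch` through `CVE-2023-50781-6.patch`) from SRC_URI, so the corresponding patch files in the recipe's files directory are left behind as dead files in the layer; delete them in the same commit. The commit message should also name the upstream commits or NEWS.md entries that supersede each dropped backport, so the claim that they are "already fixed in the upstream version" can be checked rather than taken on trust, and state that the new `SRC_URI[sha256sum]` was compared against the checksum published with the upstream 3.0.21 release tarball rather than computed from whatever was downloaded.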
-- 
2.34.1




* Re: [OE-core] [PATCH] openssl: upgrade 3.0.19 -> 3.0.21
  2026-06-15  8:33 [PATCH] openssl: upgrade 3.0.19 -> 3.0.21 Aditya GS
@ 2026-06-15  9:01 ` Yoann Congal
  2026-06-15  9:15   ` Aditya GS
  0 siblings, 1 reply; 3+ messages in thread
From: Yoann Congal @ 2026-06-15  9:01 UTC (permalink / raw)
  To: adityags2004, openembedded-core
  Cc: Nisha.M.Parrakat, Suresh.HA, AshishKumar.Mishra, Nikhil.R,
	Aditya GS

On Mon Jun 15, 2026 at 10:33 AM CEST, Aditya GS via lists.openembedded.org wrote:
> Upgrade OpenSSL from 3.0.19 to 3.0.21.

Hello,

This does not match versions from supported branches. What are you
targeting?

Regards,

>
> This upgrade brings in upstream fixes for multiple CVEs:
>
>   - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
>   - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
>   - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
>   - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
>   - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
>   - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
>   - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
>   - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
>   - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
>   - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes
>   - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation
>   - CVE-2026-28387: potential use-after-free in DANE client code
>   - CVE-2026-28388: NULL pointer dereference when processing a delta CRL
>   - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo
>   - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo
>   - CVE-2026-31789: heap buffer overflow in hexadecimal conversion
>
> As a result of this upgrade, the following CVEs are already fixed in the
> upstream version and no longer require local patches:
>
>   - CVE-2024-41996: vulnerability that could lead to denial of service
>   - CVE-2023-50781: fixes related to certificate validation and memory handling
>
> Upstream changelog:
> https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md
>
> Signed-off-by: Aditya GS <adityags2004@gmail.com>
> Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
> ---
>  .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb}     | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} (95%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> similarity index 95%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> index 293b450cd0..2531305cda 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> @@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
>             file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://afalg.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -           file://CVE-2024-41996.patch \
> -           file://CVE-2023-50781-1.patch \
> -           file://CVE-2023-50781-2.patch \
> -           file://CVE-2023-50781-3.patch \
> -           file://CVE-2023-50781-4.patch \
> -           file://CVE-2023-50781-5.patch \
> -           file://CVE-2023-50781-6.patch \
>            "
>  
>  SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>  
> -SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
> +SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
>  
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"


-- 
Yoann Congal
Smile ECS




* Re: [OE-core] [PATCH] openssl: upgrade 3.0.19 -> 3.0.21
  2026-06-15  9:01 ` [OE-core] " Yoann Congal
@ 2026-06-15  9:15   ` Aditya GS
  0 siblings, 0 replies; 3+ messages in thread
From: Aditya GS @ 2026-06-15  9:15 UTC (permalink / raw)
  To: Yoann Congal, adityags2004@gmail.com,
	openembedded-core@lists.openembedded.org
  Cc: Parrakat Nisha, JD-8, Suresh H A, AshishKumar Mishra, Nikhil R


Hi,

Thanks for the review. This patch is not targeted for any upstream OpenEmbedded/OE-Core supported branch. It is intended for an internal BSP layer (meta-collab) where we are required to upgrade OpenSSL from 3.0.19 to 3.0.21 to address the upstream CVEs fixed in the 3.0.20 and 3.0.21 security patch releases. Since this is for an internal layer and not for OE-Core, you may ignore this submission.

Regards,
Aditya

________________________________
From: Yoann Congal <yoann.congal@smile.fr>
Sent: Monday, June 15, 2026 2:31 PM
To: adityags2004@gmail.com <adityags2004@gmail.com>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Cc: Parrakat Nisha, JD-8 <Nisha.M.Parrakat@bmw.de>; Suresh H A <Suresh.HA@bmwtechworks.in>; AshishKumar Mishra <AshishKumar.Mishra@bmwtechworks.in>; Nikhil R <Nikhil.R@bmwtechworks.in>; Aditya GS <Aditya.GS@bmwtechworks.in>
Subject: Re: [OE-core] [PATCH] openssl: upgrade 3.0.19 -> 3.0.21

On Mon Jun 15, 2026 at 10:33 AM CEST, Aditya GS via lists.openembedded.org wrote:
> Upgrade OpenSSL from 3.0.19 to 3.0.21.

Hello,

This does not match versions from supported branches. What are you
targeting?

Regards,

>
> This upgrade brings in upstream fixes for multiple CVEs:
>
>   - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
>   - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
>   - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
>   - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
>   - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
>   - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
>   - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
>   - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
>   - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
>   - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes
>   - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation
>   - CVE-2026-28387: potential use-after-free in DANE client code
>   - CVE-2026-28388: NULL pointer dereference when processing a delta CRL
>   - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo
>   - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo
>   - CVE-2026-31789: heap buffer overflow in hexadecimal conversion
>
> As a result of this upgrade, the following CVEs are already fixed in the
> upstream version and no longer require local patches:
>
>   - CVE-2024-41996: vulnerability that could lead to denial of service
>   - CVE-2023-50781: fixes related to certificate validation and memory handling
>
> Upstream changelog:
> https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md
>
> Signed-off-by: Aditya GS <adityags2004@gmail.com>
> Signed-off-by: Aditya GS <aditya.gs@bmwtechworks.in>
> ---
>  .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb}     | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} (95%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> similarity index 95%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> index 293b450cd0..2531305cda 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> @@ -12,20 +12,13 @@ SRC_URI = "https://ind01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Freleases%2Fdownload%2Fopenssl-%24&data=05%7C02%7Caditya.gs%40bmwtechworks.in%7C4ca06f174ecd41274bcc08decabcb7fc%7C970fa6fd10314cc68c56488f3c61cd05%7C0%7C0%7C639171109068834034%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=N8JHLKbuTSv%2F2FuSQciRUuAZP7%2FIxJtz3EpFCvW%2BtJU%3D&reserved=0{PV}/op
>             file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://afalg.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -           file://CVE-2024-41996.patch \
> -           file://CVE-2023-50781-1.patch \
> -           file://CVE-2023-50781-2.patch \
> -           file://CVE-2023-50781-3.patch \
> -           file://CVE-2023-50781-4.patch \
> -           file://CVE-2023-50781-5.patch \
> -           file://CVE-2023-50781-6.patch \
>            "
>
>  SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] = "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
> +SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"


--
Yoann Congal
Smile ECS



