From: Hongxu Jia <hongxu.jia@windriver.com>
To: "Marko, Peter" <Peter.Marko@siemens.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH 07/19] openssl: upgrade 3.5.5 -> 3.6.1
Date: Tue, 3 Mar 2026 15:10:40 +0800 [thread overview]
Message-ID: <a493f426-aacf-497f-bb51-b7558d700695@windriver.com> (raw)
In-Reply-To: <AS1PR10MB56974F259389E8F040610854FD7FA@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>
On 3/3/26 15:05, Marko, Peter wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> This should not be taken until Wrynose is branched-of.
> We want 3.5.x which is LTS.
OK, according to https://openssl-library.org/source/, 3.5.5 is already
newest in 3.5.x, please drop this patch
//Hongxu
> Also the most relevant release notes for the commit message are those from 3.6.0.
> Patches from 3.6.1 are already in 3.5.5...
>
> Peter
>
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of hongxu via
>> lists.openembedded.org
>> Sent: Tuesday, March 3, 2026 7:56
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core] [PATCH 07/19] openssl: upgrade 3.5.5 -> 3.6.1
>>
>> Release note [1]:
>>
>> OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
>> release is High.
>>
>> This release incorporates the following bug fixes and mitigations:
>>
>> Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
>> (CVE-2025-11187)
>>
>> Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
>> (CVE-2025-15467)
>>
>> Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
>> (CVE-2025-15468)
>>
>> Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
>> (CVE-2025-15469)
>>
>> Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
>> (CVE-2025-66199)
>>
>> Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
>> (CVE-2025-68160)
>>
>> Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
>> function calls.
>> (CVE-2025-69418)
>>
>> Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
>> (CVE-2025-69419)
>>
>> Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
>> function.
>> (CVE-2025-69420)
>>
>> Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
>> (CVE-2025-69421)
>>
>> Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
>> (CVE-2026-22795)
>>
>> Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
>> function.
>> (CVE-2026-22796)
>>
>> Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by
>> restoring its pre-3.6.0 behaviour.
>>
>> Fixed a regression in handling stapled OCSP responses causing handshake
>> failures for OpenSSL 3.6.0 servers with various client implementations.
>>
>> [1] https://github.com/openssl/openssl/releases/tag/openssl-3.6.1
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> ...ke-history-reporting-when-test-fails.patch | 25 ++++++++-----------
>> ...1-Configure-do-not-tweak-mips-cflags.patch | 6 ++---
>> ...sysroot-and-debug-prefix-map-from-co.patch | 7 +++---
>> .../0001-extend-check_cwm-test-timeout.patch | 4 +--
>> .../{openssl_3.5.5.bb => openssl_3.6.1.bb} | 2 +-
>> 5 files changed, 20 insertions(+), 24 deletions(-)
>> rename meta/recipes-connectivity/openssl/{openssl_3.5.5.bb =>
>> openssl_3.6.1.bb} (99%)
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-
>> history-reporting-when-test-fails.patch b/meta/recipes-
>> connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-
>> fails.patch
>> index a74c79303f..5104a3cc00 100644
>> --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-
>> reporting-when-test-fails.patch
>> +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-
>> reporting-when-test-fails.patch
>> @@ -1,4 +1,4 @@
>> -From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
>> +From cda360c014be3c6bfbec23045ae0cb784908cf59 Mon Sep 17 00:00:00 2001
>> From: William Lyu <William.Lyu@windriver.com>
>> Date: Fri, 20 Oct 2023 16:22:37 -0400
>> Subject: [PATCH] Added handshake history reporting when test fails
>> @@ -13,10 +13,10 @@ Signed-off-by: William Lyu <William.Lyu@windriver.com>
>> 3 files changed, 217 insertions(+), 33 deletions(-)
>>
>> diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
>> -index f611b3a..5703b48 100644
>> +index 5e56060..f9bb035 100644
>> --- a/test/helpers/handshake.c
>> +++ b/test/helpers/handshake.c
>> -@@ -25,6 +25,102 @@
>> +@@ -26,6 +26,102 @@
>> #include <netinet/sctp.h>
>> #endif
>>
>> @@ -119,7 +119,7 @@ index f611b3a..5703b48 100644
>> HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
>> {
>> HANDSHAKE_RESULT *ret;
>> -@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL
>> *client,
>> +@@ -828,15 +924,6 @@ static void configure_handshake_ssl(SSL *server, SSL
>> *client,
>> SSL_set_post_handshake_auth(client, 1);
>> }
>>
>> @@ -135,7 +135,7 @@ index f611b3a..5703b48 100644
>> /* An SSL object and associated read-write buffers. */
>> typedef struct peer_st {
>> SSL *ssl;
>> -@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer)
>> +@@ -1181,16 +1268,6 @@ static void do_shutdown_step(PEER *peer)
>> }
>> }
>>
>> @@ -152,7 +152,7 @@ index f611b3a..5703b48 100644
>> static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
>> {
>> switch (test_ctx->handshake_mode) {
>> -@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX
>> *test_ctx, PEER *peer,
>> +@@ -1268,19 +1345,6 @@ static void do_connect_step(const SSL_TEST_CTX
>> *test_ctx, PEER *peer,
>> }
>> }
>>
>> @@ -172,7 +172,7 @@ index f611b3a..5703b48 100644
>> /*
>> * Determine the handshake outcome.
>> * last_status: the status of the peer to have acted last.
>> -@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
>> +@@ -1645,6 +1709,10 @@ static HANDSHAKE_RESULT
>> *do_handshake_internal(
>>
>> start = time(NULL);
>>
>> @@ -183,7 +183,7 @@ index f611b3a..5703b48 100644
>> /*
>> * Half-duplex handshake loop.
>> * Client and server speak to each other synchronously in the same process.
>> -@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
>> +@@ -1666,6 +1734,10 @@ static HANDSHAKE_RESULT
>> *do_handshake_internal(
>> 0 /* server went last */);
>> }
>>
>> @@ -195,7 +195,7 @@ index f611b3a..5703b48 100644
>> case HANDSHAKE_SUCCESS:
>> client_turn_count = 0;
>> diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
>> -index 78b03f9..b9967c2 100644
>> +index 7cf654f..b4459d7 100644
>> --- a/test/helpers/handshake.h
>> +++ b/test/helpers/handshake.h
>> @@ -1,5 +1,5 @@
>> @@ -300,7 +300,7 @@ index 78b03f9..b9967c2 100644
>> +
>> #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
>> diff --git a/test/ssl_test.c b/test/ssl_test.c
>> -index ea60851..9d6b093 100644
>> +index 27b4415..64a13c0 100644
>> --- a/test/ssl_test.c
>> +++ b/test/ssl_test.c
>> @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
>> @@ -360,7 +360,4 @@ index ea60851..9d6b093 100644
>> +
>> return ret;
>> }
>> -
>> ---
>> -2.25.1
>> -
>> +
>> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-
>> tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-
>> Configure-do-not-tweak-mips-cflags.patch
>> index cf5ff356ee..d1526cb69a 100644
>> --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-
>> cflags.patch
>> +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
>> mips-cflags.patch
>> @@ -1,4 +1,4 @@
>> -From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
>> +From 8db9b88edbfbf40d56f330110efdc5cade6f183e Mon Sep 17 00:00:00 2001
>> From: Alexander Kanavin <alex@linutronix.de>
>> Date: Tue, 30 May 2023 09:11:27 -0700
>> Subject: [PATCH] Configure: do not tweak mips cflags
>> @@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <tim.orling@konsulko.com>
>> 1 file changed, 10 deletions(-)
>>
>> diff --git a/Configure b/Configure
>> -index fff97bd..5ee54c1 100755
>> +index 6cc03bf..2bcb075 100755
>> --- a/Configure
>> +++ b/Configure
>> -@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
>> 2>&1` =~ m/-mno-cygwin/m)
>> +@@ -1573,16 +1573,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
>> 2>&1` =~ m/-mno-cygwin/m)
>> push @{$config{shared_ldflag}}, "-mno-cygwin";
>> }
>>
>> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-
>> and-debug-prefix-map-from-co.patch b/meta/recipes-
>> connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-
>> from-co.patch
>> index dadc034c91..f70b14ab84 100644
>> --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-
>> debug-prefix-map-from-co.patch
>> +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-
>> debug-prefix-map-from-co.patch
>> @@ -1,4 +1,4 @@
>> -From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
>> +From 31f71d1f2def3def2b44ec905cc9bcc7d8d2b454 Mon Sep 17 00:00:00 2001
>> From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
>> Date: Tue, 6 Nov 2018 14:50:47 +0100
>> Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
>> @@ -28,14 +28,13 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com>
>> Update to fix buildpaths qa issue for '-ffile-prefix-map'.
>>
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> -
>> ---
>> Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
>> crypto/build.info | 2 +-
>> 2 files changed, 16 insertions(+), 2 deletions(-)
>>
>> diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
>> -index 09303c4..011bda1 100644
>> +index 71b069e..ad82899 100644
>> --- a/Configurations/unix-Makefile.tmpl
>> +++ b/Configurations/unix-Makefile.tmpl
>> @@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
>> @@ -68,7 +67,7 @@ index 09303c4..011bda1 100644
>>
>> # For x86 assembler: Set PROCESSOR to 386 if you want to support
>> diff --git a/crypto/build.info b/crypto/build.info
>> -index aee5c46..95c9577 100644
>> +index 872684c..96d37c6 100644
>> --- a/crypto/build.info
>> +++ b/crypto/build.info
>> @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
>> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-
>> test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-
>> check_cwm-test-timeout.patch
>> index f6eb28069a..6bf768cf94 100644
>> --- a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-
>> timeout.patch
>> +++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-
>> timeout.patch
>> @@ -1,4 +1,4 @@
>> -From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001
>> +From 1f2bfacaefde4fbf6020946333df45cdd84bfac8 Mon Sep 17 00:00:00 2001
>> From: Gyorgy Sarvari <skandigraun@gmail.com>
>> Date: Thu, 23 Oct 2025 11:24:36 +0200
>> Subject: [PATCH] extend check_cwm test timeout
>> @@ -15,7 +15,7 @@ Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/test/radix/main.c b/test/radix/main.c
>> -index 4a1e886a71..39f8c61ef9 100644
>> +index 0f3dc11..d925639 100644
>> --- a/test/radix/main.c
>> +++ b/test/radix/main.c
>> @@ -25,6 +25,11 @@ static int test_script(int idx)
>> diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-
>> connectivity/openssl/openssl_3.6.1.bb
>> similarity index 99%
>> rename from meta/recipes-connectivity/openssl/openssl_3.5.5.bb
>> rename to meta/recipes-connectivity/openssl/openssl_3.6.1.bb
>> index 7799647415..849bfe0874 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_3.6.1.bb
>> @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
>> file://environment.d-openssl.sh \
>> "
>>
>> -SRC_URI[sha256sum] =
>> "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89"
>> +SRC_URI[sha256sum] =
>> "b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e"
>>
>> inherit lib_package multilib_header multilib_script ptest perlnative manpages
>> MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
>> --
>> 2.34.1
next prev parent reply other threads:[~2026-03-03 7:10 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-03 6:56 [PATCH 01/19] btrfs-tools: upgrade 6.17.1 -> 6.19 Hongxu Jia
2026-03-03 6:56 ` [PATCH 02/19] ncurses: upgrade 6.5 -> 6.6 Hongxu Jia
2026-03-04 8:00 ` [OE-core] " Mathieu Dubois-Briand
2026-03-04 8:03 ` Hongxu Jia
[not found] ` <189994AF67AC963D.971272@lists.openembedded.org>
2026-03-04 10:26 ` Hongxu Jia
2026-03-03 6:56 ` [PATCH 03/19] connman: upgrade 1.45 -> 2.0 Hongxu Jia
2026-03-03 6:56 ` [PATCH 04/19] ell: upgrade 0.81 -> 0.82 Hongxu Jia
2026-03-03 6:56 ` [PATCH 05/19] font-alias: upgrade 1.0.5 -> 1.0.6 Hongxu Jia
2026-03-03 6:56 ` [PATCH 06/19] gn: upgrade to latest revision Hongxu Jia
2026-03-03 7:16 ` Patchtest results for " patchtest
2026-03-03 6:56 ` [PATCH 07/19] openssl: upgrade 3.5.5 -> 3.6.1 Hongxu Jia
2026-03-03 7:05 ` [OE-core] " Marko, Peter
2026-03-03 7:10 ` Hongxu Jia [this message]
2026-03-03 6:56 ` [PATCH 08/19] python3-cryptography{-vectors}: 46.0.4 -> 46.0.5 Hongxu Jia
2026-03-03 7:16 ` Patchtest results for " patchtest
2026-03-03 6:56 ` [PATCH 09/19] python3-hypothesis: upgrade 6.151.4 -> 6.151.9 Hongxu Jia
2026-03-03 6:56 ` [PATCH 10/19] python3-markdown: upgrade 3.10.1 -> 3.10.2 Hongxu Jia
2026-03-03 6:56 ` [PATCH 11/19] python3-pip: upgrade 26.0 -> 26.0.1 Hongxu Jia
2026-03-03 6:56 ` [PATCH 12/19] python3-pycparser: upgrade 2.23 -> 3.0 Hongxu Jia
2026-03-03 7:16 ` Patchtest results for " patchtest
2026-03-03 6:56 ` [PATCH 13/19] python3-pyproject-metadata: upgrade 0.10.0 -> 0.11.0 Hongxu Jia
2026-03-03 6:56 ` [PATCH 14/19] python3-setuptools: upgrade 80.9.0 -> 82.0.0 Hongxu Jia
2026-03-03 19:11 ` [OE-core] " Mathieu Dubois-Briand
2026-03-04 2:27 ` Hongxu Jia
[not found] ` <1899825EC78E920E.971272@lists.openembedded.org>
2026-03-04 3:37 ` Hongxu Jia
2026-03-03 6:56 ` [PATCH 15/19] python3-testtools: upgrade 2.8.2 -> 2.8.3 Hongxu Jia
2026-03-03 7:16 ` Patchtest results for " patchtest
2026-03-03 6:56 ` [PATCH 16/19] python3-trove-classifiers: upgrade 2025.12.1.14 -> 2026.1.14.14 Hongxu Jia
2026-03-03 6:56 ` [PATCH 17/19] python3-uv-build: upgrade 0.9.28 -> 0.10.4 Hongxu Jia
2026-03-03 6:56 ` [PATCH 18/19] python3-xmltodict: upgrade 1.0.2 -> 1.0.3 Hongxu Jia
2026-03-03 6:56 ` [PATCH 19/19] xauth: upgrade 1.1.4 -> 1.1.5 Hongxu Jia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a493f426-aacf-497f-bb51-b7558d700695@windriver.com \
--to=hongxu.jia@windriver.com \
--cc=Peter.Marko@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox