(openoffice) branch trunk updated: Bump bundled OpenSSL 3.0.13 -> 3.0.20

jim Tue, 09 Jun 2026 04:05:20 -0700

This is an automated email from the ASF dual-hosted git repository.

jimjag pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/openoffice.git



The following commit(s) were added to refs/heads/trunk by this push:
     new fe01e9b8e4 Bump bundled OpenSSL 3.0.13 -> 3.0.20
     new 286601bfa3 Merge branch 'bump-openssl-3.0.20' into trunk
fe01e9b8e4 is described below

commit fe01e9b8e4fe07cd2fb0e05a5c77b67a96523269
Author: Jim Jagielski <[email protected]>
AuthorDate: Tue Jun 9 06:58:57 2026 -0400

    Bump bundled OpenSSL 3.0.13 -> 3.0.20
    
    Updates the bundled OpenSSL to the latest 3.0 LTS patch release, pulling
    in all security fixes between 3.0.13 and 3.0.20. Stays within the 3.0 LTS
    line for lowest regression risk (no API/ABI changes).
    
    Note: the 3.0 LTS branch reaches end-of-life on 2026-09-07; a follow-up
    move to a newer LTS (e.g. 3.5) should be planned separately.
    
    Changes:
    - external_deps.lst: new tarball name, MD5, and download URL
      (MD5 fabdcf86f3f54e27689253f85b738959, verified against upstream tarball).
    - openssl/makefile.mk: OPENSSL_NAME and TARFILE_MD5.
    - openssl/openssl.patch: rebased the Windows compatibility guards
      (_WIN32_WINNT version checks in init.c / threads_win.c and the
      IPPROTO_IPV6 fallback in bio_sock2.c) onto 3.0.20 sources; context had
      shifted so the original hunks no longer applied.
    - openssl/opensslunx.patch: bumped the embedded version path to 3.0.20.
    
    Verified: declared MD5 matches the upstream tarball, and both the Unix
    (opensslunx.patch) and Windows (openssl.patch) patch sets apply cleanly
    to the 3.0.20 source tree via the build's "cd misc && patch -p2" step.
    Platform compile/link/runtime still to be confirmed by CI.
    
    Co-Authored-By: Claude Opus 4.8 <[email protected]>
---
 main/external_deps.lst        |  6 +++---
 main/openssl/makefile.mk      |  4 ++--
 main/openssl/openssl.patch    | 48 +++++++++++++++++++------------------------
 main/openssl/opensslunx.patch |  4 ++--
 4 files changed, 28 insertions(+), 34 deletions(-)

diff --git a/main/external_deps.lst b/main/external_deps.lst
index c33a6a0aae..32c8fbae89 100644
--- a/main/external_deps.lst
+++ b/main/external_deps.lst
@@ -151,9 +151,9 @@ if (SOLAR_JAVA==TRUE)
     URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
 
 if (SYSTEM_OPENSSL!=YES)
-    MD5 = c15e53a62711002901d3515ac8b30b86
-    name = openssl-3.0.13.tar.gz
-    URL1 = https://www.openssl.org/source/$(name)
+    MD5 = fabdcf86f3f54e27689253f85b738959
+    name = openssl-3.0.20.tar.gz
+    URL1 = 
https://github.com/openssl/openssl/releases/download/openssl-3.0.20/$(name)
     URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
 
 # On Windows, we need Strawberry Perl to build OpenSSL 3:
diff --git a/main/openssl/makefile.mk b/main/openssl/makefile.mk
index a5662eabea..789c2a7424 100644
--- a/main/openssl/makefile.mk
+++ b/main/openssl/makefile.mk
@@ -38,10 +38,10 @@ TARGET=openssl
 .ENDIF
 
 
-OPENSSL_NAME=openssl-3.0.13
+OPENSSL_NAME=openssl-3.0.20
 
 TARFILE_NAME=$(OPENSSL_NAME)
-TARFILE_MD5=c15e53a62711002901d3515ac8b30b86
+TARFILE_MD5=fabdcf86f3f54e27689253f85b738959
 
 CONFIGURE_DIR=.
 CONFIGURE_ACTION=config
diff --git a/main/openssl/openssl.patch b/main/openssl/openssl.patch
index c837f1e919..985899516c 100644
--- a/main/openssl/openssl.patch
+++ b/main/openssl/openssl.patch
@@ -1,8 +1,6 @@
-diff --git misc/build/openssl-3.0.13/crypto/bio/bio_sock2.c 
misc/build/openssl-3.0.13/crypto/bio/bio_sock2.c
-index 8bdad0c0b6..e52cd4f00e 100644
---- misc/build/openssl-3.0.13/crypto/bio/bio_sock2.c
-+++ misc/build/openssl-3.0.13/crypto/bio/bio_sock2.c
-@@ -270,6 +270,10 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int 
options)
+--- misc/build/openssl-3.0.20/crypto/bio/bio_sock2.c
++++ misc/build/openssl-3.0.20/crypto/bio/bio_sock2.c
+@@ -268,6 +268,10 @@
           * Therefore we always have to use setsockopt here.
           */
          on = options & BIO_SOCK_V6_ONLY ? 1 : 0;
@@ -11,40 +9,36 @@ index 8bdad0c0b6..e52cd4f00e 100644
 +#    define IPPROTO_IPV6 41
 +#  endif
          if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
-                        (const void *)&on, sizeof(on)) != 0) {
-             ERR_raise_data(ERR_LIB_SYS, get_last_socket_error(),
-diff --git misc/build/openssl-3.0.13/crypto/init.c 
misc/build/openssl-3.0.13/crypto/init.c
-index cacf637c89..0728c0a20d 100644
---- misc/build/openssl-3.0.13/crypto/init.c
-+++ misc/build/openssl-3.0.13/crypto/init.c
-@@ -131,7 +131,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
- 
+                 (const void *)&on, sizeof(on))
+             != 0) {
+--- misc/build/openssl-3.0.20/crypto/init.c
++++ misc/build/openssl-3.0.20/crypto/init.c
+@@ -133,7 +133,7 @@
+
  #if !defined(OPENSSL_USE_NODELETE) \
      && !defined(OPENSSL_NO_PINSHARED)
--# if defined(DSO_WIN32) && !defined(_WIN32_WCE)
-+# if defined(DSO_WIN32) && !defined(_WIN32_WCE) && _WIN32_WINNT >= 0x0500
+-#if defined(DSO_WIN32) && !defined(_WIN32_WCE)
++#if defined(DSO_WIN32) && !defined(_WIN32_WCE) && _WIN32_WINNT >= 0x0500
      {
          HMODULE handle = NULL;
          BOOL ret;
-@@ -659,7 +659,7 @@ int OPENSSL_atexit(void (*handler)(void))
- #if !defined(OPENSSL_USE_NODELETE)\
+@@ -656,7 +656,7 @@
+ #if !defined(OPENSSL_USE_NODELETE) \
      && !defined(OPENSSL_NO_PINSHARED)
      {
--# if defined(DSO_WIN32) && !defined(_WIN32_WCE)
-+# if defined(DSO_WIN32) && !defined(_WIN32_WCE) && _WIN32_WINNT >= 0x0500
+-#if defined(DSO_WIN32) && !defined(_WIN32_WCE)
++#if defined(DSO_WIN32) && !defined(_WIN32_WCE) && _WIN32_WINNT >= 0x0500
          HMODULE handle = NULL;
          BOOL ret;
          union {
-diff --git misc/build/openssl-3.0.13/crypto/threads_win.c 
misc/build/openssl-3.0.13/crypto/threads_win.c
-index dbeda74d73..c599e88c59 100644
---- misc/build/openssl-3.0.13/crypto/threads_win.c
-+++ misc/build/openssl-3.0.13/crypto/threads_win.c
-@@ -54,7 +54,7 @@ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
+--- misc/build/openssl-3.0.20/crypto/threads_win.c
++++ misc/build/openssl-3.0.20/crypto/threads_win.c
+@@ -54,7 +54,7 @@
          return NULL;
      }
- 
--#  if !defined(_WIN32_WCE)
-+#  if !defined(_WIN32_WCE) && _WIN32_WINNT >= 0x0403
+
+-#if !defined(_WIN32_WCE)
++#if !defined(_WIN32_WCE) && _WIN32_WINNT >= 0x0403
      /* 0x400 is the spin count value suggested in the documentation */
      if (!InitializeCriticalSectionAndSpinCount(lock, 0x400)) {
          OPENSSL_free(lock);
diff --git a/main/openssl/opensslunx.patch b/main/openssl/opensslunx.patch
index 5ceac19471..84829be5e9 100644
--- a/main/openssl/opensslunx.patch
+++ b/main/openssl/opensslunx.patch
@@ -1,5 +1,5 @@
---- misc/build/openssl-3.0.13/Configurations/00-base-templates.conf    
2024-04-14 20:51:59.953276000 +0200
-+++ misc/build/openssl-3.0.13/Configurations/00-base-templates.conf    
2024-04-15 04:41:41.558374000 +0200
+--- misc/build/openssl-3.0.20/Configurations/00-base-templates.conf    
2024-04-14 20:51:59.953276000 +0200
++++ misc/build/openssl-3.0.20/Configurations/00-base-templates.conf    
2024-04-15 04:41:41.558374000 +0200
 @@ -67,9 +67,13 @@
  
          AR              => "ar",

(openoffice) branch trunk updated: Bump bundled OpenSSL 3.0.13 -> 3.0.20

Reply via email to