This should not be taken until Wrynose is branched off. We want 3.5.x which is LTS.
Also the most relevant release notes for the commit message are those from 3.6.0. Patches from 3.6.1 are already in 3.5.5...

Peter

> -----Original Message-----
> From: [email protected] <openembedded-[email protected]> On Behalf Of hongxu via lists.openembedded.org
> Sent: Tuesday, March 3, 2026 7:56
> To: [email protected]
> Subject: [OE-core] [PATCH 07/19] openssl: upgrade 3.5.5 -> 3.6.1
>
> Release note [1]:
>
> OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
> release is High.
>
> This release incorporates the following bug fixes and mitigations:
>
> Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
> (CVE-2025-11187)
>
> Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
> (CVE-2025-15467)
>
> Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
> (CVE-2025-15468)
>
> Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
> (CVE-2025-15469)
>
> Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
> (CVE-2025-66199)
>
> Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
> (CVE-2025-68160)
>
> Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
> function calls.
> (CVE-2025-69418)
>
> Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
> (CVE-2025-69419)
>
> Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
> (CVE-2025-69420)
>
> Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
> (CVE-2025-69421)
>
> Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
> (CVE-2026-22795)
>
> Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
> function.
> (CVE-2026-22796)
>
> Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by
> restoring its pre-3.6.0 behaviour.
>
> Fixed a regression in handling stapled OCSP responses causing handshake
> failures for OpenSSL 3.6.0 servers with various client implementations.
>
> [1] https://github.com/openssl/openssl/releases/tag/openssl-3.6.1
> > Signed-off-by: Hongxu Jia <[email protected]> > --- > ...ke-history-reporting-when-test-fails.patch | 25 ++++++++----------- > ...1-Configure-do-not-tweak-mips-cflags.patch | 6 ++--- > ...sysroot-and-debug-prefix-map-from-co.patch | 7 +++--- > .../0001-extend-check_cwm-test-timeout.patch | 4 +-- > .../{openssl_3.5.5.bb => openssl_3.6.1.bb} | 2 +- > 5 files changed, 20 insertions(+), 24 deletions(-) > rename meta/recipes-connectivity/openssl/{openssl_3.5.5.bb => > openssl_3.6.1.bb} (99%) > > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake- > history-reporting-when-test-fails.patch b/meta/recipes- > connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test- > fails.patch > index a74c79303f..5104a3cc00 100644 > --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history- > reporting-when-test-fails.patch > +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history- > reporting-when-test-fails.patch > @@ -1,4 +1,4 @@ > -From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001 > +From cda360c014be3c6bfbec23045ae0cb784908cf59 Mon Sep 17 00:00:00 2001 > From: William Lyu <[email protected]> > Date: Fri, 20 Oct 2023 16:22:37 -0400 > Subject: [PATCH] Added handshake history reporting when test fails > @@ -13,10 +13,10 @@ Signed-off-by: William Lyu <[email protected]> > 3 files changed, 217 insertions(+), 33 deletions(-) > > diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c > -index f611b3a..5703b48 100644 > +index 5e56060..f9bb035 100644 > --- a/test/helpers/handshake.c > +++ b/test/helpers/handshake.c > -@@ -25,6 +25,102 @@ > +@@ -26,6 +26,102 @@ > #include <netinet/sctp.h> > #endif 
> > @@ -119,7 +119,7 @@ index f611b3a..5703b48 100644 > HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) > { > HANDSHAKE_RESULT *ret; > -@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL > *client, > +@@ -828,15 +924,6 @@ static void configure_handshake_ssl(SSL *server, SSL > *client, > SSL_set_post_handshake_auth(client, 1); > } > > @@ -135,7 +135,7 @@ index f611b3a..5703b48 100644 > /* An SSL object and associated read-write buffers. */ > typedef struct peer_st { > SSL *ssl; > -@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer) > +@@ -1181,16 +1268,6 @@ static void do_shutdown_step(PEER *peer) > } > } > > @@ -152,7 +152,7 @@ index f611b3a..5703b48 100644 > static int renegotiate_op(const SSL_TEST_CTX *test_ctx) > { > switch (test_ctx->handshake_mode) { > -@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX > *test_ctx, PEER *peer, > +@@ -1268,19 +1345,6 @@ static void do_connect_step(const SSL_TEST_CTX > *test_ctx, PEER *peer, > } > } > > @@ -172,7 +172,7 @@ index f611b3a..5703b48 100644 > /* > * Determine the handshake outcome. > * last_status: the status of the peer to have acted last. > -@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( > +@@ -1645,6 +1709,10 @@ static HANDSHAKE_RESULT > *do_handshake_internal( > > start = time(NULL); > > @@ -183,7 +183,7 @@ index f611b3a..5703b48 100644 > /* > * Half-duplex handshake loop. > * Client and server speak to each other synchronously in the same > process. > -@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( > +@@ -1666,6 +1734,10 @@ static HANDSHAKE_RESULT > *do_handshake_internal( > 0 /* server went last */); > } > > @@ -195,7 +195,7 @@ index f611b3a..5703b48 100644 > case HANDSHAKE_SUCCESS: > client_turn_count = 0; > diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h > -index 78b03f9..b9967c2 100644 > +index 7cf654f..b4459d7 100644 > --- a/test/helpers/handshake.h > +++ b/test/helpers/handshake.h 
> @@ -1,5 +1,5 @@ > @@ -300,7 +300,7 @@ index 78b03f9..b9967c2 100644 > + > #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ > diff --git a/test/ssl_test.c b/test/ssl_test.c > -index ea60851..9d6b093 100644 > +index 27b4415..64a13c0 100644 > --- a/test/ssl_test.c > +++ b/test/ssl_test.c > @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL; > @@ -360,7 +360,4 @@ index ea60851..9d6b093 100644 > + > return ret; > } > - > --- > -2.25.1 > - > + > diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not- > tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001- > Configure-do-not-tweak-mips-cflags.patch > index cf5ff356ee..d1526cb69a 100644 > --- > a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips- > cflags.patch > +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak- > mips-cflags.patch > @@ -1,4 +1,4 @@ > -From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001 > +From 8db9b88edbfbf40d56f330110efdc5cade6f183e Mon Sep 17 00:00:00 2001 > From: Alexander Kanavin <[email protected]> > Date: Tue, 30 May 2023 09:11:27 -0700 > Subject: [PATCH] Configure: do not tweak mips cflags > @@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <[email protected]> > 1 file changed, 10 deletions(-) > > diff --git a/Configure b/Configure > -index fff97bd..5ee54c1 100755 > +index 6cc03bf..2bcb075 100755 > --- a/Configure > +++ b/Configure > -@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help > 2>&1` =~ m/-mno-cygwin/m) > +@@ -1573,16 +1573,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help > 2>&1` =~ m/-mno-cygwin/m) > push @{$config{shared_ldflag}}, "-mno-cygwin"; > } 
> > diff --git > a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot- > and-debug-prefix-map-from-co.patch b/meta/recipes- > connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map- > from-co.patch > index dadc034c91..f70b14ab84 100644 > --- > a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and- > debug-prefix-map-from-co.patch > +++ > b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and- > debug-prefix-map-from-co.patch > @@ -1,4 +1,4 @@ > -From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001 > +From 31f71d1f2def3def2b44ec905cc9bcc7d8d2b454 Mon Sep 17 00:00:00 2001 > From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <[email protected]> > Date: Tue, 6 Nov 2018 14:50:47 +0100 > Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler > @@ -28,14 +28,13 @@ Signed-off-by: Kai Kang <[email protected]> > Update to fix buildpaths qa issue for '-ffile-prefix-map'. > > Signed-off-by: Khem Raj <[email protected]> > - > --- > Configurations/unix-Makefile.tmpl | 16 +++++++++++++++- > crypto/build.info | 2 +- > 2 files changed, 16 insertions(+), 2 deletions(-) > > diff --git a/Configurations/unix-Makefile.tmpl > b/Configurations/unix-Makefile.tmpl > -index 09303c4..011bda1 100644 > +index 71b069e..ad82899 100644 > --- a/Configurations/unix-Makefile.tmpl > +++ b/Configurations/unix-Makefile.tmpl > @@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), > @@ -68,7 +67,7 @@ index 09303c4..011bda1 100644 > > # For x86 assembler: Set PROCESSOR to 386 if you want to support > diff --git a/crypto/build.info b/crypto/build.info > -index aee5c46..95c9577 100644 > +index 872684c..96d37c6 100644 > --- a/crypto/build.info > +++ b/crypto/build.info > @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF 
> diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm- > test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend- > check_cwm-test-timeout.patch > index f6eb28069a..6bf768cf94 100644 > --- a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test- > timeout.patch > +++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test- > timeout.patch > @@ -1,4 +1,4 @@ > -From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001 > +From 1f2bfacaefde4fbf6020946333df45cdd84bfac8 Mon Sep 17 00:00:00 2001 > From: Gyorgy Sarvari <[email protected]> > Date: Thu, 23 Oct 2025 11:24:36 +0200 > Subject: [PATCH] extend check_cwm test timeout > @@ -15,7 +15,7 @@ Signed-off-by: Gyorgy Sarvari <[email protected]> > 1 file changed, 5 insertions(+) > > diff --git a/test/radix/main.c b/test/radix/main.c > -index 4a1e886a71..39f8c61ef9 100644 > +index 0f3dc11..d925639 100644 > --- a/test/radix/main.c > +++ b/test/radix/main.c > @@ -25,6 +25,11 @@ static int test_script(int idx) > diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb > b/meta/recipes- > connectivity/openssl/openssl_3.6.1.bb > similarity index 99% > rename from meta/recipes-connectivity/openssl/openssl_3.5.5.bb > rename to meta/recipes-connectivity/openssl/openssl_3.6.1.bb > index 7799647415..849bfe0874 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.6.1.bb > @@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = > "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89" > +SRC_URI[sha256sum] = > "b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e" > > inherit lib_package multilib_header multilib_script ptest perlnative manpages > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > -- > 2.34.1
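Review bot: The refreshed patch files carry cosmetic changes that the commit message does not mention: the last hunk of 0001-Added-handshake-history-reporting-when-test-fails.patch (@@ -360,7 +360,4 @@) drops the trailing "--" / "2.25.1" git signature, and 0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch (@@ -28,14 +28,13 @@) loses the blank line before "---". Everything else visible in the four patch files is a new From hash, new index lines and shifted hunk offsets. Please add a line to the commit message stating that the patches were refreshed against 3.6.1 with no functional change, so the 20 insertions and 24 deletions in the diffstat are accounted for.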
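Review bot: The commit message does not cover what the openssl_3.5.5.bb -> openssl_3.6.1.bb rename hunk actually brings in. Its only content change is SRC_URI[sha256sum], and the message quotes the 3.6.1 release note alone, although moving from 3.5.5 to 3.6.1 also takes in everything introduced by the 3.6.0 feature release. Please summarise the 3.6.0 changes in the message, say why leaving the 3.5.x series is wanted, and note how the new sha256sum was checked against the upstream release artefact.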
View/Reply Online (#232258): https://lists.openembedded.org/g/openembedded-core/message/232258
