On 3/3/26 15:05, Marko, Peter wrote:

This should not be taken until Wrynose is branched off.
We want 3.5.x which is LTS.

OK, according to https://openssl-library.org/source/, 3.5.5 is already the newest in 3.5.x, please drop this patch

//Hongxu

Also the most relevant release notes for the commit message are those from 
3.6.0.
Patches from 3.6.1 are already in 3.5.5...

Peter

-----Original Message-----
From: [email protected] <openembedded-
[email protected]> On Behalf Of hongxu via
lists.openembedded.org
Sent: Tuesday, March 3, 2026 7:56
To: [email protected]
Subject: [OE-core] [PATCH 07/19] openssl: upgrade 3.5.5 -> 3.6.1

Release note [1]:

OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

     Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
     (CVE-2025-11187)

     Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
     (CVE-2025-15467)

     Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
     (CVE-2025-15468)

     Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
     (CVE-2025-15469)

     Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
     (CVE-2025-66199)

     Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
     (CVE-2025-68160)

     Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
     function calls.
     (CVE-2025-69418)

     Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
     (CVE-2025-69419)

     Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
     function.
     (CVE-2025-69420)

     Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
     (CVE-2025-69421)

     Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
     (CVE-2026-22795)

     Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
     function.
     (CVE-2026-22796)

     Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by
     restoring its pre-3.6.0 behaviour.

     Fixed a regression in handling stapled OCSP responses causing handshake
     failures for OpenSSL 3.6.0 servers with various client implementations.

[1] https://github.com/openssl/openssl/releases/tag/openssl-3.6.1

Signed-off-by: Hongxu Jia <[email protected]>
---
  ...ke-history-reporting-when-test-fails.patch | 25 ++++++++-----------
  ...1-Configure-do-not-tweak-mips-cflags.patch |  6 ++---
  ...sysroot-and-debug-prefix-map-from-co.patch |  7 +++---
  .../0001-extend-check_cwm-test-timeout.patch  |  4 +--
  .../{openssl_3.5.5.bb => openssl_3.6.1.bb}    |  2 +-
  5 files changed, 20 insertions(+), 24 deletions(-)
  rename meta/recipes-connectivity/openssl/{openssl_3.5.5.bb =>
openssl_3.6.1.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-
history-reporting-when-test-fails.patch b/meta/recipes-
connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-
fails.patch
index a74c79303f..5104a3cc00 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-
reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-
reporting-when-test-fails.patch
@@ -1,4 +1,4 @@
-From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
+From cda360c014be3c6bfbec23045ae0cb784908cf59 Mon Sep 17 00:00:00 2001
  From: William Lyu <[email protected]>
  Date: Fri, 20 Oct 2023 16:22:37 -0400
  Subject: [PATCH] Added handshake history reporting when test fails
@@ -13,10 +13,10 @@ Signed-off-by: William Lyu <[email protected]>
   3 files changed, 217 insertions(+), 33 deletions(-)

  diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
-index f611b3a..5703b48 100644
+index 5e56060..f9bb035 100644
  --- a/test/helpers/handshake.c
  +++ b/test/helpers/handshake.c
-@@ -25,6 +25,102 @@
+@@ -26,6 +26,102 @@
   #include <netinet/sctp.h>
   #endif

@@ -119,7 +119,7 @@ index f611b3a..5703b48 100644
   HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
   {
       HANDSHAKE_RESULT *ret;
-@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL
*client,
+@@ -828,15 +924,6 @@ static void configure_handshake_ssl(SSL *server, SSL
*client,
           SSL_set_post_handshake_auth(client, 1);
   }

@@ -135,7 +135,7 @@ index f611b3a..5703b48 100644
   /* An SSL object and associated read-write buffers. */
   typedef struct peer_st {
       SSL *ssl;
-@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer)
+@@ -1181,16 +1268,6 @@ static void do_shutdown_step(PEER *peer)
       }
   }

@@ -152,7 +152,7 @@ index f611b3a..5703b48 100644
   static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
   {
       switch (test_ctx->handshake_mode) {
-@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX
*test_ctx, PEER *peer,
+@@ -1268,19 +1345,6 @@ static void do_connect_step(const SSL_TEST_CTX
*test_ctx, PEER *peer,
       }
   }

@@ -172,7 +172,7 @@ index f611b3a..5703b48 100644
   /*
    * Determine the handshake outcome.
    * last_status: the status of the peer to have acted last.
-@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1645,6 +1709,10 @@ static HANDSHAKE_RESULT
*do_handshake_internal(

       start = time(NULL);

@@ -183,7 +183,7 @@ index f611b3a..5703b48 100644
       /*
        * Half-duplex handshake loop.
        * Client and server speak to each other synchronously in the same 
process.
-@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1666,6 +1734,10 @@ static HANDSHAKE_RESULT
*do_handshake_internal(
                   0 /* server went last */);
           }

@@ -195,7 +195,7 @@ index f611b3a..5703b48 100644
           case HANDSHAKE_SUCCESS:
               client_turn_count = 0;
  diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
-index 78b03f9..b9967c2 100644
+index 7cf654f..b4459d7 100644
  --- a/test/helpers/handshake.h
  +++ b/test/helpers/handshake.h
  @@ -1,5 +1,5 @@
@@ -300,7 +300,7 @@ index 78b03f9..b9967c2 100644
  +
   #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
  diff --git a/test/ssl_test.c b/test/ssl_test.c
-index ea60851..9d6b093 100644
+index 27b4415..64a13c0 100644
  --- a/test/ssl_test.c
  +++ b/test/ssl_test.c
  @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
@@ -360,7 +360,4 @@ index ea60851..9d6b093 100644
  +
       return ret;
   }
-
---
-2.25.1
-
+
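Review bot: The last hunk of this refreshed patch file (`@@ -360,7 +360,4 @@`) drops the `--` / `2.25.1` git trailer and leaves an added blank line as the end of the file, which looks like a by-product of how the patch was regenerated rather than an intended change. The other carried patches in this diff show no edits at their ends, so either keep the trailer here or end the file at the closing `}` context line, keeping the refresh limited to the hash, index and offset updates seen in the earlier hunks.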
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-
tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-
Configure-do-not-tweak-mips-cflags.patch
index cf5ff356ee..d1526cb69a 100644
--- 
a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-
cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-
mips-cflags.patch
@@ -1,4 +1,4 @@
-From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
+From 8db9b88edbfbf40d56f330110efdc5cade6f183e Mon Sep 17 00:00:00 2001
  From: Alexander Kanavin <[email protected]>
  Date: Tue, 30 May 2023 09:11:27 -0700
  Subject: [PATCH] Configure: do not tweak mips cflags
@@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <[email protected]>
   1 file changed, 10 deletions(-)

  diff --git a/Configure b/Configure
-index fff97bd..5ee54c1 100755
+index 6cc03bf..2bcb075 100755
  --- a/Configure
  +++ b/Configure
-@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
2>&1` =~ m/-mno-cygwin/m)
+@@ -1573,16 +1573,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help
2>&1` =~ m/-mno-cygwin/m)
           push @{$config{shared_ldflag}}, "-mno-cygwin";
           }

diff --git 
a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-
and-debug-prefix-map-from-co.patch b/meta/recipes-
connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-
from-co.patch
index dadc034c91..f70b14ab84 100644
--- 
a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-
debug-prefix-map-from-co.patch
+++ 
b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-
debug-prefix-map-from-co.patch
@@ -1,4 +1,4 @@
-From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
+From 31f71d1f2def3def2b44ec905cc9bcc7d8d2b454 Mon Sep 17 00:00:00 2001
  From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <[email protected]>
  Date: Tue, 6 Nov 2018 14:50:47 +0100
  Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
@@ -28,14 +28,13 @@ Signed-off-by: Kai Kang <[email protected]>
  Update to fix buildpaths qa issue for '-ffile-prefix-map'.

  Signed-off-by: Khem Raj <[email protected]>
-
  ---
   Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
   crypto/build.info                 |  2 +-
   2 files changed, 16 insertions(+), 2 deletions(-)

  diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
-index 09303c4..011bda1 100644
+index 71b069e..ad82899 100644
  --- a/Configurations/unix-Makefile.tmpl
  +++ b/Configurations/unix-Makefile.tmpl
  @@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
@@ -68,7 +67,7 @@ index 09303c4..011bda1 100644

   # For x86 assembler: Set PROCESSOR to 386 if you want to support
  diff --git a/crypto/build.info b/crypto/build.info
-index aee5c46..95c9577 100644
+index 872684c..96d37c6 100644
  --- a/crypto/build.info
  +++ b/crypto/build.info
  @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-
test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-
check_cwm-test-timeout.patch
index f6eb28069a..6bf768cf94 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-
timeout.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-
timeout.patch
@@ -1,4 +1,4 @@
-From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001
+From 1f2bfacaefde4fbf6020946333df45cdd84bfac8 Mon Sep 17 00:00:00 2001
  From: Gyorgy Sarvari <[email protected]>
  Date: Thu, 23 Oct 2025 11:24:36 +0200
  Subject: [PATCH] extend check_cwm test timeout
@@ -15,7 +15,7 @@ Signed-off-by: Gyorgy Sarvari <[email protected]>
   1 file changed, 5 insertions(+)

  diff --git a/test/radix/main.c b/test/radix/main.c
-index 4a1e886a71..39f8c61ef9 100644
+index 0f3dc11..d925639 100644
  --- a/test/radix/main.c
  +++ b/test/radix/main.c
  @@ -25,6 +25,11 @@ static int test_script(int idx)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb b/meta/recipes-
connectivity/openssl/openssl_3.6.1.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.5.5.bb
rename to meta/recipes-connectivity/openssl/openssl_3.6.1.bb
index 7799647415..849bfe0874 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.5.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.6.1.bb
@@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
             file://environment.d-openssl.sh \
             "

-SRC_URI[sha256sum] =
"b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89"
+SRC_URI[sha256sum] =
"b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e"

  inherit lib_package multilib_header multilib_script ptest perlnative manpages
  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
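Review bot: The new `SRC_URI[sha256sum]` value is the only thing pinning the 3.6.1 tarball, and neither this hunk nor the commit message says where it was taken from; please state that it was checked against the checksum published with the upstream release referenced as [1], so it can be cross-checked independently. Because this one-line change also moves the recipe from the 3.5 series to the 3.6 series, the commit message should cover what changed in 3.6.0 as well, not only the 3.6.1 notes.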
--
2.34.1

