On Mon Jun 15, 2026 at 10:33 AM CEST, Aditya GS via lists.openembedded.org wrote: > Upgrade OpenSSL from 3.0.19 to 3.0.21.
Hello, This does not match versions from supported branches. What are you targeting? Regards, > > This upgrade brings in upstream fixes for multiple CVEs: > > - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify() > - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string > - CVE-2026-9076: out-of-bounds read in CMS password-based decryption > - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing > - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling > - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path > - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages > - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption > - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q > - CVE-2026-45446: incorrect tag processing for empty messages in > AES-GCM-SIV and AES-SIV modes > - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation > - CVE-2026-28387: potential use-after-free in DANE client code > - CVE-2026-28388: NULL pointer dereference when processing a delta CRL > - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo > - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo > - CVE-2026-31789: heap buffer overflow in hexadecimal conversion > > As a result of this upgrade, the following CVEs are already fixed in the > upstream version and no longer require local patches: > > - CVE-2024-41996: vulnerability that could lead to denial of service > - CVE-2023-50781: fixes related to certificate validation and memory > handling > > Upstream changelog: > https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md > > Signed-off-by: Aditya GS <[email protected]> > Signed-off-by: Aditya GS <[email protected]> > --- > .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb} | 9 +-------- > 1 file changed, 1 insertion(+), 8 deletions(-) > rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => > openssl_3.0.21.bb} (95%) > > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb > b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb > similarity index 95% > rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb > rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb > index 293b450cd0..2531305cda 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb > @@ -12,20 +12,13 @@ SRC_URI = > "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op > > file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ > file://afalg.patch \ > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > - file://CVE-2024-41996.patch \ > - file://CVE-2023-50781-1.patch \ > - file://CVE-2023-50781-2.patch \ > - file://CVE-2023-50781-3.patch \ > - file://CVE-2023-50781-4.patch \ > - file://CVE-2023-50781-5.patch \ > - file://CVE-2023-50781-6.patch \ > " > > SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = > "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072" > +SRC_URI[sha256sum] = > "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f" > > inherit lib_package multilib_header multilib_script ptest perlnative > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238826): https://lists.openembedded.org/g/openembedded-core/message/238826 Mute This Topic: https://lists.openembedded.org/mt/119812547/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
