Hi,

Thanks for the review. This patch is not targeted for any upstream 
OpenEmbedded/OE-Core supported branch. It is intended for an internal BSP layer 
(meta-collab) where we are required to upgrade OpenSSL from 3.0.19 to 3.0.21 to 
address the upstream CVEs fixed in the 3.0.20 and 3.0.21 security patch 
releases. Since this is for an internal layer and not for OE-Core, you may 
ignore this submission.

Regards,
Aditya

________________________________
From: Yoann Congal <[email protected]>
Sent: Monday, June 15, 2026 2:31 PM
To: [email protected] <[email protected]>; 
[email protected] 
<[email protected]>
Cc: Parrakat Nisha, JD-8 <[email protected]>; Suresh H A 
<[email protected]>; AshishKumar Mishra 
<[email protected]>; Nikhil R <[email protected]>; 
Aditya GS <[email protected]>
Subject: Re: [OE-core] [PATCH] openssl: upgrade 3.0.19 -> 3.0.21


On Mon Jun 15, 2026 at 10:33 AM CEST, Aditya GS via lists.openembedded.org 
wrote:
> Upgrade OpenSSL from 3.0.19 to 3.0.21.

Hello,

This does not match versions from supported branches. What are you
targeting?

Regards,

>
> This upgrade brings in upstream fixes for multiple CVEs:
>
>   - CVE-2026-45447 (High): heap use-after-free in PKCS7_verify()
>   - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string
>   - CVE-2026-9076: out-of-bounds read in CMS password-based decryption
>   - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing
>   - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling
>   - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path
>   - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages
>   - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption
>   - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q
>   - CVE-2026-45446: incorrect tag processing for empty messages in 
> AES-GCM-SIV and AES-SIV modes
>   - CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation
>   - CVE-2026-28387: potential use-after-free in DANE client code
>   - CVE-2026-28388: NULL pointer dereference when processing a delta CRL
>   - CVE-2026-28389: NULL dereference in CMS KeyAgreeRecipientInfo
>   - CVE-2026-28390: NULL dereference in CMS KeyTransportRecipientInfo
>   - CVE-2026-31789: heap buffer overflow in hexadecimal conversion
>
> As a result of this upgrade, the following CVEs are already fixed in the
> upstream version and no longer require local patches:
>
>   - CVE-2024-41996: vulnerability that could lead to denial of service
>   - CVE-2023-50781: fixes related to certificate validation and memory 
> handling
>
> Upstream changelog:
> https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md
>
> Signed-off-by: Aditya GS <[email protected]>
> ---
>  .../openssl/{openssl_3.0.19.bb => openssl_3.0.21.bb}     | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.0.19.bb => 
> openssl_3.0.21.bb} (95%)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb 
> b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> similarity index 95%
> rename from meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> rename to meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> index 293b450cd0..2531305cda 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.0.19.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.0.21.bb
> @@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
>             
> file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
>             file://afalg.patch \
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
> -           file://CVE-2024-41996.patch \
> -           file://CVE-2023-50781-1.patch \
> -           file://CVE-2023-50781-2.patch \
> -           file://CVE-2023-50781-3.patch \
> -           file://CVE-2023-50781-4.patch \
> -           file://CVE-2023-50781-5.patch \
> -           file://CVE-2023-50781-6.patch \
>            "
>
>  SRC_URI:append:class-nativesdk = " \
>             file://environment.d-openssl.sh \
>             "
>
> -SRC_URI[sha256sum] = 
> "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072"
> +SRC_URI[sha256sum] = 
> "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f"
>
>  inherit lib_package multilib_header multilib_script ptest perlnative
>  MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
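Review bot: the seven local CVE patches (file://CVE-2024-41996.patch and file://CVE-2023-50781-1.patch through -6.patch) are removed on the strength of the commit message's "already fixed in the upstream version", but nothing in the hunk ties each dropped patch to the upstream commit or 3.0.20/3.0.21 change entry that supersedes it; please add those references to the commit message so the drop can be verified rather than taken on trust. The replacement SRC_URI[sha256sum] ("617e29af8e42...") should likewise be stated to have been checked against the checksum and signature published with the openssl-3.0.21 release, not only recomputed from a downloaded tarball, since the checksum is the only integrity anchor the recipe has for the new source.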


--
Yoann Congal
Smile ECS
