Upgrade OpenSSL from 3.0.20 to 3.0.21. This upgrade brings in upstream fixes for multiple CVEs:
- CVE-2026-45447 (High): heap use-after-free in PKCS7_verify() - CVE-2026-7383: heap buffer overflow in ASN.1 multibyte string - CVE-2026-9076: out-of-bounds read in CMS password-based decryption - CVE-2026-34180: heap buffer over-read in ASN.1 content parsing - CVE-2026-42764: NULL pointer dereference in QUIC server packet handling - CVE-2026-45445: AES-OCB IV ignored on EVP_Cipher() path - CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages - CVE-2026-42766: NULL pointer dereference in password-based CMS decryption - CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q - CVE-2026-45446: incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes As a result of this upgrade, the following CVEs are already fixed in the upstream version and no longer require local patches: - CVE-2024-41996: vulnerability that could lead to denial of service - CVE-2023-50781: fixes related to certificate validation and memory handling Upstream changelog: https://github.com/openssl/openssl/blob/openssl-3.0.21/NEWS.md Signed-off-by: Aditya GS <[email protected]> Signed-off-by: Aditya GS <[email protected]> --- .../openssl/{openssl_3.0.20.bb => openssl_3.0.21.bb} | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) rename meta-core/recipes-connectivity/openssl/{openssl_3.0.20.bb => openssl_3.0.21.bb} (96%) diff --git a/meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb b/meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb similarity index 96% rename from meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb rename to meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb index d33874e..fffe303 100644 --- a/meta-core/recipes-connectivity/openssl/openssl_3.0.20.bb +++ b/meta-core/recipes-connectivity/openssl/openssl_3.0.21.bb @@ -12,20 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ - file://CVE-2024-41996.patch \ - file://CVE-2023-50781-1.patch \ - file://CVE-2023-50781-2.patch \ - file://CVE-2023-50781-3.patch \ - file://CVE-2023-50781-4.patch \ - file://CVE-2023-50781-5.patch \ - file://CVE-2023-50781-6.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "c80a01dfc70ece4dc21168932c37739042d404d46ccc81a5986dd75314ecda6f" +SRC_URI[sha256sum] = "617e29af8e421f46649484a4937e48c685e47f46488167c982f88bc4ec1d522f" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239206): https://lists.openembedded.org/g/openembedded-core/message/239206 Mute This Topic: https://lists.openembedded.org/mt/119896665/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
