Security update. Forward patchset, minor line relocations.
CVEs fixed in 3.5.7:
CVE-2026-45447 — Heap Use-After-Free in the PKCS7_verify() Function
CVE-2026-34182 — CMS AuthEnvelopedData Processing May Accept Forged Messages
CVE-2026-34183 — Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
CVE-2026-42764 — NULL Pointer Dereference in QUIC Server Initial Packet
Handling
CVE-2026-45445 — AES-OCB IV Ignored on EVP_Cipher() Path
CVE-2026-7383 — Possible Heap Buffer Overflow in ASN.1 Multibyte String
Conversion
CVE-2026-9076 — Out-of-Bounds Read in CMS Password-Based Decryption
CVE-2026-34180 — Heap Buffer Over-read in ASN.1 Content Parsing
CVE-2026-34181 — PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
CVE-2026-42766 — Possible NULL Dereference in Password-Based CMS Decryption
CVE-2026-42767 — NULL Pointer Dereference in CRMF EncryptedValue Decryption
CVE-2026-42768 — Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
and PKCS7_decrypt()
CVE-2026-42769 — Trust-Anchor Substitution via cert/issuer Typo in CMP
rootCaKeyUpdate
CVE-2026-42770 — FFC-DH Peer Validation Uses Attacker-Supplied q
CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in AES-GCM-SIV
and AES-SIV modes
Link: https://openssl-library.org/news/openssl-3.5-notes/
Link: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7
Link: https://groups.google.com/a/openssl.org/g/openssl-announce/c/YscHCN2QSi0
Signed-off-by: Alexander Dahl <[email protected]>
---
.../0001-debian-targets.patch | 0
patches/{openssl-3.5.6 => openssl-3.5.7}/0002-pic.patch | 0
...igure-allow-to-enable-ktls-if-target-does-not-st.patch | 8 ++++----
...0004-conf-Serialize-allocation-free-of-ssl_names.patch | 0
patches/{openssl-3.5.6 => openssl-3.5.7}/series | 0
rules/openssl.make | 4 ++--
6 files changed, 6 insertions(+), 6 deletions(-)
rename patches/{openssl-3.5.6 => openssl-3.5.7}/0001-debian-targets.patch
(100%)
rename patches/{openssl-3.5.6 => openssl-3.5.7}/0002-pic.patch (100%)
rename patches/{openssl-3.5.6 =>
openssl-3.5.7}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
(92%)
rename patches/{openssl-3.5.6 =>
openssl-3.5.7}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%)
rename patches/{openssl-3.5.6 => openssl-3.5.7}/series (100%)
diff --git a/patches/openssl-3.5.6/0001-debian-targets.patch
b/patches/openssl-3.5.7/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.5.6/0001-debian-targets.patch
rename to patches/openssl-3.5.7/0001-debian-targets.patch
diff --git a/patches/openssl-3.5.6/0002-pic.patch
b/patches/openssl-3.5.7/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.5.6/0002-pic.patch
rename to patches/openssl-3.5.7/0002-pic.patch
diff --git
a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 92%
rename from
patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to
patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index bf5b10a4e..4ed616e24 100644
---
a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++
b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <[email protected]>
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index cba57b41273f..7fa3eeae412f 100644
+index 692eccbfa1dc..225b1ea7032f 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
-@@ -693,7 +693,7 @@ my %targets = (
+@@ -694,7 +694,7 @@ my %targets = (
shared_target => "linux-shared",
shared_cflag => "-fPIC",
shared_ldflag => sub { $disabled{pinshared} ? () :
"-Wl,-znodelete" },
@@ -41,10 +41,10 @@ index cba57b41273f..7fa3eeae412f 100644
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
diff --git a/Configure b/Configure
-index 499585438a16..98c0bcb92a79 100755
+index 1b020faadb01..e8321ba49219 100755
--- a/Configure
+++ b/Configure
-@@ -1836,7 +1836,7 @@ unless ($disabled{devcryptoeng}) {
+@@ -1841,7 +1841,7 @@ unless ($disabled{devcryptoeng}) {
unless ($disabled{ktls}) {
$config{ktls}="";
my $cc = $config{CROSS_COMPILE}.$config{CC};
diff --git
a/patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch
b/patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from
patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to
patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.5.6/series b/patches/openssl-3.5.7/series
similarity index 100%
rename from patches/openssl-3.5.6/series
rename to patches/openssl-3.5.7/series
diff --git a/rules/openssl.make b/rules/openssl.make
index d50b67658..fb8355dbd 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
#
# Paths and names
#
-OPENSSL_VERSION := 3.5.6
-OPENSSL_SHA256 :=
deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736
+OPENSSL_VERSION := 3.5.7
+OPENSSL_SHA256 :=
a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8
OPENSSL := openssl-$(OPENSSL_VERSION)
OPENSSL_SUFFIX := tar.gz
OPENSSL_URL := \
base-commit: 3d185e7c01807e7a2f58a89fe811ed572d267099
--
2.47.3
