Thanks, applied as 84f2395da708981aa88759fd9585edbc814b8ac9. Michael
[sent from post-receive hook] On Thu, 25 Jun 2026 21:23:27 +0200, Alexander Dahl <[email protected]> wrote: > Security update. Forward patchset, minor line relocations. > > CVEs fixed in 3.5.7: > > CVE-2026-45447 — Heap Use-After-Free in the PKCS7_verify() Function > CVE-2026-34182 — CMS AuthEnvelopedData Processing May Accept Forged > Messages > CVE-2026-34183 — Unbounded Memory Growth in the QUIC PATH_CHALLENGE > Handler > CVE-2026-42764 — NULL Pointer Dereference in QUIC Server Initial Packet > Handling > CVE-2026-45445 — AES-OCB IV Ignored on EVP_Cipher() Path > CVE-2026-7383 — Possible Heap Buffer Overflow in ASN.1 Multibyte String > Conversion > CVE-2026-9076 — Out-of-Bounds Read in CMS Password-Based Decryption > CVE-2026-34180 — Heap Buffer Over-read in ASN.1 Content Parsing > CVE-2026-34181 — PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC > Keys > CVE-2026-42766 — Possible NULL Dereference in Password-Based CMS > Decryption > CVE-2026-42767 — NULL Pointer Dereference in CRMF EncryptedValue > Decryption > CVE-2026-42768 — Multi-RecipientInfo Bleichenbacher Oracle in > CMS_decrypt() and PKCS7_decrypt() > CVE-2026-42769 — Trust-Anchor Substitution via cert/issuer Typo in CMP > rootCaKeyUpdate > CVE-2026-42770 — FFC-DH Peer Validation Uses Attacker-Supplied q > CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in > AES-GCM-SIV and AES-SIV modes > > Link: https://openssl-library.org/news/openssl-3.5-notes/ > Link: https://github.com/openssl/openssl/releases/tag/openssl-3.5.7 > Link: https://groups.google.com/a/openssl.org/g/openssl-announce/c/YscHCN2QSi0 > Signed-off-by: Alexander Dahl <[email protected]> > Message-Id: <[email protected]> > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git a/patches/openssl-3.5.6/0001-debian-targets.patch > b/patches/openssl-3.5.7/0001-debian-targets.patch > similarity index 100% > rename from patches/openssl-3.5.6/0001-debian-targets.patch > rename to patches/openssl-3.5.7/0001-debian-targets.patch > diff --git a/patches/openssl-3.5.6/0002-pic.patch > b/patches/openssl-3.5.7/0002-pic.patch > similarity index 100% > rename from patches/openssl-3.5.6/0002-pic.patch > rename to patches/openssl-3.5.7/0002-pic.patch > diff --git > a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > > b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > similarity index 92% > rename from > patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > rename to > patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > index bf5b10a4e60f..4ed616e24d02 100644 > --- > a/patches/openssl-3.5.6/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > +++ > b/patches/openssl-3.5.7/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch > @@ -28,10 +28,10 @@ Signed-off-by: Michael Olbrich <[email protected]> > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf > -index cba57b41273f..7fa3eeae412f 100644 > +index 692eccbfa1dc..225b1ea7032f 100644 > --- a/Configurations/10-main.conf > +++ b/Configurations/10-main.conf > -@@ -693,7 +693,7 @@ my %targets = ( > +@@ -694,7 +694,7 @@ my %targets = ( > shared_target => "linux-shared", > shared_cflag => "-fPIC", > shared_ldflag => sub { $disabled{pinshared} ? () : > "-Wl,-znodelete" }, > @@ -41,10 +41,10 @@ index cba57b41273f..7fa3eeae412f 100644 > "linux-latomic" => { > inherit_from => [ "linux-generic32" ], > diff --git a/Configure b/Configure > -index 499585438a16..98c0bcb92a79 100755 > +index 1b020faadb01..e8321ba49219 100755 > --- a/Configure > +++ b/Configure > -@@ -1836,7 +1836,7 @@ unless ($disabled{devcryptoeng}) { > +@@ -1841,7 +1841,7 @@ unless ($disabled{devcryptoeng}) { > unless ($disabled{ktls}) { > $config{ktls}=""; > my $cc = $config{CROSS_COMPILE}.$config{CC}; > diff --git > a/patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch > > b/patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch > similarity index 100% > rename from > patches/openssl-3.5.6/0004-conf-Serialize-allocation-free-of-ssl_names.patch > rename to > patches/openssl-3.5.7/0004-conf-Serialize-allocation-free-of-ssl_names.patch > diff --git a/patches/openssl-3.5.6/series b/patches/openssl-3.5.7/series > similarity index 100% > rename from patches/openssl-3.5.6/series > rename to patches/openssl-3.5.7/series > diff --git a/rules/openssl.make b/rules/openssl.make > index d50b67658907..fb8355dbd363 100644 > --- a/rules/openssl.make > +++ b/rules/openssl.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl > # > # Paths and names > # > -OPENSSL_VERSION := 3.5.6 > -OPENSSL_SHA256 := > deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736 > +OPENSSL_VERSION := 3.5.7 > +OPENSSL_SHA256 := > a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8 > OPENSSL := openssl-$(OPENSSL_VERSION) > OPENSSL_SUFFIX := tar.gz > OPENSSL_URL := \
