openssl: Update to version 3.6.1
Commit Message
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- 12 CVE fixes
- Changelog
3.6.1
OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
([CVE-2025-15468])
* Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB.
([CVE-2025-15469])
* Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation.
([CVE-2025-66199])
* Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
([CVE-2025-68160])
* Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
function calls.
([CVE-2025-69418])
* Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
([CVE-2025-69419])
* Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()`
function.
([CVE-2025-69420])
* Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
([CVE-2025-69421])
* Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
([CVE-2026-22795])
* Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
function.
([CVE-2026-22796])
* Fixed a regression in `X509_V_FLAG_CRL_CHECK_ALL` flag handling by
restoring its pre-3.6.0 behaviour.
* Fixed a regression in handling stapled OCSP responses causing handshake
failures for OpenSSL 3.6.0 servers with various client implementations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/openssl | 15 +++++++++++++++
lfs/openssl | 6 +++---
2 files changed, 18 insertions(+), 3 deletions(-)
@@ -297,6 +297,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/BIO_s_socket.html
#usr/share/doc/openssl/html/man3/BIO_sendmmsg.html
#usr/share/doc/openssl/html/man3/BIO_set_callback.html
+#usr/share/doc/openssl/html/man3/BIO_set_flags.html
#usr/share/doc/openssl/html/man3/BIO_should_retry.html
#usr/share/doc/openssl/html/man3/BIO_socket_wait.html
#usr/share/doc/openssl/html/man3/BN_BLINDING_new.html
@@ -323,6 +324,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/CMAC_CTX.html
#usr/share/doc/openssl/html/man3/CMS_EncryptedData_decrypt.html
#usr/share/doc/openssl/html/man3/CMS_EncryptedData_encrypt.html
+#usr/share/doc/openssl/html/man3/CMS_EncryptedData_set1_key.html
#usr/share/doc/openssl/html/man3/CMS_EnvelopedData_create.html
#usr/share/doc/openssl/html/man3/CMS_add0_cert.html
#usr/share/doc/openssl/html/man3/CMS_add1_recipient_cert.html
@@ -404,6 +406,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/ERR_set_mark.html
#usr/share/doc/openssl/html/man3/EVP_ASYM_CIPHER_free.html
#usr/share/doc/openssl/html/man3/EVP_BytesToKey.html
+#usr/share/doc/openssl/html/man3/EVP_CIPHER_CTX_get_app_data.html
#usr/share/doc/openssl/html/man3/EVP_CIPHER_CTX_get_cipher_data.html
#usr/share/doc/openssl/html/man3/EVP_CIPHER_CTX_get_original_iv.html
#usr/share/doc/openssl/html/man3/EVP_CIPHER_meth_new.html
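Review bot: the added `EVP_CIPHER_CTX_get_app_data.html` entry in this hunk has no matching `usr/share/man/man3/EVP_CIPHER_CTX_get_app_data.3ossl` line anywhere in the patch, whereas the other three new html pages (`BIO_set_flags`, `CMS_EncryptedData_set1_key`, `OPENSSL_ppccap`) each gain a `.3ossl` counterpart. If that man page entry is already in the rootfile from an earlier release, nothing needs to change. Otherwise please regenerate the rootfile from the build log and add it, commented out like its neighbours, so the listing stays complete.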
@@ -523,6 +526,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/OPENSSL_load_builtin_modules.html
#usr/share/doc/openssl/html/man3/OPENSSL_load_u16_le.html
#usr/share/doc/openssl/html/man3/OPENSSL_malloc.html
+#usr/share/doc/openssl/html/man3/OPENSSL_ppccap.html
#usr/share/doc/openssl/html/man3/OPENSSL_riscvcap.html
#usr/share/doc/openssl/html/man3/OPENSSL_s390xcap.html
#usr/share/doc/openssl/html/man3/OPENSSL_secure_malloc.html
@@ -1397,6 +1401,8 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/BIO_callback_ctrl.3ossl
#usr/share/man/man3/BIO_callback_fn.3ossl
#usr/share/man/man3/BIO_callback_fn_ex.3ossl
+#usr/share/man/man3/BIO_clear_flags.3ossl
+#usr/share/man/man3/BIO_clear_retry_flags.3ossl
#usr/share/man/man3/BIO_closesocket.3ossl
#usr/share/man/man3/BIO_connect.3ossl
#usr/share/man/man3/BIO_ctrl.3ossl
@@ -1470,6 +1476,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/BIO_get_ex_data.3ossl
#usr/share/man/man3/BIO_get_ex_new_index.3ossl
#usr/share/man/man3/BIO_get_fd.3ossl
+#usr/share/man/man3/BIO_get_flags.3ossl
#usr/share/man/man3/BIO_get_fp.3ossl
#usr/share/man/man3/BIO_get_indent.3ossl
#usr/share/man/man3/BIO_get_info_callback.3ossl
@@ -1487,6 +1494,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/BIO_get_peer_port.3ossl
#usr/share/man/man3/BIO_get_read_request.3ossl
#usr/share/man/man3/BIO_get_retry_BIO.3ossl
+#usr/share/man/man3/BIO_get_retry_flags.3ossl
#usr/share/man/man3/BIO_get_retry_reason.3ossl
#usr/share/man/man3/BIO_get_rpoll_descriptor.3ossl
#usr/share/man/man3/BIO_get_shutdown.3ossl
@@ -1599,6 +1607,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/BIO_set_data.3ossl
#usr/share/man/man3/BIO_set_ex_data.3ossl
#usr/share/man/man3/BIO_set_fd.3ossl
+#usr/share/man/man3/BIO_set_flags.3ossl
#usr/share/man/man3/BIO_set_fp.3ossl
#usr/share/man/man3/BIO_set_indent.3ossl
#usr/share/man/man3/BIO_set_info_callback.3ossl
@@ -1611,7 +1620,10 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/BIO_set_next.3ossl
#usr/share/man/man3/BIO_set_prefix.3ossl
#usr/share/man/man3/BIO_set_read_buffer_size.3ossl
+#usr/share/man/man3/BIO_set_retry_read.3ossl
#usr/share/man/man3/BIO_set_retry_reason.3ossl
+#usr/share/man/man3/BIO_set_retry_special.3ossl
+#usr/share/man/man3/BIO_set_retry_write.3ossl
#usr/share/man/man3/BIO_set_shutdown.3ossl
#usr/share/man/man3/BIO_set_sock_type.3ossl
#usr/share/man/man3/BIO_set_ssl.3ossl
@@ -1633,6 +1645,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/BIO_ssl_copy_session_id.3ossl
#usr/share/man/man3/BIO_ssl_shutdown.3ossl
#usr/share/man/man3/BIO_tell.3ossl
+#usr/share/man/man3/BIO_test_flags.3ossl
#usr/share/man/man3/BIO_up_ref.3ossl
#usr/share/man/man3/BIO_vfree.3ossl
#usr/share/man/man3/BIO_vprintf.3ossl
@@ -1821,6 +1834,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/CMS_EncryptedData_decrypt.3ossl
#usr/share/man/man3/CMS_EncryptedData_encrypt.3ossl
#usr/share/man/man3/CMS_EncryptedData_encrypt_ex.3ossl
+#usr/share/man/man3/CMS_EncryptedData_set1_key.3ossl
#usr/share/man/man3/CMS_EnvelopedData_create.3ossl
#usr/share/man/man3/CMS_EnvelopedData_create_ex.3ossl
#usr/share/man/man3/CMS_EnvelopedData_decrypt.3ossl
@@ -3810,6 +3824,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/OPENSSL_mem_debug_push.3ossl
#usr/share/man/man3/OPENSSL_memdup.3ossl
#usr/share/man/man3/OPENSSL_no_config.3ossl
+#usr/share/man/man3/OPENSSL_ppccap.3ossl
#usr/share/man/man3/OPENSSL_realloc.3ossl
#usr/share/man/man3/OPENSSL_realloc_array.3ossl
#usr/share/man/man3/OPENSSL_riscvcap.3ossl
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2026 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 3.6.0
+VER = 3.6.1
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 4a0150aa9a78581e74119b338848458249630c94a43589a5b311d41c669b817b043007ddd13b3fb81233da10af3ccd455f3fbf3b09cf45016c475a8e2044e965
+$(DL_FILE)_BLAKE2 = da949967d40ca9e17baf1bedded5080e37bce2dfc187f2a46f80ec01e708f9d550d055ef8557812135c4a1081b8f3477c5d4dbe46e0f39a9b696a7dbdc6b769a
install : $(TARGET)
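Review bot: the replaced `$(DL_FILE)_BLAKE2` line is the only integrity check on the 3.6.1 tarball visible in this patch, and the commit message does not say how the new value was derived. Please confirm it was computed from a tarball that had first been checked against the upstream release signature or published digest, and say so in the commit message, so that the hash records a verified artefact and not simply whatever was downloaded.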