openssl: Update to version 3.6.3

Message ID 20260612173044.3098900-2-adolf.belka@ipfire.org
State New
Series openssl: Update to version 3.6.3

Commit Message

Adolf Belka 12 Jun 2026, 5:30 p.m. UTC
- Update from version 3.6.2 to 3.6.3
- Update of rootfile
- Changelog
3.6.3
OpenSSL 3.6.3 is a security patch release. The most severe CVE fixed
in this release is High.
This release incorporates the following bug fixes and mitigations:
    Fixed heap use-after-free in PKCS7_verify().
	(CVE-2026-45447)
    Fixed CMS AuthEnvelopedData processing may accept forged messages.
	(CVE-2026-34182)
    Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
	(CVE-2026-34183)
    Fixed double-free when checking OCSP stapled response.
	(CVE-2026-35188)
    Fixed NULL pointer dereference in QUIC server initial packet handling.
	(CVE-2026-42764)
    Fixed AES-OCB IV ignored on EVP_Cipher() path.
	(CVE-2026-45445)
    Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
	(CVE-2026-7383)
    Fixed out-of-bounds read in CMS password-based decryption.
	(CVE-2026-9076)
    Fixed heap buffer over-read in ASN.1 content parsing.
	(CVE-2026-34180)
    Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
	(CVE-2026-34181)
    Fixed NULL dereference in certificate verification with OCSP Checking.
	(CVE-2026-42765)
    Fixed possible NULL dereference in password-based CMS decryption.
	(CVE-2026-42766)
    Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
	(CVE-2026-42767)
    Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
    and PKCS7_decrypt().
	(CVE-2026-42768)
    Fixed trust anchor substitution via cert/issuer typo in CMP
    rootCaKeyUpdate.
	(CVE-2026-42769)
    Fixed FFC-DH peer validation uses attacker-supplied q.
	(CVE-2026-42770)
    Fixed incorrect tag processing for empty messages in AES-GCM-SIV
    and AES-SIV modes.
	(CVE-2026-45446)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/openssl | 6 ++++++
 lfs/openssl                     | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
  

Patch

diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index bbdfd8cab..9b07e091d 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -1558,6 +1558,10 @@  usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/BIO_new_ssl.3ossl
 #usr/share/man/man3/BIO_new_ssl_connect.3ossl
 #usr/share/man/man3/BIO_next.3ossl
+#usr/share/man/man3/BIO_nread.3ossl
+#usr/share/man/man3/BIO_nread0.3ossl
+#usr/share/man/man3/BIO_nwrite.3ossl
+#usr/share/man/man3/BIO_nwrite0.3ossl
 #usr/share/man/man3/BIO_parse_hostserv.3ossl
 #usr/share/man/man3/BIO_pending.3ossl
 #usr/share/man/man3/BIO_pop.3ossl
@@ -1993,10 +1997,12 @@  usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/CRYPTO_mem_leaks_cb.3ossl
 #usr/share/man/man3/CRYPTO_mem_leaks_fp.3ossl
 #usr/share/man/man3/CRYPTO_memcmp.3ossl
+#usr/share/man/man3/CRYPTO_memdup.3ossl
 #usr/share/man/man3/CRYPTO_new_ex_data.3ossl
 #usr/share/man/man3/CRYPTO_realloc.3ossl
 #usr/share/man/man3/CRYPTO_realloc_array.3ossl
 #usr/share/man/man3/CRYPTO_realloc_fn.3ossl
+#usr/share/man/man3/CRYPTO_secure_actual_size.3ossl
 #usr/share/man/man3/CRYPTO_secure_allocated.3ossl
 #usr/share/man/man3/CRYPTO_secure_calloc.3ossl
 #usr/share/man/man3/CRYPTO_secure_clear_free.3ossl
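Review bot: both rootfile hunks only add commented-out man3 entries (BIO_nread/BIO_nwrite variants, CRYPTO_memdup, CRYPTO_secure_actual_size), which matches the existing convention of keeping man pages out of the shipped rootfile, so nothing installed changes here; please confirm in the commit message that the rootfile was regenerated from a clean 3.6.3 build so that no library, module or header entry was removed or renamed upstream without showing up in this diff.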
diff --git a/lfs/openssl b/lfs/openssl
index a91e16700..ef2e5891c 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 3.6.2
+VER        = 3.6.3
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 21a23c53d16e9fbfb4c6d606d6056e7bb72e15c964c43a7f02837d805584bc34917fb2527cbc7fa75de63f3b5f840c693e7b43ac95e4bf9c10dce27f130bf69f
+$(DL_FILE)_BLAKE2 = 12dcbd977c3ccbeefd0310c23a8398d91395896b0d23e3e630d1318e96d650ee7dadd91c8ea1876458076b2d19d1fa72c70ae76669ce97d315aa813a0b826745
 
 install : $(TARGET)
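Review bot: the commit message does not say how the new `$(DL_FILE)_BLAKE2` value was obtained; for a security patch release that fixes several High-severity CVEs, please state that the 3.6.3 tarball was verified against the upstream OpenSSL signature or published checksum before the BLAKE2 hash was taken, so reviewers can distinguish a verified download from a hash of whatever the mirror returned. The new value is 128 hex digits, the same BLAKE2b-512 length as the old one, and the VER bump in the preceding hunk matches the 3.6.2 to 3.6.3 change described in the commit message.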