From patchwork Fri Apr 24 16:42:59 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka <adolf.belka@ipfire.org>
X-Patchwork-Id: 9702
Return-Path: <development+bounces-1995-patchwork=ipfire.org@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4g2Jg54yVdz3xF7
	for <patchwork@web04.haj.ipfire.org>; Fri, 24 Apr 2026 16:43:13 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail02.haj.ipfire.org", Issuer "E8" (not verified))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4g2Jg41SzHz7Bw
	for <patchwork@ipfire.org>; Fri, 24 Apr 2026 16:43:12 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [IPv6:::1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4g2Jg10lpRz36V5
	for <patchwork@ipfire.org>; Fri, 24 Apr 2026 16:43:09 +0000 (UTC)
X-Original-To: development@lists.ipfire.org
Received: from mail01.ipfire.org (mail01.haj.ipfire.org
 [IPv6:2001:678:b28::25])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4g2Jfy2B6pz33c4
	for <development@lists.ipfire.org>; Fri, 24 Apr 2026 16:43:06 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4g2Jfx74GNz5lW;
	Fri, 24 Apr 2026 16:43:05 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1777048986;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=w0nvJvl3jhX3xIFnifD2a6lT6kQS9kPJtIA4p4CchWA=;
	b=X02ka9Vzh/aFXBZIsHIAvGtle4ntawRVZovxN31pDS9Xupl1w53BNeH5wKLDfOWq1gt6cv
	zzcpwOVbaDLLV9CQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
	t=1777048986;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=w0nvJvl3jhX3xIFnifD2a6lT6kQS9kPJtIA4p4CchWA=;
	b=UPFbOQS/0wXlGC7PwkOONo715/Kxj8O6bPX9t0jq66iDpcNvkCk3wfq+FTVMAjfBOSWW4W
	HGYWM/uxXAYQnhE8lVcoUNN3CppKd4R3ydorOKTOpq+NBwmaSM9bOQCl+G6dEWCQKgxikP
	cQPLzx2BVirx6ec6Bm13XFMd2BZx20lmrgctBAzB2SV5qPCC1E0sZGcxqp3IISrbM2lifp
	T77/kgs1foh4v9tCMqXbsNiOK0VdFq0mDAH8/VDGt3u9vhCSzFP3NDTmiKtlogTTGvjoow
	6BfEzbL/J603m1RZD3j+WXRC9q/PNH+2z6W3TvFenlgoK3vUdX/cYRShKDePcQ==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] openssl: Update to version 3.6.2
Date: Fri, 24 Apr 2026 18:42:59 +0200
Message-ID: <20260424164300.3505717-4-adolf.belka@ipfire.org>
In-Reply-To: <20260424164300.3505717-1-adolf.belka@ipfire.org>
References: <20260424164300.3505717-1-adolf.belka@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0

- Update from version 3.6.1 to 3.6.2
- Update of rootfile
- This looks to be the last release in the 3.x branch as 4.0.0 has been released.
   This patch updates that last 3.x branch version as it is a security release with
   eight CVE fixes in it.
   Also with the major change from 3.x to 4.x we will need to ensure that there are no
   issues for IPFire. I will do a separate build for 4.0.0 and test it before submitting
   that patch for consideration for 203 or 204
- Changelog
    3.6.2
	Fixed incorrect failure handling in RSA KEM RSASVE encapsulation.
	 (CVE-2026-31790)
	Fixed loss of key agreement group tuple structure when the DEFAULT keyword
	 is used in the server-side configuration of the key-agreement group list.
	 (CVE-2026-2673)
	Fixed out-of-bounds read in AES-CFB-128 on x86-64 CPUs with AVX-512 support.
	 (CVE-2026-28386)
	Fixed potential use-after-free in DANE client code.
	 (CVE-2026-28387)
	Fixed NULL pointer dereference when processing a delta CRL.
	 (CVE-2026-28388)
	Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo.
	 (CVE-2026-28389)
	Fixed possible NULL dereference when processing CMS KeyTransportRecipientInfo.
	 (CVE-2026-28390)
	Fixed heap buffer overflow in hexadecimal conversion.
	 (CVE-2026-31789)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/openssl | 3 +++
 lfs/openssl                     | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index 98d8c211b..bbdfd8cab 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -848,6 +848,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man3/UI_UTIL_read_pw.html
 #usr/share/doc/openssl/html/man3/UI_create_method.html
 #usr/share/doc/openssl/html/man3/UI_new.html
+#usr/share/doc/openssl/html/man3/X509V3_EXT_print.html
 #usr/share/doc/openssl/html/man3/X509V3_get_d2i.html
 #usr/share/doc/openssl/html/man3/X509V3_set_ctx.html
 #usr/share/doc/openssl/html/man3/X509_ACERT_add1_attr.html
@@ -6226,6 +6227,8 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/USERNOTICE_new.3ossl
 #usr/share/man/man3/X509V3_EXT_d2i.3ossl
 #usr/share/man/man3/X509V3_EXT_i2d.3ossl
+#usr/share/man/man3/X509V3_EXT_print.3ossl
+#usr/share/man/man3/X509V3_EXT_print_fp.3ossl
 #usr/share/man/man3/X509V3_add1_i2d.3ossl
 #usr/share/man/man3/X509V3_get_d2i.3ossl
 #usr/share/man/man3/X509V3_set_ctx.3ossl
diff --git a/lfs/openssl b/lfs/openssl
index 588fe3619..a91e16700 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.6.1
+VER        = 3.6.2
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = da949967d40ca9e17baf1bedded5080e37bce2dfc187f2a46f80ec01e708f9d550d055ef8557812135c4a1081b8f3477c5d4dbe46e0f39a9b696a7dbdc6b769a
+$(DL_FILE)_BLAKE2 = 21a23c53d16e9fbfb4c6d606d6056e7bb72e15c964c43a7f02837d805584bc34917fb2527cbc7fa75de63f3b5f840c693e7b43ac95e4bf9c10dce27f130bf69f
 
 install : $(TARGET)