From patchwork Fri Jun 12 17:30:44 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9936
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] openssl: Update to version 3.6.3
Date: Fri, 12 Jun 2026 19:30:44 +0200
Message-ID: <20260612173044.3098900-2-adolf.belka@ipfire.org>
In-Reply-To: <20260612173044.3098900-1-adolf.belka@ipfire.org>
References: <20260612173044.3098900-1-adolf.belka@ipfire.org>
Precedence: list

- Update from version 3.6.2 to 3.6.3
- Update of rootfile
- Changelog
    3.6.3
      OpenSSL 3.6.3 is a security patch release. The most severe CVE fixed in
      this release is High.
      This release incorporates the following bug fixes and mitigations:
        Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
        Fixed CMS AuthEnvelopedData processing may accept forged messages.
          (CVE-2026-34182)
        Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
          (CVE-2026-34183)
        Fixed double-free when checking OCSP stapled response. (CVE-2026-35188)
        Fixed NULL pointer dereference in QUIC server initial packet handling.
          (CVE-2026-42764)
        Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
        Fixed possible heap buffer overflow in ASN.1 multibyte string
          conversion. (CVE-2026-7383)
        Fixed out-of-bounds read in CMS password-based decryption.
          (CVE-2026-9076)
        Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
        Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
          (CVE-2026-34181)
        Fixed NULL dereference in certificate verification with OCSP Checking.
          (CVE-2026-42765)
        Fixed possible NULL dereference in password-based CMS decryption.
          (CVE-2026-42766)
        Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
          (CVE-2026-42767)
        Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and
          PKCS7_decrypt(). (CVE-2026-42768)
        Fixed trust anchor substitution via cert/issuer typo in CMP
          rootCaKeyUpdate. (CVE-2026-42769)
        Fixed FFC-DH peer validation uses attacker-supplied q.
(CVE-2026-42770) Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446) Signed-off-by: Adolf Belka --- config/rootfiles/common/openssl | 6 ++++++ lfs/openssl | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index bbdfd8cab..9b07e091d 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -1558,6 +1558,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_new_ssl.3ossl #usr/share/man/man3/BIO_new_ssl_connect.3ossl #usr/share/man/man3/BIO_next.3ossl +#usr/share/man/man3/BIO_nread.3ossl +#usr/share/man/man3/BIO_nread0.3ossl +#usr/share/man/man3/BIO_nwrite.3ossl +#usr/share/man/man3/BIO_nwrite0.3ossl #usr/share/man/man3/BIO_parse_hostserv.3ossl #usr/share/man/man3/BIO_pending.3ossl #usr/share/man/man3/BIO_pop.3ossl @@ -1993,10 +1997,12 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/CRYPTO_mem_leaks_cb.3ossl #usr/share/man/man3/CRYPTO_mem_leaks_fp.3ossl #usr/share/man/man3/CRYPTO_memcmp.3ossl +#usr/share/man/man3/CRYPTO_memdup.3ossl #usr/share/man/man3/CRYPTO_new_ex_data.3ossl #usr/share/man/man3/CRYPTO_realloc.3ossl #usr/share/man/man3/CRYPTO_realloc_array.3ossl #usr/share/man/man3/CRYPTO_realloc_fn.3ossl +#usr/share/man/man3/CRYPTO_secure_actual_size.3ossl #usr/share/man/man3/CRYPTO_secure_allocated.3ossl #usr/share/man/man3/CRYPTO_secure_calloc.3ossl #usr/share/man/man3/CRYPTO_secure_clear_free.3ossl diff --git a/lfs/openssl b/lfs/openssl index a91e16700..ef2e5891c 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 3.6.2 +VER = 3.6.3 THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz 
@@ -72,7 +72,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 21a23c53d16e9fbfb4c6d606d6056e7bb72e15c964c43a7f02837d805584bc34917fb2527cbc7fa75de63f3b5f840c693e7b43ac95e4bf9c10dce27f130bf69f +$(DL_FILE)_BLAKE2 = 12dcbd977c3ccbeefd0310c23a8398d91395896b0d23e3e630d1318e96d650ee7dadd91c8ea1876458076b2d19d1fa72c70ae76669ce97d315aa813a0b826745 install : $(TARGET)
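Review bot: the commit message says only "Update of rootfile", while both hunks in config/rootfiles/common/openssl (at -1558 and -1993) add nothing but commented-out man3 entries: BIO_nread, BIO_nread0, BIO_nwrite, BIO_nwrite0, CRYPTO_memdup and CRYPTO_secure_actual_size. These account for all 6 insertions in the diffstat, so no library or ossl-modules path changes. Please say so explicitly in the commit message, for example "rootfile: only excluded man page entries added, no shipped files changed", so that a reviewer of a security release does not have to establish that from the diff.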
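Review bot: the replaced $(DL_FILE)_BLAKE2 value in lfs/openssl (hunk at -72) is the only integrity pin visible for openssl-3.6.3.tar.gz, and the commit message does not say how the tarball behind the new digest was validated. Please add a line stating that the download was checked against upstream's published checksum or release signature before the BLAKE2 value was generated. Without that, the pin only shows that the build uses the same file the submitter fetched, not that the file is the upstream release.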