From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] openssl: Update to version 3.6.1
Date: Wed, 28 Jan 2026 22:44:03 +0100
Message-ID: <20260128214403.3621016-2-adolf.belka@ipfire.org>
In-Reply-To: <20260128214403.3621016-1-adolf.belka@ipfire.org>
References: <20260128214403.3621016-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- 12 CVE fixes
- Changelog

3.6.1

OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification. ([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing. ([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID. ([CVE-2025-15468])
* Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB. ([CVE-2025-15469])
* Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation. ([CVE-2025-66199])
* Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes. ([CVE-2025-68160])
* Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls. ([CVE-2025-69418])
* Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion. ([CVE-2025-69419])
* Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` function. ([CVE-2025-69420])
* Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function. ([CVE-2025-69421])
* Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing. ([CVE-2026-22795])
* Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()` function. ([CVE-2026-22796])
* Fixed a regression in `X509_V_FLAG_CRL_CHECK_ALL` flag handling by restoring its pre-3.6.0 behaviour.
* Fixed a regression in handling stapled OCSP responses causing handshake failures for OpenSSL 3.6.0 servers with various client implementations. Signed-off-by: Adolf Belka --- config/rootfiles/common/openssl | 15 +++++++++++++++ lfs/openssl | 6 +++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 2052f8284..98d8c211b 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -297,6 +297,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/BIO_s_socket.html #usr/share/doc/openssl/html/man3/BIO_sendmmsg.html #usr/share/doc/openssl/html/man3/BIO_set_callback.html +#usr/share/doc/openssl/html/man3/BIO_set_flags.html #usr/share/doc/openssl/html/man3/BIO_should_retry.html #usr/share/doc/openssl/html/man3/BIO_socket_wait.html #usr/share/doc/openssl/html/man3/BN_BLINDING_new.html @@ -323,6 +324,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/CMAC_CTX.html #usr/share/doc/openssl/html/man3/CMS_EncryptedData_decrypt.html #usr/share/doc/openssl/html/man3/CMS_EncryptedData_encrypt.html +#usr/share/doc/openssl/html/man3/CMS_EncryptedData_set1_key.html #usr/share/doc/openssl/html/man3/CMS_EnvelopedData_create.html #usr/share/doc/openssl/html/man3/CMS_add0_cert.html #usr/share/doc/openssl/html/man3/CMS_add1_recipient_cert.html @@ -404,6 +406,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/ERR_set_mark.html #usr/share/doc/openssl/html/man3/EVP_ASYM_CIPHER_free.html #usr/share/doc/openssl/html/man3/EVP_BytesToKey.html +#usr/share/doc/openssl/html/man3/EVP_CIPHER_CTX_get_app_data.html #usr/share/doc/openssl/html/man3/EVP_CIPHER_CTX_get_cipher_data.html #usr/share/doc/openssl/html/man3/EVP_CIPHER_CTX_get_original_iv.html #usr/share/doc/openssl/html/man3/EVP_CIPHER_meth_new.html 
@@ -523,6 +526,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/OPENSSL_load_builtin_modules.html #usr/share/doc/openssl/html/man3/OPENSSL_load_u16_le.html #usr/share/doc/openssl/html/man3/OPENSSL_malloc.html +#usr/share/doc/openssl/html/man3/OPENSSL_ppccap.html #usr/share/doc/openssl/html/man3/OPENSSL_riscvcap.html #usr/share/doc/openssl/html/man3/OPENSSL_s390xcap.html #usr/share/doc/openssl/html/man3/OPENSSL_secure_malloc.html @@ -1397,6 +1401,8 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_callback_ctrl.3ossl #usr/share/man/man3/BIO_callback_fn.3ossl #usr/share/man/man3/BIO_callback_fn_ex.3ossl +#usr/share/man/man3/BIO_clear_flags.3ossl +#usr/share/man/man3/BIO_clear_retry_flags.3ossl #usr/share/man/man3/BIO_closesocket.3ossl #usr/share/man/man3/BIO_connect.3ossl #usr/share/man/man3/BIO_ctrl.3ossl @@ -1470,6 +1476,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_get_ex_data.3ossl #usr/share/man/man3/BIO_get_ex_new_index.3ossl #usr/share/man/man3/BIO_get_fd.3ossl +#usr/share/man/man3/BIO_get_flags.3ossl #usr/share/man/man3/BIO_get_fp.3ossl #usr/share/man/man3/BIO_get_indent.3ossl #usr/share/man/man3/BIO_get_info_callback.3ossl @@ -1487,6 +1494,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_get_peer_port.3ossl #usr/share/man/man3/BIO_get_read_request.3ossl #usr/share/man/man3/BIO_get_retry_BIO.3ossl +#usr/share/man/man3/BIO_get_retry_flags.3ossl #usr/share/man/man3/BIO_get_retry_reason.3ossl #usr/share/man/man3/BIO_get_rpoll_descriptor.3ossl #usr/share/man/man3/BIO_get_shutdown.3ossl @@ -1599,6 +1607,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_set_data.3ossl #usr/share/man/man3/BIO_set_ex_data.3ossl #usr/share/man/man3/BIO_set_fd.3ossl +#usr/share/man/man3/BIO_set_flags.3ossl #usr/share/man/man3/BIO_set_fp.3ossl #usr/share/man/man3/BIO_set_indent.3ossl #usr/share/man/man3/BIO_set_info_callback.3ossl 
@@ -1611,7 +1620,10 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_set_next.3ossl #usr/share/man/man3/BIO_set_prefix.3ossl #usr/share/man/man3/BIO_set_read_buffer_size.3ossl +#usr/share/man/man3/BIO_set_retry_read.3ossl #usr/share/man/man3/BIO_set_retry_reason.3ossl +#usr/share/man/man3/BIO_set_retry_special.3ossl +#usr/share/man/man3/BIO_set_retry_write.3ossl #usr/share/man/man3/BIO_set_shutdown.3ossl #usr/share/man/man3/BIO_set_sock_type.3ossl #usr/share/man/man3/BIO_set_ssl.3ossl @@ -1633,6 +1645,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/BIO_ssl_copy_session_id.3ossl #usr/share/man/man3/BIO_ssl_shutdown.3ossl #usr/share/man/man3/BIO_tell.3ossl +#usr/share/man/man3/BIO_test_flags.3ossl #usr/share/man/man3/BIO_up_ref.3ossl #usr/share/man/man3/BIO_vfree.3ossl #usr/share/man/man3/BIO_vprintf.3ossl @@ -1821,6 +1834,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/CMS_EncryptedData_decrypt.3ossl #usr/share/man/man3/CMS_EncryptedData_encrypt.3ossl #usr/share/man/man3/CMS_EncryptedData_encrypt_ex.3ossl +#usr/share/man/man3/CMS_EncryptedData_set1_key.3ossl #usr/share/man/man3/CMS_EnvelopedData_create.3ossl #usr/share/man/man3/CMS_EnvelopedData_create_ex.3ossl #usr/share/man/man3/CMS_EnvelopedData_decrypt.3ossl @@ -3810,6 +3824,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/OPENSSL_mem_debug_push.3ossl #usr/share/man/man3/OPENSSL_memdup.3ossl #usr/share/man/man3/OPENSSL_no_config.3ossl +#usr/share/man/man3/OPENSSL_ppccap.3ossl #usr/share/man/man3/OPENSSL_realloc.3ossl #usr/share/man/man3/OPENSSL_realloc_array.3ossl #usr/share/man/man3/OPENSSL_riscvcap.3ossl diff --git a/lfs/openssl b/lfs/openssl index 88bc6d98f..588fe3619 100644 --- a/lfs/openssl +++ b/lfs/openssl 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 3.6.0 +VER = 3.6.1 THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -72,7 +72,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 4a0150aa9a78581e74119b338848458249630c94a43589a5b311d41c669b817b043007ddd13b3fb81233da10af3ccd455f3fbf3b09cf45016c475a8e2044e965 +$(DL_FILE)_BLAKE2 = da949967d40ca9e17baf1bedded5080e37bce2dfc187f2a46f80ec01e708f9d550d055ef8557812135c4a1081b8f3477c5d4dbe46e0f39a9b696a7dbdc6b769a install : $(TARGET) -- 2.52.0
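Review bot: In the `config/rootfiles/common/openssl` hunks all 15 added lines are `#`-commented documentation entries, so the commit message's "Update of rootfile" could state outright that the set of installed files is unchanged from 3.6.0, which is what a reviewer of a security-only update wants to confirm. The html and man3 sides are also not symmetric in this diff: `EVP_CIPHER_CTX_get_app_data.html` is added with no matching `.3ossl` line, and `BIO_clear_flags.3ossl` and the other BIO flag and retry pages are added with no html counterpart apart from `BIO_set_flags.html`. Please check that the missing halves are either already listed or not generated, so the rootfile is not left stale.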
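Review bot: In the last `lfs/openssl` hunk the `$(DL_FILE)_BLAKE2` value is replaced together with `VER = 3.6.1`, but the commit message does not record where the new digest came from. This hash is the only integrity pin on the downloaded tarball visible in the patch, so please note in the commit message that the 3.6.1 tarball was verified against the upstream release signature or published checksum before the BLAKE2 sum was computed.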