public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 52b09e531b11c193fe7df35c27a8e7da8cca79e6
From: Michael Tremer @ 2025-10-03 16:27 UTC
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  52b09e531b11c193fe7df35c27a8e7da8cca79e6 (commit)
       via  e1338c784c46e606c42a4f0d89864d6afa0fd35b (commit)
      from  c0dce85d2c367f9f2b0129b44517f2fa039959f0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 52b09e531b11c193fe7df35c27a8e7da8cca79e6
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Oct 3 16:26:56 2025 +0000

    core199: Ship OpenSSL
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit e1338c784c46e606c42a4f0d89864d6afa0fd35b
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Fri Oct 3 16:04:35 2025 +0200

    openssl: Update to version 3.5.4
    
    - Update from version 3.5.1 to 3.5.4
    - Update of rootfile
    - Changelog
        3.5.4
    	 * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
    	   Issue summary: An application trying to decrypt CMS messages encrypted using
    	   password based encryption can trigger an out-of-bounds read and write.
    	   Impact summary: This out-of-bounds read may trigger a crash which leads to
    	   Denial of Service for an application. The out-of-bounds write can cause
    	   a memory corruption which can have various consequences including
    	   a Denial of Service or Execution of attacker-supplied code.
    	   The issue was reported by Stanislav Fort (Aisle Research).
    	   ([CVE-2025-9230])
    	 * Fix Timing side-channel in SM2 algorithm on 64 bit ARM
    	   Issue summary: A timing side-channel which could potentially allow remote
    	   recovery of the private key exists in the SM2 algorithm implementation on
    	   64 bit ARM platforms.
    	   Impact summary: A timing side-channel in SM2 signature computations on
    	   64 bit ARM platforms could allow recovering the private key by an attacker.
    	   The issue was reported by Stanislav Fort (Aisle Research).
    	   ([CVE-2025-9231])
    	 * Fix Out-of-bounds read in HTTP client no_proxy handling
    	   Issue summary: An application using the OpenSSL HTTP client API functions
    	   may trigger an out-of-bounds read if the "no_proxy" environment variable is
    	   set and the host portion of the authority component of the HTTP URL is an
    	   IPv6 address.
    	   Impact summary: An out-of-bounds read can trigger a crash which leads to
    	   Denial of Service for an application.
    	   The issue was reported by Stanislav Fort (Aisle Research).
    	   ([CVE-2025-9232])
    	 * The FIPS provider no longer performs a PCT on key import for ECX keys
    	   (that was introduced in 3.5.2), following the latest update
    	   on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
    	 * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
    	   signatures.
    	 * Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release
    	   builds, as it broke some existing applications that relied on the previous
    	   3.x semantics, as documented in `OpenSSL_version(3)`.
        3.5.3
    	 * Avoided a potential race condition introduced in 3.5.1, where
    	   `OSSL_STORE_CTX` kept open during lookup while potentially being used
    	   by multiple threads simultaneously, that could lead to potential crashes
    	   when multiple concurrent TLS connections are served.
    	 * The FIPS provider no longer performs a PCT on key import for RSA, DH,
    	   and EC keys (that was introduced in 3.5.2), following the latest update
    	   on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
    	 * Secure memory allocation calls are no longer used for HMAC keys.
    	 * `openssl req` no longer generates certificates with an empty extension list
    	   when SKID/AKID are set to `none` during generation.
    	 * The man page date is now derived from the release date provided
    	   in `VERSION.dat` and not the current date for the released builds.
    	 * Hardened the provider implementation of the RSA public key "encrypt"
    	   operation to add a missing check that the caller-indicated output buffer
    	   size is at least as large as the byte count of the RSA modulus.  The issue
    	   was reported by Arash Ale Ebrahim from SYSPWN.
    	   This operation is typically invoked via `EVP_PKEY_encrypt(3)`.  Callers that
    	   in fact provide a sufficiently large buffer, but fail to correctly indicate
    	   its size may now encounter unexpected errors.  In applications that attempt
    	   RSA public encryption into a buffer that is too small, an out-of-bounds
    	   write is now avoided and an error is reported instead.
    	 * Added FIPS 140-3 PCT on DH key generation.
    	 * Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
        3.5.2
    	 * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
    	   This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
    
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/openssl                              | 2 ++
 config/rootfiles/{oldcore/100 => core/199}/filelists/openssl | 0
 lfs/openssl                                                  | 4 ++--
 3 files changed, 4 insertions(+), 2 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/199}/filelists/openssl (100%)

Difference in files:
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index 8c154485e..5374f5e65 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -5530,10 +5530,12 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/SSL_POLL_EVENT_E.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_EC.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_ECD.3ossl
+#usr/share/man/man3/SSL_POLL_EVENT_EL.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_ER.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_EW.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_F.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_I.3ossl
+#usr/share/man/man3/SSL_POLL_EVENT_IC.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_IS.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_ISB.3ossl
 #usr/share/man/man3/SSL_POLL_EVENT_ISE.3ossl
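
Review bot: the two entries added here, SSL_POLL_EVENT_EL.3ossl and SSL_POLL_EVENT_IC.3ossl, are commented out like the man pages around them, yet the commit message covers the change only as "Update of rootfile". Consider stating in the message that the rootfile change consists of two new commented-out man page entries, so a reader can tell the uncommented entries are the same as for 3.5.1 without reading the diff.
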
diff --git a/config/rootfiles/core/199/filelists/openssl b/config/rootfiles/core/199/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/199/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
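
Review bot: the commit that adds this symlink is described only as "core199: Ship OpenSSL", which gives no reason for shipping. Since the update it ships (e1338c784c46e606c42a4f0d89864d6afa0fd35b) lists fixes for CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232 in its changelog, the message should reference that commit and say the ship is security-motivated. The relative target ../../../common/openssl does resolve from config/rootfiles/core/199/filelists/ to config/rootfiles/common/openssl, the file changed above.
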
diff --git a/lfs/openssl b/lfs/openssl
index c59714470..dc3f733a0 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.5.1
+VER        = 3.5.4
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
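
Review bot: the VER change from 3.5.1 to 3.5.4 takes in two intermediate releases, and the changelog in the commit message lists a behaviour change among them: after the 3.5.3 hardening of the RSA public key "encrypt" operation, callers that mis-indicate their output buffer size "may now encounter unexpected errors". The message should say whether anything in the tree that calls EVP_PKEY_encrypt(3) was checked against the new build.
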
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 172db56ac41cee78bcb5d2223c33d78baf3326d8d466115f39be414384d265ad4541e00096d3f53435f9f89119882ae587b20b1ac05dc2ace46a0d43d7cc6996
+$(DL_FILE)_BLAKE2 = 07e02f88af05e189385eef28599b81bd16d242130975c79df46e565a0dd92f74e59807d4770a2b3316adf08f2ca6a0dd2bfc96ab2a88a8dfb5c0d19197fe8fbf
 
 install : $(TARGET)
 
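
Review bot: the new $(DL_FILE)_BLAKE2 value is the only integrity check visible here for the 3.5.4 tarball, and nothing in the commit message says how it was derived. Suggest noting in the message that the tarball was checked against the upstream release's published checksum or signature before this digest was computed, so the pinned value is known to describe the upstream release and not just the file that happened to be downloaded.
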


hooks/post-receive
--
IPFire 2.x development tree

