MFV: openssl 3.5.7

This change is a security release which resolves several issues with OpenSSL 3.5, the highest severity issue being ranked "High". Users are strongly encouraged to update to this release.

More information about the release (from a high level) can be found in the release notes [1].

1. https://github.com/openssl/openssl/blob/openssl-3.5.7/NEWS.md

All conflicts were resolved with `--theirs`, taking the release diff over the local diff; the conflicts occurred due to preemptive security fixes applied by so@ in e508c343.

MFC after: 3 days (the important security issues have been preemptively addressed)

Merge commit '3a71a35ad9dad0e5d2cad8efecc8ba9d57c42d43'

Conflicts:
    crypto/openssl/include/internal/quic_channel.h
    crypto/openssl/ssl/quic/quic_channel_local.h
    crypto/openssl/ssl/quic/quic_rx_depack.c
    crypto/openssl/test/cmsapitest.c
    crypto/openssl/test/evp_extra_test.c

openssl: Fix multiple vulnerabilities

This is a rollup commit from upstream to fix:
    Reject oversized inputs in ASN1_mbstring_ncopy()
    cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation
    cms: kek_unwrap_key: test for fix out-of-bounds read in check-byte validation
    Avoid length truncation in ASN1_STRING_set
    pkcs12: verify that the pbmac1 key length is safe
    Reject potentially forged encrypted CMS AuthEnvelopedData messages
    QUIC stack must limit the number of PATH_CHALLENGE frames processed in RX
    Fix NULL dereference in QUIC address validation
    Fix potential NULL dereference processing CMS PasswordRecipientInfo
    Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
    Enforce implicit rejection for CMS/PKCS#7 decryption
    Use the correct issuer when validating rootCAKeyUpdate
    Match the local q DHX parameter against the peer's q
    Apply the buffered IV on the AES-OCB EVP_Cipher() path
    Fix handling of empty-ciphertext messages in AES-GCM-SIV and AES-SIV
    Fix possible use-after-free in OpenSSL PKCS7_verify()

Approved by: so
Obtained from: OpenSSL
Security: FreeBSD-SA-26:35.openssl
Security: CVE-2026-7383
Security: CVE-2026-9076
Security: CVE-2026-34180
Security: CVE-2026-34181
Security: CVE-2026-34182
Security: CVE-2026-34183
Security: CVE-2026-42764
Security: CVE-2026-42766
Security: CVE-2026-42767
Security: CVE-2026-42768
Security: CVE-2026-42769
Security: CVE-2026-42770
Security: CVE-2026-45445
Security: CVE-2026-45446
Security: CVE-2026-45447

MFV: crypto/openssl: update to 3.5.6

This change brings in version 3.5.6 of OpenSSL, which features several security fixes (the highest of which is a MEDIUM severity issue), as well as some miscellaneous feature updates.

Please see the release notes [1] for more details.

PS Apologies for the confusing merge commits -- I was testing out a new automated update process and failed to catch the commit message issues until after I pushed the change.

1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md

MFC after: 1 day (the security issues warrant a quick backport).

Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90'

openssl: import 3.5.5

This change adds OpenSSL 3.5.5 from upstream [1].

The 3.5.5 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes. All of the CVE-worthy issues have already been addressed on the target branch(es), so the net-result is that this is a bugfix release.

More information about the release (from a high level) can be found in the release notes [4].

MFC after: 1 week

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md

Merge commit '808413da28df9fb93e1f304e6016b15e660f54c8'

crypto/openssl: update to 3.5.4

This change includes all necessary changes required to update to OpenSSL 3.5.4.

More information about the 3.5.4 release can be found in the relevant release notes (see 8e12a5c4eb3507846b5 for more details).

Merge commit '8e12a5c4eb3507846b507d0afe87d115af41df40'

crypto/openssl: update component to 3.5.3

This change updates the sources for crypto/openssl. The subsequent commit will update the build artifacts to match the 3.5.3 release.

More details about the update can be found in the related vendor branch commits.

MFC after: 1 week

Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572'

openssl: Import version 3.5.1

Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be EOL after 2026-09-07.

Approved by: philip (mentor)
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D51613

Merge commit '1095efe41feed8ea5a6fe5ca123c347ae0914801'

Approved by: philip (mentor)
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation

openssl: Import OpenSSL 3.0.16

This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49296

openssl: Import OpenSSL 3.0.15.

This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by: gordon
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'

openssl: Bring over fix for CVE-2024-6119 from vendor/openssl-3.0.

Merge commit 'e60dbfd00b009d424dfc5446d132872c93dd0aed'

Update to OpenSSL 3.0.14

This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)

MFC after: 3 days

Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'

OpenSSL: Vendor import of OpenSSL 3.0.13

 * Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
 * Fixed Excessive time spent checking invalid RSA public keys ([CVE-2023-6237])
 * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
 * Fix excessive time spent in DH check / generation with large Q parameter value ([CVE-2023-5678])

Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html.

Approved by: emaste
MFC after: 3 days

Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'