pkgsrc-Changes archive


CVS commit: pkgsrc/security/openssl



Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jun  9 14:57:03 UTC 2026

Modified Files:
        pkgsrc/security/openssl: Makefile PLIST distinfo

Log Message:
openssl: updated to 3.6.3

OpenSSL 3.6.3 is a security patch release. The most severe CVE fixed
in this release is High.

This release incorporates the following bug fixes and mitigations:

Fixed heap use-after-free in PKCS7_verify().
(CVE-2026-45447)

Fixed CMS AuthEnvelopedData processing may accept forged messages.
(CVE-2026-34182)

Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
(CVE-2026-34183)

Fixed double-free when checking OCSP stapled response.
(CVE-2026-35188)

Fixed NULL pointer dereference in QUIC server initial packet handling.
(CVE-2026-42764)

Fixed AES-OCB IV ignored on EVP_Cipher() path.
(CVE-2026-45445)

Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
(CVE-2026-7383)

Fixed out-of-bounds read in CMS password-based decryption.
(CVE-2026-9076)

Fixed heap buffer over-read in ASN.1 content parsing.
(CVE-2026-34180)

Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
(CVE-2026-34181)

Fixed NULL dereference in certificate verification with OCSP Checking.
(CVE-2026-42765)

Fixed possible NULL dereference in password-based CMS decryption.
(CVE-2026-42766)

Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
(CVE-2026-42767)

Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
and PKCS7_decrypt().
(CVE-2026-42768)

Fixed trust anchor substitution via cert/issuer typo in CMP
rootCaKeyUpdate.
(CVE-2026-42769)

Fixed FFC-DH peer validation uses attacker-supplied q.
(CVE-2026-42770)

Fixed incorrect tag processing for empty messages in AES-GCM-SIV
and AES-SIV modes.
(CVE-2026-45446)


To generate a diff of this commit:
cvs rdiff -u -r1.317 -r1.318 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/security/openssl/PLIST
cvs rdiff -u -r1.188 -r1.189 pkgsrc/security/openssl/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssl/Makefile
diff -u pkgsrc/security/openssl/Makefile:1.317 pkgsrc/security/openssl/Makefile:1.318
--- pkgsrc/security/openssl/Makefile:1.317      Tue Apr  7 18:37:35 2026
+++ pkgsrc/security/openssl/Makefile    Tue Jun  9 14:57:03 2026
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.317 2026/04/07 18:37:35 wiz Exp $
+# $NetBSD: Makefile,v 1.318 2026/06/09 14:57:03 adam Exp $
 
 # Remember to upload-distfiles when updating OpenSSL -- otherwise it
 # is not possible for users who have bootstrapped without OpenSSL
 # to install it and enable HTTPS fetching.
-DISTNAME=      openssl-3.6.2
+DISTNAME=      openssl-3.6.3
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=openssl/}
 GITHUB_RELEASE=        ${DISTNAME}
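
Review bot: the comment directly above DISTNAME asks for upload-distfiles on every OpenSSL update, and the log message does not record that it was run for openssl-3.6.3. MASTER_SITES points at GitHub, so users who bootstrapped without OpenSSL depend on that upload to install this security update; please confirm it was done and mention it in the log.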

Index: pkgsrc/security/openssl/PLIST
diff -u pkgsrc/security/openssl/PLIST:1.26 pkgsrc/security/openssl/PLIST:1.27
--- pkgsrc/security/openssl/PLIST:1.26  Tue Apr  7 18:37:35 2026
+++ pkgsrc/security/openssl/PLIST       Tue Jun  9 14:57:03 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.26 2026/04/07 18:37:35 wiz Exp $
+@comment $NetBSD: PLIST,v 1.27 2026/06/09 14:57:03 adam Exp $
 bin/c_rehash
 bin/openssl
 include/openssl/aes.h
@@ -579,6 +579,10 @@ man/man3/BIO_new_socket.3
 man/man3/BIO_new_ssl.3
 man/man3/BIO_new_ssl_connect.3
 man/man3/BIO_next.3
+man/man3/BIO_nread.3
+man/man3/BIO_nread0.3
+man/man3/BIO_nwrite.3
+man/man3/BIO_nwrite0.3
 man/man3/BIO_parse_hostserv.3
 man/man3/BIO_pending.3
 man/man3/BIO_pop.3
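
Review bot: the four added man/man3/BIO_nread*.3 and BIO_nwrite*.3 entries are not explained by the log message, which describes 3.6.3 purely as a security patch release and lists only CVE fixes. A one-line mention that the release also installs additional manual pages would account for the PLIST change; the entries themselves are in sorted position between BIO_next.3 and BIO_parse_hostserv.3.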
@@ -1014,10 +1018,12 @@ man/man3/CRYPTO_mem_leaks.3
 man/man3/CRYPTO_mem_leaks_cb.3
 man/man3/CRYPTO_mem_leaks_fp.3
 man/man3/CRYPTO_memcmp.3
+man/man3/CRYPTO_memdup.3
 man/man3/CRYPTO_new_ex_data.3
 man/man3/CRYPTO_realloc.3
 man/man3/CRYPTO_realloc_array.3
 man/man3/CRYPTO_realloc_fn.3
+man/man3/CRYPTO_secure_actual_size.3
 man/man3/CRYPTO_secure_allocated.3
 man/man3/CRYPTO_secure_calloc.3
 man/man3/CRYPTO_secure_clear_free.3

Index: pkgsrc/security/openssl/distinfo
diff -u pkgsrc/security/openssl/distinfo:1.188 pkgsrc/security/openssl/distinfo:1.189
--- pkgsrc/security/openssl/distinfo:1.188      Tue Apr  7 18:37:35 2026
+++ pkgsrc/security/openssl/distinfo    Tue Jun  9 14:57:03 2026
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.188 2026/04/07 18:37:35 wiz Exp $
+$NetBSD: distinfo,v 1.189 2026/06/09 14:57:03 adam Exp $
 
-BLAKE2s (openssl-3.6.2.tar.gz) = a66d68bf51f8c83fead828c4a8e91e73f77ebe16513d8d579b1b5646454ab358
-SHA512 (openssl-3.6.2.tar.gz) = 46549ed4d6b0160adfa3e1406bc16f3083a7f3c85bdda289c1dbebd0db91433c39855dae765787ec68157faffba4cdb05a0600af4652e3e35da939e0bad8ef1e
-Size (openssl-3.6.2.tar.gz) = 54913556 bytes
+BLAKE2s (openssl-3.6.3.tar.gz) = 805be28e9457a3da03cf81331cc9cda847505771385ebccf33fe84e264593e2a
+SHA512 (openssl-3.6.3.tar.gz) = 4179ad56f285fd27a1c7b294472afdca588e915d4f8a9610e461f34f0678004aebe32e88434ae536a63a7c9aff6607702a3b341e2faacb7899c27d6def4cc92d
+Size (openssl-3.6.3.tar.gz) = 54953005 bytes
 SHA1 (patch-Configurations_unix-Makefile.tmpl) = ea9b0a0c8de810362813d84a4f85c5ebdedf9fc6
 SHA1 (patch-util_perl_OpenSSL_config.pm) = 3ba3c23046bf69c7d348b4c1c8c8269d83cfa2b4
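
Review bot: the new BLAKE2s and SHA512 lines for openssl-3.6.3.tar.gz are only as trustworthy as the copy that was fetched when they were generated, and the log message does not say the tarball was compared against upstream's published checksum or release signature. For a security release, please state in the log how the distfile was verified. The two SHA1 patch entries are unchanged, so the local patches are expected to apply to 3.6.3 as they are; a note that this was build-tested would help.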


