NetBSD-Bugs archive


lib/60382: OpenSSL 3.0.21 upgrade for netbsd-10



>Number:         60382
>Category:       lib
>Synopsis:       OpenSSL 3.0.21 upgrade for netbsd-10
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 29 01:00:00 +0000 2026
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD 10.0_STABLE
>Organization:
NetBSD
>Environment:
System: NetBSD homeworld.NetBSD.org 10.0_STABLE NetBSD 10.0_STABLE (NBMAIL) #0: Tue May 28 07:37:21 UTC 2024 spz%franklin.NetBSD.org@localhost:/home/netbsd/10/amd64/obj/sys/arch/amd64/compile/NBMAIL amd64
Architecture: x86_64
Machine: amd64
>Description:
netbsd-10 includes OpenSSL 3.0.12, and this version had
many CVEs reported:
CVE-2026-45447  CVE-2026-45446  CVE-2025-68160  CVE-2025-9232   CVE-2024-0727
CVE-2026-34182  CVE-2026-31790  CVE-2025-69418  CVE-2024-13176  CVE-2023-6237
CVE-2026-45445  CVE-2026-28387  CVE-2025-69419  CVE-2024-9143   CVE-2023-6129
CVE-2026-7383   CVE-2026-28388  CVE-2025-69420  CVE-2024-6119   CVE-2023-5678
CVE-2026-9076   CVE-2026-28389  CVE-2025-69421  CVE-2024-5535   
CVE-2026-34180  CVE-2026-28390  CVE-2026-22795  CVE-2024-4741   
CVE-2026-42766  CVE-2026-31789  CVE-2026-22796  CVE-2024-4603   
CVE-2026-42770  CVE-2025-15467  CVE-2025-9230   CVE-2024-2511  

This PR is about updating to OpenSSL 3.0.21 to fix the
above-mentioned CVEs.

>How-To-Repeat:

>Fix:
This patch updates OpenSSL to 3.0.21. It is huge: 194k lines. Most of 
it is the unmodified import of openssl-3.0.1 in 
src/crypto/external/bsd/openssl/dist

How it was crafted (procedure from src/doc/3RDPARTY with additional
details):
- unpack openssl tarball in src/crypto/external/bsd/openssl/dist
- Run openssl2netbsd to get rid of the RCSID identifiers
- in src/crypto/external/bsd/openssl/dist
  ./configure
  make include/openssl/opensslv.h
  make include/openssl/fipskey.h
  cp include/openssl/opensslv.h include/openssl/fipskey.h \
     include/openssl/configuration.h  ../include/openssl
- clear dist and unpack openssl again
- review header file modifications and merge changes
- run make in /usr/src/crypto/external/bsd/openssl/lib/libcrypto/man
  to regen man pages.
- run make in /usr/src/crypto/external/bsd/openssl/lib/libcrypto/arch/*
  to regen assembly files

The big patch:
https://dl.espci.fr/ticket/d02beafc0a42f837d86847ea007de62e
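
A check that could follow the header-copy step of the procedure above, added here as an example and not part of the PR or of NetBSD's tooling: it reads the OPENSSL_VERSION_* macros from an opensslv.h and fails when they do not match the release being imported, so a stale 3.0.12 header left in the tree is caught before the build. The function names and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): verify the version macros in an opensslv.h.
# Typical use after the copy step, with the path implied by the procedure:
#   check_import src/crypto/external/bsd/openssl/include/openssl/opensslv.h 3.0.21

# Print MAJOR.MINOR.PATCH from the OPENSSL_VERSION_* macros; fail if any is missing.
header_version() {
    awk '
        # Normalise both "# define" and "#define" spellings.
        { sub(/^[ \t]*#[ \t]*define[ \t]+/, "#define ") }
        $1 == "#define" && $2 == "OPENSSL_VERSION_MAJOR" { major = $3 }
        $1 == "#define" && $2 == "OPENSSL_VERSION_MINOR" { minor = $3 }
        $1 == "#define" && $2 == "OPENSSL_VERSION_PATCH" { patch = $3 }
        END {
            if (major == "" || minor == "" || patch == "") exit 1
            print major "." minor "." patch
        }' "$1"
}

# Return 0 when the header matches the expected release, 1 on mismatch,
# 2 when the header carries no usable version macros.
check_import() {
    found=$(header_version "$1") || { echo "no version macros in $1" >&2; return 2; }
    if [ "$found" = "$2" ]; then
        echo "ok: $1 reports $found"
    else
        echo "MISMATCH: $1 reports $found, expected $2" >&2
        return 1
    fi
}

# Constructed sample headers: the macro layout used by OpenSSL 3.x.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/new.h" <<'EOF'
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  21
EOF
cat > "$tmp/stale.h" <<'EOF'
# define OPENSSL_VERSION_MAJOR  3
# define OPENSSL_VERSION_MINOR  0
# define OPENSSL_VERSION_PATCH  12
EOF

check_import "$tmp/new.h" 3.0.21
check_import "$tmp/stale.h" 3.0.21 || echo "stale header caught"
```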



