pkgsrc-Changes archive


CVS commit: pkgsrc/security/openssl



Module Name:    pkgsrc
Committed By:   adam
Date:           Wed Jan 28 07:38:55 UTC 2026

Modified Files:
        pkgsrc/security/openssl: Makefile PLIST distinfo

Log Message:
openssl: updated to 3.6.1

OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  * Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
    ([CVE-2025-11187])

  * Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
    ([CVE-2025-15467])

  * Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
    ([CVE-2025-15468])

  * Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB.
    ([CVE-2025-15469])

  * Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation.
    ([CVE-2025-66199])

  * Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
    ([CVE-2025-68160])

  * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.
    ([CVE-2025-69418])

  * Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
    ([CVE-2025-69419])

  * Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()`
    function.
    ([CVE-2025-69420])

  * Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
    ([CVE-2025-69421])

  * Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
    ([CVE-2026-22795])

  * Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
    function.
    ([CVE-2026-22796])

  * Fixed a regression in `X509_V_FLAG_CRL_CHECK_ALL` flag handling by
    restoring its pre-3.6.0 behaviour.

  * Fixed a regression in handling stapled OCSP responses causing handshake
    failures for OpenSSL 3.6.0 servers with various client implementations.


To generate a diff of this commit:
cvs rdiff -u -r1.315 -r1.316 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/security/openssl/PLIST
cvs rdiff -u -r1.185 -r1.186 pkgsrc/security/openssl/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssl/Makefile
diff -u pkgsrc/security/openssl/Makefile:1.315 pkgsrc/security/openssl/Makefile:1.316
--- pkgsrc/security/openssl/Makefile:1.315      Sun Oct  5 14:22:44 2025
+++ pkgsrc/security/openssl/Makefile    Wed Jan 28 07:38:55 2026
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.315 2025/10/05 14:22:44 js Exp $
+# $NetBSD: Makefile,v 1.316 2026/01/28 07:38:55 adam Exp $
 
 # Remember to upload-distfiles when updating OpenSSL -- otherwise it
 # is not possible for users who have bootstrapped without OpenSSL
 # to install it and enable HTTPS fetching.
-DISTNAME=      openssl-3.6.0
+DISTNAME=      openssl-3.6.1
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=openssl/}
 GITHUB_RELEASE=        ${DISTNAME}
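
Review bot: The DISTNAME bump to openssl-3.6.1 sits directly under the "Remember to upload-distfiles" comment, but nothing in the hunk or the log message records that the upload was done. Please confirm it, since per that comment users who bootstrapped without OpenSSL cannot otherwise install it and enable HTTPS fetching. Noting the upload in the log message would make the step auditable.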

Index: pkgsrc/security/openssl/PLIST
diff -u pkgsrc/security/openssl/PLIST:1.24 pkgsrc/security/openssl/PLIST:1.25
--- pkgsrc/security/openssl/PLIST:1.24  Fri Oct  3 09:11:10 2025
+++ pkgsrc/security/openssl/PLIST       Wed Jan 28 07:38:55 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.24 2025/10/03 09:11:10 adam Exp $
+@comment $NetBSD: PLIST,v 1.25 2026/01/28 07:38:55 adam Exp $
 bin/c_rehash
 bin/openssl
 include/openssl/aes.h
@@ -423,6 +423,8 @@ man/man3/BIO_bind.3
 man/man3/BIO_callback_ctrl.3
 man/man3/BIO_callback_fn.3
 man/man3/BIO_callback_fn_ex.3
+man/man3/BIO_clear_flags.3
+man/man3/BIO_clear_retry_flags.3
 man/man3/BIO_closesocket.3
 man/man3/BIO_connect.3
 man/man3/BIO_ctrl.3
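
Review bot: Missing documentation for the PLIST growth: BIO_clear_flags.3 and BIO_clear_retry_flags.3 here, and the further man3 entries in the following PLIST hunks, are new installed files, while the log message describes 3.6.1 only as a security patch release with two regression fixes. A one-line mention that the update also adds man page entries would explain why a security-only bump changes the installed file list.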
@@ -496,6 +498,7 @@ man/man3/BIO_get_data.3
 man/man3/BIO_get_ex_data.3
 man/man3/BIO_get_ex_new_index.3
 man/man3/BIO_get_fd.3
+man/man3/BIO_get_flags.3
 man/man3/BIO_get_fp.3
 man/man3/BIO_get_indent.3
 man/man3/BIO_get_info_callback.3
@@ -513,6 +516,7 @@ man/man3/BIO_get_peer_name.3
 man/man3/BIO_get_peer_port.3
 man/man3/BIO_get_read_request.3
 man/man3/BIO_get_retry_BIO.3
+man/man3/BIO_get_retry_flags.3
 man/man3/BIO_get_retry_reason.3
 man/man3/BIO_get_rpoll_descriptor.3
 man/man3/BIO_get_shutdown.3
@@ -625,6 +629,7 @@ man/man3/BIO_set_conn_port.3
 man/man3/BIO_set_data.3
 man/man3/BIO_set_ex_data.3
 man/man3/BIO_set_fd.3
+man/man3/BIO_set_flags.3
 man/man3/BIO_set_fp.3
 man/man3/BIO_set_indent.3
 man/man3/BIO_set_info_callback.3
@@ -637,7 +642,10 @@ man/man3/BIO_set_nbio_accept.3
 man/man3/BIO_set_next.3
 man/man3/BIO_set_prefix.3
 man/man3/BIO_set_read_buffer_size.3
+man/man3/BIO_set_retry_read.3
 man/man3/BIO_set_retry_reason.3
+man/man3/BIO_set_retry_special.3
+man/man3/BIO_set_retry_write.3
 man/man3/BIO_set_shutdown.3
 man/man3/BIO_set_sock_type.3
 man/man3/BIO_set_ssl.3
@@ -659,6 +667,7 @@ man/man3/BIO_socket_wait.3
 man/man3/BIO_ssl_copy_session_id.3
 man/man3/BIO_ssl_shutdown.3
 man/man3/BIO_tell.3
+man/man3/BIO_test_flags.3
 man/man3/BIO_up_ref.3
 man/man3/BIO_vfree.3
 man/man3/BIO_vprintf.3
@@ -847,6 +856,7 @@ man/man3/CMS_ContentInfo_print_ctx.3
 man/man3/CMS_EncryptedData_decrypt.3
 man/man3/CMS_EncryptedData_encrypt.3
 man/man3/CMS_EncryptedData_encrypt_ex.3
+man/man3/CMS_EncryptedData_set1_key.3
 man/man3/CMS_EnvelopedData_create.3
 man/man3/CMS_EnvelopedData_create_ex.3
 man/man3/CMS_EnvelopedData_decrypt.3
@@ -2836,6 +2846,7 @@ man/man3/OPENSSL_mem_debug_pop.3
 man/man3/OPENSSL_mem_debug_push.3
 man/man3/OPENSSL_memdup.3
 man/man3/OPENSSL_no_config.3
+man/man3/OPENSSL_ppccap.3
 man/man3/OPENSSL_realloc.3
 man/man3/OPENSSL_realloc_array.3
 man/man3/OPENSSL_riscvcap.3

Index: pkgsrc/security/openssl/distinfo
diff -u pkgsrc/security/openssl/distinfo:1.185 pkgsrc/security/openssl/distinfo:1.186
--- pkgsrc/security/openssl/distinfo:1.185      Fri Oct  3 09:11:10 2025
+++ pkgsrc/security/openssl/distinfo    Wed Jan 28 07:38:55 2026
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.185 2025/10/03 09:11:10 adam Exp $
+$NetBSD: distinfo,v 1.186 2026/01/28 07:38:55 adam Exp $
 
-BLAKE2s (openssl-3.6.0.tar.gz) = 2326b66bf7f763b3698462377f41a1bd01c1928cb3af17669ea7027bdeb0b30a
-SHA512 (openssl-3.6.0.tar.gz) = 866825a1cdf0b705b409402fbc7a713e7d9b8e7736c5126be57b354927954c148a341fc52b02c0629c1e015a889bfd40217f8e703b73235892e91da060909b76
-Size (openssl-3.6.0.tar.gz) = 54974351 bytes
+BLAKE2s (openssl-3.6.1.tar.gz) = bb303701bf6c4046902a09385d545a99446ea3a271a8d5193e5c635839b49a8d
+SHA512 (openssl-3.6.1.tar.gz) = 492cd2e0a7506e085d9840a929ead994390409a35c24e47e0cf44987920711b61f1513f21b7eee50e56f226b26cd654cda6dbd1f6e439563a93a8f0e530fefb5
+Size (openssl-3.6.1.tar.gz) = 54891951 bytes
 SHA1 (patch-Configurations_unix-Makefile.tmpl) = ea9b0a0c8de810362813d84a4f85c5ebdedf9fc6
 SHA1 (patch-util_perl_OpenSSL_config.pm) = 3ba3c23046bf69c7d348b4c1c8c8269d83cfa2b4
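
Review bot: The BLAKE2s, SHA512 and Size lines for openssl-3.6.1.tar.gz are the only integrity anchor for this security update, and the log message does not say how they were obtained. Please confirm they were checked against the upstream release's published checksum or signature rather than only regenerated from the downloaded file. The two SHA1 patch lines are unchanged context, so also confirm both local patches still apply cleanly to 3.6.1.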


