<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch vendor/openssl-3.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=vendor%2Fopenssl-3.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=vendor%2Fopenssl-3.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-07T22:39:14Z</updated>
<entry>
<title>openssl: import 3.0.20</title>
<updated>2026-04-07T22:39:14Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-07T22:39:14Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a8688e45ec5509793681275a8631726fdeb5663a'/>
<id>urn:sha1:a8688e45ec5509793681275a8631726fdeb5663a</id>
<content type='text'>
This change adds OpenSSL 3.0.20 from upstream [1].

The 3.5.5 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes.

More information about the release (from a high level) can be found in
the release notes [4].

1. openssl-3.0.20.tar.gz
2. openssl-3.0.20.tar.gz.asc
3. openssl-3.0.20.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.0.20/NEWS.md
</content>
</entry>
<entry>
<title>openssl: import 3.0.19</title>
<updated>2026-01-29T01:30:35Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-01-29T01:30:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=677808048e318ef0c4ad69c0c2cc8d82167bffbe'/>
<id>urn:sha1:677808048e318ef0c4ad69c0c2cc8d82167bffbe</id>
<content type='text'>
This change adds OpenSSL 3.0.19 from upstream [1].

The 3.0.19 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes.

More information about the release (from a high level) can be found in
the release notes [4].

1. https://github.com/openssl/openssl/releases/download/openssl-3.0.19/openssl-3.0.19.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.0.19/openssl-3.0.19.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.0.19/openssl-3.0.19.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.0.19/NEWS.md
</content>
</entry>
<entry>
<title>vendor/openssl: add additional test files for 3.0.18</title>
<updated>2025-09-30T19:09:15Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-09-30T19:08:16Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=12b8f7324509729dbf5c06c0e8fbc4723d3eefb3'/>
<id>urn:sha1:12b8f7324509729dbf5c06c0e8fbc4723d3eefb3</id>
<content type='text'>
These were accidentally missed in the prior commit (027bdf0ee383).
</content>
</entry>
<entry>
<title>vendor/openssl: import 3.0.18</title>
<updated>2025-09-30T19:03:51Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-09-30T19:03:15Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=027bdf0ee383fb657033470517517ceebecc3aa4'/>
<id>urn:sha1:027bdf0ee383fb657033470517517ceebecc3aa4</id>
<content type='text'>
Per the upstream release notes, this is a security release. However,
all of the needed fixes/mitigations have been deployed to all relevant
14.x branches making the update in this change less critical. This just
aids with future release backporting.

Obtained from:  https://github.com/openssl/openssl/releases/download/openssl-3.0.18/openssl-3.0.18.tar.gz
</content>
</entry>
<entry>
<title>vendor/openssl: import OpenSSL 3.0.17</title>
<updated>2025-07-11T00:18:38Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-07-11T00:18:38Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ecf8229ffeb17a05c78fab6b973b0cccb84e25c5'/>
<id>urn:sha1:ecf8229ffeb17a05c78fab6b973b0cccb84e25c5</id>
<content type='text'>
Per the upstream release notes, this is a ["bugfix release"](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#openssl-30). It does not
contain any security-critical bugfixes, unlike the most recent prior releases
of OpenSSL 3.0.

This release is not an immediate candidate for inclusion in
14.3-* releases. That being said, content from this release will
potentially be rolled into upcoming releases by virtue of this being an
iterative 3.0.x release.

The changes may be benign, but some care might be required in the event
that some of the bugfixes affect shipping code which requires behavior
that may have been changed in this release.

Obtained from:	https://github.com/openssl/openssl/releases/download/openssl-3.0.17/openssl-3.0.17.tar.gz
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.16</title>
<updated>2025-03-06T17:49:50Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-03-06T17:49:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1c34280346af8284acdc0eae39496811d37df25d'/>
<id>urn:sha1:1c34280346af8284acdc0eae39496811d37df25d</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.15.</title>
<updated>2024-09-04T03:56:17Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2024-09-04T03:56:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=108164cf95d9594884c2dcccba2691335e6f221b'/>
<id>urn:sha1:108164cf95d9594884c2dcccba2691335e6f221b</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html
</content>
</entry>
<entry>
<title>Avoid type errors in EAI-related name check logic.</title>
<updated>2024-09-01T22:50:31Z</updated>
<author>
<name>Viktor Dukhovni</name>
<email>viktor@openssl.org</email>
</author>
<published>2024-06-19T11:04:11Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e60dbfd00b009d424dfc5446d132872c93dd0aed'/>
<id>urn:sha1:e60dbfd00b009d424dfc5446d132872c93dd0aed</id>
<content type='text'>
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.

The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen-&gt;type`; not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.

The code in question was lightly refactored with the intent to make it more
obviously correct.

CVE-2024-6119

(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
</content>
</entry>
<entry>
<title>Import OpenSSL 3.0.14</title>
<updated>2024-06-20T23:24:17Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2024-06-20T23:24:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1070e7dca8223387baf5155524b28f62bfe7da3c'/>
<id>urn:sha1:1070e7dca8223387baf5155524b28f62bfe7da3c</id>
<content type='text'>
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)
</content>
</entry>
<entry>
<title>OpenSSL: Vendor import of OpenSSL 3.0.13</title>
<updated>2024-02-02T09:48:38Z</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2024-02-02T04:39:16Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'/>
<id>urn:sha1:9dd13e84fa8eca8f3462bd55485aa3da8c37f54a</id>
<content type='text'>
* Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
  ([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on
  PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q
  parameter value ([CVE-2023-5678])

Release notes can be found at
	https://www.openssl.org/news/openssl-3.0-notes.html.
</content>
</entry>
</feed>
