<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/crypto/openssl/apps, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-09T01:44:24Z</updated>
<entry>
<title>MFV: crypto/openssl: update to 3.5.6</title>
<updated>2026-04-09T01:44:24Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-09T01:44:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=10a428653ee7216475f1ddce3fb4cbf1200319f8'/>
<id>urn:sha1:10a428653ee7216475f1ddce3fb4cbf1200319f8</id>
<content type='text'>
This change brings in version 3.5.6 of OpenSSL, which features
several security fixes (the highest of which is a MEDIUM severity
issue), as well as some miscellaneous feature updates.

Please see the release notes [1] for more details.

PS Apologies for the confusing merge commits -- I was testing out a
new automated update process and failed to catch the commit message
issues until after I pushed the change.

1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md

MFC after:	1 day (the security issues warrant a quick backport).
Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90'
</content>
</entry>
<entry>
<title>OpenSSL: update vendor sources to match 3.5.5 content</title>
<updated>2026-01-31T22:07:17Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-01-31T22:06:28Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1731fc70f7344af08db49b06c63c963fa12ee354'/>
<id>urn:sha1:1731fc70f7344af08db49b06c63c963fa12ee354</id>
<content type='text'>
MFC with:	f25b8c9fb4f58cf61adb47d7570abe7caa6d385d
MFC after:	1 week
</content>
</entry>
<entry>
<title>openssl: import 3.5.5</title>
<updated>2026-01-31T22:00:39Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-01-31T22:00:39Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f25b8c9fb4f58cf61adb47d7570abe7caa6d385d'/>
<id>urn:sha1:f25b8c9fb4f58cf61adb47d7570abe7caa6d385d</id>
<content type='text'>
This change adds OpenSSL 3.5.5 from upstream [1].

The 3.5.5 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes. All of
the CVE-worthy issues have already been addressed on the target
branch(es), so the net result is that this is a bugfix release.

More information about the release (from a high level) can be found in
the release notes [4].

MFC after:	1 week

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md

Merge commit '808413da28df9fb93e1f304e6016b15e660f54c8'
</content>
</entry>
<entry>
<title>openssl: Fix multiple vulnerabilities</title>
<updated>2026-01-27T19:13:40Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2026-01-26T18:14:21Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9c151e1fbf1a71a4912afa9693a39d55a00db4eb'/>
<id>urn:sha1:9c151e1fbf1a71a4912afa9693a39d55a00db4eb</id>
<content type='text'>
This is a rollup commit from upstream to fix:
  Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
  "openssl dgst" one-shot codepath silently truncates inputs &gt;16MB (CVE-2025-15469)
  TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:	so
Obtained from:	OpenSSL
Security:	FreeBSD-SA-26:01.openssl
Security:	CVE-2025-11187
Security:	CVE-2025-15467
Security:	CVE-2025-15468
Security:	CVE-2025-15469
Security:	CVE-2025-66199
Security:	CVE-2025-68160
Security:	CVE-2025-69418
Security:	CVE-2025-69419
Security:	CVE-2025-69420
Security:	CVE-2025-69421
Security:	CVE-2026-22795
Security:	CVE-2026-22796
</content>
</entry>
<entry>
<title>crypto/openssl: update to 3.5.4</title>
<updated>2025-10-04T03:26:18Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-10-04T03:26:18Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=046c625e9382e17da953767b881aaa782fa73af8'/>
<id>urn:sha1:046c625e9382e17da953767b881aaa782fa73af8</id>
<content type='text'>
This change includes all necessary changes required to update to OpenSSL
3.5.4.

More information about the 3.5.4 release can be found in the relevant
release notes (see 8e12a5c4eb3507846b5 for more details).

Merge commit '8e12a5c4eb3507846b507d0afe87d115af41df40'
</content>
</entry>
<entry>
<title>crypto/openssl: update component to 3.5.3</title>
<updated>2025-09-22T22:31:10Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-09-22T22:31:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=88b8b7f0c4e9948667a2279e78e975a784049cba'/>
<id>urn:sha1:88b8b7f0c4e9948667a2279e78e975a784049cba</id>
<content type='text'>
This change updates the sources for crypto/openssl. The subsequent
commit will update the build artifacts to match the 3.5.3 release.

More details about the update can be found in the related vendor branch
commits.

MFC after:	1 week
Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572'
</content>
</entry>
<entry>
<title>crypto/openssl: make vendor imports easier/less error prone</title>
<updated>2025-08-21T17:02:46Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-08-01T04:03:33Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=267f8c1f4b09431b335d5f48d84586047471f978'/>
<id>urn:sha1:267f8c1f4b09431b335d5f48d84586047471f978</id>
<content type='text'>
This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.

The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
  all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
  `CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
  manpages is fresh.

Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).

All dynamic configuration previously captured in
`include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been
moved to `freebsd/include/dynamic_freebsd_configuration.h` and
`freebsd/include/crypto/bn_conf.h`, respectively. This helps
ensure that future updates don't wipe out FreeBSD customizations to
these files, which tune behavior on a per-target architecture basis, e.g.,
ARM vs x86, 32-bit vs 64-bit, etc.

MFC after: 1 month
Differential Revision:	https://reviews.freebsd.org/D51663
</content>
</entry>
<entry>
<title>openssl: Import version 3.5.1</title>
<updated>2025-08-07T13:54:34Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>khorben@FreeBSD.org</email>
</author>
<published>2025-07-11T21:57:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=4757b351ea9d59d71d4a38b82506d2d16fcd560d'/>
<id>urn:sha1:4757b351ea9d59d71d4a38b82506d2d16fcd560d</id>
<content type='text'>
Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be
EOL after 2026-09-07.

Approved by:	philip (mentor)
Sponsored by:	Alpha-Omega Beach Cleaning Project
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D51613
</content>
</entry>
<entry>
<title>Merge commit '1095efe41feed8ea5a6fe5ca123c347ae0914801'</title>
<updated>2025-08-07T13:50:32Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>khorben@FreeBSD.org</email>
</author>
<published>2025-08-07T13:50:32Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e7be843b4a162e68651d3911f0357ed464915629'/>
<id>urn:sha1:e7be843b4a162e68651d3911f0357ed464915629</id>
<content type='text'>
Approved by:	philip (mentor)
Sponsored by:	Alpha-Omega Beach Cleaning Project
Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.16</title>
<updated>2025-03-14T06:40:59Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-03-14T06:40:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0d0c8621fd181e507f0fb50ffcca606faf66a8c2'/>
<id>urn:sha1:0d0c8621fd181e507f0fb50ffcca606faf66a8c2</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D49296
</content>
</entry>
</feed>
