<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/crypto/openssl/ssl, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-09T01:44:24Z</updated>
<entry>
<title>MFV: crypto/openssl: update to 3.5.6</title>
<updated>2026-04-09T01:44:24Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-04-09T01:44:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=10a428653ee7216475f1ddce3fb4cbf1200319f8'/>
<id>urn:sha1:10a428653ee7216475f1ddce3fb4cbf1200319f8</id>
<content type='text'>
This change brings in version 3.5.6 of OpenSSL, which features
several security fixes (the highest of which is a MEDIUM severity
issue), as well as some miscellaneous feature updates.

Please see the release notes [1] for more details.

PS Apologies for the confusing merge commits -- I was testing out a
new automated update process and failed to catch the commit message
issues until after I pushed the change.

1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md

MFC after:	1 day (the security issues warrant a quick backport).
Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90'
</content>
</entry>
<entry>
<title>openssl: import 3.5.5</title>
<updated>2026-01-31T22:00:39Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2026-01-31T22:00:39Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f25b8c9fb4f58cf61adb47d7570abe7caa6d385d'/>
<id>urn:sha1:f25b8c9fb4f58cf61adb47d7570abe7caa6d385d</id>
<content type='text'>
This change adds OpenSSL 3.5.5 from upstream [1].

The 3.5.5 artifact has been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes. All of
the CVE-worthy issues have already been addressed on the target
branch(es), so the net result is that this is a bugfix release.

More information about the release (from a high level) can be found in
the release notes [4].

MFC after:	1 week

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md

Merge commit '808413da28df9fb93e1f304e6016b15e660f54c8'
</content>
</entry>
<entry>
<title>openssl: Fix multiple vulnerabilities</title>
<updated>2026-01-27T19:13:40Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2026-01-26T18:14:21Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9c151e1fbf1a71a4912afa9693a39d55a00db4eb'/>
<id>urn:sha1:9c151e1fbf1a71a4912afa9693a39d55a00db4eb</id>
<content type='text'>
This is a rollup commit from upstream to fix:
  Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)
  Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
  NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)
  "openssl dgst" one-shot codepath silently truncates inputs &gt;16MB (CVE-2025-15469)
  TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)
  Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
  Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
  Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
  Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
  NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
  Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
  ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)

See https://openssl-library.org/news/secadv/ for additional details.

Approved by:	so
Obtained from:	OpenSSL
Security:	FreeBSD-SA-26:01.openssl
Security:	CVE-2025-11187
Security:	CVE-2025-15467
Security:	CVE-2025-15468
Security:	CVE-2025-15469
Security:	CVE-2025-66199
Security:	CVE-2025-68160
Security:	CVE-2025-69418
Security:	CVE-2025-69419
Security:	CVE-2025-69420
Security:	CVE-2025-69421
Security:	CVE-2026-22795
Security:	CVE-2026-22796
</content>
</entry>
<entry>
<title>crypto/openssl: update to 3.5.4</title>
<updated>2025-10-04T03:26:18Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-10-04T03:26:18Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=046c625e9382e17da953767b881aaa782fa73af8'/>
<id>urn:sha1:046c625e9382e17da953767b881aaa782fa73af8</id>
<content type='text'>
This change includes all necessary changes required to update to OpenSSL
3.5.4.

More information about the 3.5.4 release can be found in the relevant
release notes (see 8e12a5c4eb3507846b5 for more details).

Merge commit '8e12a5c4eb3507846b507d0afe87d115af41df40'
</content>
</entry>
<entry>
<title>crypto/openssl: update component to 3.5.3</title>
<updated>2025-09-22T22:31:10Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-09-22T22:31:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=88b8b7f0c4e9948667a2279e78e975a784049cba'/>
<id>urn:sha1:88b8b7f0c4e9948667a2279e78e975a784049cba</id>
<content type='text'>
This change updates the sources for crypto/openssl. The subsequent
commit will update the build artifacts to match the 3.5.3 release.

More details about the update can be found in the related vendor branch
commits.

MFC after:	1 week
Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572'
</content>
</entry>
<entry>
<title>Merge commit '1095efe41feed8ea5a6fe5ca123c347ae0914801'</title>
<updated>2025-08-07T13:50:32Z</updated>
<author>
<name>Pierre Pronchery</name>
<email>khorben@FreeBSD.org</email>
</author>
<published>2025-08-07T13:50:32Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e7be843b4a162e68651d3911f0357ed464915629'/>
<id>urn:sha1:e7be843b4a162e68651d3911f0357ed464915629</id>
<content type='text'>
Approved by:	philip (mentor)
Sponsored by:	Alpha-Omega Beach Cleaning Project
Sponsored by:	The FreeBSD Foundation
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.16</title>
<updated>2025-03-14T06:40:59Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2025-03-14T06:40:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0d0c8621fd181e507f0fb50ffcca606faf66a8c2'/>
<id>urn:sha1:0d0c8621fd181e507f0fb50ffcca606faf66a8c2</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D49296
</content>
</entry>
<entry>
<title>openssl: Import OpenSSL 3.0.15.</title>
<updated>2024-09-08T04:31:22Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2024-09-08T04:30:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a7148ab39c03abd4d1a84997c70bf96f15dd2a09'/>
<id>urn:sha1:a7148ab39c03abd4d1a84997c70bf96f15dd2a09</id>
<content type='text'>
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by:	gordon
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
</content>
</entry>
<entry>
<title>Update to OpenSSL 3.0.14</title>
<updated>2024-06-26T23:50:13Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2024-06-26T23:50:13Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=44096ebd22ddd0081a357011714eff8963614b65'/>
<id>urn:sha1:44096ebd22ddd0081a357011714eff8963614b65</id>
<content type='text'>
This release resolves 3 upstream found CVEs:
- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)

MFC after:	3 days
Merge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
</content>
</entry>
<entry>
<title>OpenSSL: Vendor import of OpenSSL 3.0.13</title>
<updated>2024-02-02T21:21:36Z</updated>
<author>
<name>Cy Schubert</name>
<email>cy@FreeBSD.org</email>
</author>
<published>2024-02-02T21:10:22Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6'/>
<id>urn:sha1:e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6</id>
<content type='text'>
 * Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
 * Fixed Excessive time spent checking invalid RSA public keys
   ([CVE-2023-6237])
 * Fixed POLY1305 MAC implementation corrupting vector registers on
   PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])
 * Fix excessive time spent in DH check / generation with large Q
   parameter value ([CVE-2023-5678])

Release notes can be found at
            https://www.openssl.org/news/openssl-3.0-notes.html.

Approved by:	emaste
MFC after:	3 days

Merge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'
</content>
</entry>
</feed>
