openssl_3_5: 3.5.0 -> 3.5.1
Taken from OpenSSL Release Page: OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this release is Low. This release incorporates the following bug fixes and mitigations: - Fix x509 application adds trusted use instead of rejected use. ([CVE-2025-4575]) Signed-off-by: Markus Theil <theil.markus@gmail.com>
This commit is contained in:
		
							parent
							
								
									536476f3aa
								
							
						
					
					
						commit
						54cf737988
					
				| @ -1,61 +0,0 @@ | ||||
| From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001 | ||||
| From: Tomas Mraz <tomas@openssl.org> | ||||
| Date: Tue, 20 May 2025 16:34:10 +0200 | ||||
| Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead | ||||
|  of rejection | ||||
| 
| Fixes CVE-2025-4575 | ||||
| 
| Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> | ||||
| Reviewed-by: Paul Dale <ppzgs1@gmail.com> | ||||
| (Merged from https://github.com/openssl/openssl/pull/27672) | ||||
| 
| (cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac) | ||||
| ---
|  apps/x509.c                 |  2 +- | ||||
|  test/recipes/25-test_x509.t | 12 +++++++++++- | ||||
|  2 files changed, 12 insertions(+), 2 deletions(-) | ||||
| 
| diff --git a/apps/x509.c b/apps/x509.c
| index fdae8f383a667..0c340c15b321a 100644
| --- a/apps/x509.c
| +++ b/apps/x509.c
| @@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
|                             prog, opt_arg()); | ||||
|                  goto opthelp; | ||||
|              } | ||||
| -            if (!sk_ASN1_OBJECT_push(trust, objtmp))
| +            if (!sk_ASN1_OBJECT_push(reject, objtmp))
|                  goto end; | ||||
|              trustout = 1; | ||||
|              break; | ||||
| diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
| index 09b61708ff8a5..dfa0a428f5f0c 100644
| --- a/test/recipes/25-test_x509.t
| +++ b/test/recipes/25-test_x509.t
| @@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
|   | ||||
|  setup("test_x509"); | ||||
|   | ||||
| -plan tests => 134;
| +plan tests => 138;
|   | ||||
|  # Prevent MSys2 filename munging for arguments that look like file paths but | ||||
|  # aren't | ||||
| @@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
|  && run(app(["openssl", "verify", "-no_check_time", | ||||
|              "-trusted", $ca, "-partial_chain", $caout]))); | ||||
|   | ||||
| +# test trust decoration
| +ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
| +            "-out", "ca-trusted.pem"])));
| +cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
| +              1, 'trusted use - E-mail Protection');
| +ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
| +            "-out", "ca-rejected.pem"])));
| +cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
| +              1, 'rejected use - E-mail Protection');
| +
|  subtest 'x509 -- x.509 v1 certificate' => sub { | ||||
|      tconversion( -type => 'x509', -prefix => 'x509v1', | ||||
|                   -in => srctop_file("test", "testx509.pem") ); | ||||
| @ -1,32 +0,0 @@ | ||||
| From 38bf6f3036d1baddbe4618a219aaf17d460091d9 Mon Sep 17 00:00:00 2001 | ||||
| From: Matt Caswell <matt@openssl.org> | ||||
| Date: Mon, 7 Apr 2025 09:58:30 +0100 | ||||
| Subject: [PATCH] Fix SSL_accept() | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=UTF-8 | ||||
| Content-Transfer-Encoding: 8bit | ||||
| 
| If you have a QUIC server SSL connection object, you should be able to | ||||
| call SSL_accept() on it. | ||||
| 
| Fixes #27282 | ||||
| 
| Reviewed-by: Neil Horman <nhorman@openssl.org> | ||||
| Reviewed-by: Saša Nedvědický <sashan@openssl.org> | ||||
| (Merged from https://github.com/openssl/openssl/pull/27283) | ||||
| ---
|  ssl/quic/quic_method.c | 4 ++-- | ||||
|  1 file changed, 2 insertions(+), 2 deletions(-) | ||||
| 
| diff --git a/ssl/quic/quic_method.c b/ssl/quic/quic_method.c
| index 0de2bca47e6bb..8092855efc61a 100644
| --- a/ssl/quic/quic_method.c
| +++ b/ssl/quic/quic_method.c
| @@ -23,5 +23,5 @@ IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,
|   | ||||
|  IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION, | ||||
|                           OSSL_QUIC_server_method, | ||||
| -                         ssl_undefined_function,
| -                         ossl_quic_connect, ssl3_undef_enc_method)
| +                         ossl_quic_accept,
| +                         ssl_undefined_function, ssl3_undef_enc_method)
| @ -388,8 +388,8 @@ in | ||||
|   }; | ||||
| 
|   openssl_3_5 = common { | ||||
|     version = "3.5.0"; | ||||
|     hash = "sha256-NE0KefGpsIApsHROLMQBpD+ckKzRBE0JpTC0iFqOn8A="; | ||||
|     version = "3.5.1"; | ||||
|     hash = "sha256-UpBDsVz/pfNgd6TQr4Pz3jmYBxgdYHRB1zQZbYibZB8="; | ||||
| 
|     patches = [ | ||||
|       ./3.0/nix-ssl-cert-file.patch | ||||
| @ -404,12 +404,6 @@ in | ||||
|         else | ||||
|           ./3.5/use-etc-ssl-certs.patch | ||||
|       ) | ||||
| 
|       # can be dropped again with 3.5.1, see: https://github.com/openssl/openssl/issues/27282 | ||||
|       ./3.5/quic_accept.patch | ||||
| 
|       # can be dropped again with 3.5.1 | ||||
|       ./3.5/CVE-2025-4575.patch | ||||
|     ]; | ||||
| 
|     withDocs = true; | ||||
|  | ||||
	 Markus Theil
						Markus Theil