### Changes between 3.2.5 and 3.2.6 [xx XXX xxxx]
+ * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
+
+ Issue summary: An application trying to decrypt CMS messages encrypted using
+ password based encryption can trigger an out-of-bounds read and write.
+
+ Impact summary: This out-of-bounds read may trigger a crash which leads to
+ Denial of Service for an application. The out-of-bounds write can cause
+ a memory corruption which can have various consequences including
+ a Denial of Service or Execution of attacker-supplied code.
+
+ The issue was reported by Stanislav Fort (Aisle Research).
+
+ ([CVE-2025-9230])
+
+ *Viktor Dukhovni*
+
+ * Fix Timing side-channel in SM2 algorithm on 64 bit ARM
+
+ Issue summary: A timing side-channel which could potentially allow remote
+ recovery of the private key exists in the SM2 algorithm implementation on
+ 64 bit ARM platforms.
+
+ Impact summary: A timing side-channel in SM2 signature computations on
+ 64 bit ARM platforms could allow recovering the private key by an attacker.
+
+ The issue was reported by Stanislav Fort (Aisle Research).
+
+ ([CVE-2025-9231])
+
+ *Stanislav Fort and Tomáš Mráz*
+
+ * Fix Out-of-bounds read in HTTP client no_proxy handling
+
+ Issue summary: An application using the OpenSSL HTTP client API functions
+ may trigger an out-of-bounds read if the "no_proxy" environment variable is
+ set and the host portion of the authority component of the HTTP URL is an
+ IPv6 address.
+
+ Impact summary: An out-of-bounds read can trigger a crash which leads to
+ Denial of Service for an application.
+
+ The issue was reported by Stanislav Fort (Aisle Research).
+
+ ([CVE-2025-9232])
+
+ *Stanislav Fort*
+
* Hardened the provider implementation of the RSA public key "encrypt"
operation to add a missing check that the caller-indicated output buffer
size is at least as large as the byte count of the RSA modulus. The issue
<!-- Links -->
+[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
+[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
+[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
+[CVE-2024-12797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-12797
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
### Major changes between OpenSSL 3.2.5 and OpenSSL 3.2.6 [under development]
- * none
+OpenSSL 3.2.6 is a security patch release. The most severe CVE fixed in this
+release is Moderate.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
+ ([CVE-2025-9230])
+
+ * Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
+ ([CVE-2025-9231])
+
+ * Fix Out-of-bounds read in HTTP client no_proxy handling.
+ ([CVE-2025-9232])
### Major changes between OpenSSL 3.2.4 and OpenSSL 3.2.5 [1 Jul 2025]
* Support for various new platforms
<!-- Links -->
-
+[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
+[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
+[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
+[CVE-2024-12797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-12797
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
projects / thirdparty / openssl.git / commitdiff
