### Changes between 3.0.18 and 3.0.19 [xx XXX xxxx]
+ * Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
+
+ Severity: High
+
+ Issue summary: Parsing CMS `AuthEnvelopedData` message with maliciously
+ crafted AEAD parameters can trigger a stack buffer overflow.
+
+ Impact summary: A stack buffer overflow may lead to a crash, causing Denial
+ of Service, or potentially remote code execution.
+
+ Reported by: Stanislav Fort (Aisle Research)
+
+ ([CVE-2025-15467])
+
+ *Igor Ustinov*
+
+ * Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
+
+ Severity: Low
+
+ Issue summary: Writing large, newline-free data into a BIO chain using the
+ line-buffering filter where the next BIO performs short writes can trigger
+ a heap-based out-of-bounds write.
+
+ Impact summary: This out-of-bounds write can cause memory corruption
+ which typically results in a crash, leading to Denial of Service for
+ an application.
+
+ Reported by: Petr Simecek (Aisle Research) and Stanislav Fort (Aisle
+ Research)
+
+ ([CVE-2025-68160])
+
+ *Stanislav Fort and Neil Horman*
+
+ * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
+ function calls.
+
+ Severity: Low
+
+ Issue summary: When using the low-level OCB API directly with AES-NI or
+ other hardware-accelerated code paths, inputs whose length is not a multiple
+ of 16 bytes can leave the final partial block unencrypted and
+ unauthenticated.
+
+ Impact summary: The trailing 1-15 bytes of a message may be exposed in
+ cleartext on encryption and are not covered by the authentication tag,
+ allowing an attacker to read or tamper with those bytes without detection.
+
+ Reported by: Stanislav Fort (Aisle Research)
+
+ ([CVE-2025-69418])
+
+ *Stanislav Fort*
+
+ * Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
+
+ Severity: Low
+
+ Issue summary: Calling `PKCS12_get_friendlyname()` function on a maliciously
+ crafted PKCS#12 file with a `BMPString` (UTF-16BE) friendly name containing
+ non-ASCII BMP code point can trigger a one byte write before the allocated
+ buffer.
+
+ Impact summary: The out-of-bounds write can cause a memory corruption
+ which can have various consequences including a Denial of Service.
+
+ Reported by: Stanislav Fort (Aisle Research)
+
+ ([CVE-2025-69419])
+
+ *Norbert Pócs*
+
+ * Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` function.
+
+ Severity: Low
+
+ Issue summary: A type confusion vulnerability exists in the TimeStamp
+ Response verification code where an `ASN1_TYPE` union member is accessed
+ without first validating the type, causing an invalid or NULL pointer
+ dereference when processing a malformed `TimeStamp` Response file.
+
+ Impact summary: An application calling `TS_RESP_verify_response()`
+ with a malformed TimeStamp Response can be caused to dereference an invalid
+ or NULL pointer when reading, resulting in a Denial of Service.
+
+ Reported by: Luigino Camastra (Aisle Research)
+
+ ([CVE-2025-69420])
+
+ *Bob Beck*
+
+ * Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
+
+ Severity: Low
+
+ Issue summary: Processing a malformed PKCS#12 file can trigger a NULL
+ pointer dereference in the `PKCS12_item_decrypt_d2i_ex()` function.
+
+ Impact summary: A NULL pointer dereference can trigger a crash which leads
+ to Denial of Service for an application processing PKCS#12 files.
+
+ Reported by: Luigino Camastra (Aisle Research)
+
+ ([CVE-2025-69421])
+
+ *Luigino Camastra*
+
+ * Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
+
+ Severity: Low
+
+ Issue summary: An invalid or NULL pointer dereference can happen in
+ an application processing a malformed PKCS#12 file.
+
+ Impact summary: An application processing a malformed PKCS#12 file can be
+ caused to dereference an invalid or NULL pointer on memory read, resulting
+ in a Denial of Service.
+
+ Reported by: Luigino Camastra (Aisle Research)
+
+ ([CVE-2026-22795])
+
+ *Bob Beck*
+
+ * Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
+ function.
+
+ Severity: Low
+
+ Issue summary: A type confusion vulnerability exists in the signature
+ verification of signed PKCS#7 data where an `ASN1_TYPE` union member
+ is accessed without first validating the type, causing an invalid or NULL
+ pointer dereference when processing malformed PKCS#7 data.
+
+ Impact summary: An application performing signature verification of PKCS#7
+ data or calling directly the `PKCS7_digest_from_attributes()` function can be
+ caused to dereference an invalid or NULL pointer when reading, resulting in
+ a Denial of Service.
+
+ Reported by: Luigino Camastra (Aisle Research)
+
+ ([CVE-2026-22796])
+
+ *Bob Beck*
+
* Fixed incorrect acceptance of some malformed ECDSA signatures on s390x.
<!-- https://github.com/openssl/openssl/pull/29214 -->
<!-- Links -->
+[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796
+[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795
+[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421
+[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420
+[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419
+[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418
+[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160
+[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467
[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
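Review bot: the new entry titles capitalize the first word after "Fixed" as if pasting an advisory headline ("Fixed Stack buffer overflow", "Fixed Heap out-of-bounds write", "Fixed Unauthenticated/unencrypted trailing bytes", "Fixed Out of bounds write", "Fixed Missing `ASN1_TYPE` validation", "Fixed NULL Pointer Dereference", "Fixed `ASN1_TYPE` Type Confusion"), which clashes with the neighbouring entry "Fixed incorrect acceptance of some malformed ECDSA signatures on s390x."; use sentence case throughout, e.g. "Fixed stack buffer overflow in CMS `AuthEnvelopedData` parsing." Two content points in the same hunk: the CVE-2026-22795 entry ("Missing `ASN1_TYPE` validation in PKCS#12 parsing") is the only one that names no affected function, while its sibling CVE-2025-69421 names `PKCS12_item_decrypt_d2i_ex()`, so readers cannot tell which PKCS#12 code path to look for in their own call graph; and the CVE-2025-69418 OCB entry says the problem arises "when using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths" but never states whether callers going through the EVP interface are affected, which is the first question anyone triaging it will ask, so a one-line statement either way belongs in the issue summary.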
### Major changes between OpenSSL 3.0.18 and OpenSSL 3.0.19 [under development]
- * none
+OpenSSL 3.0.19 is a security patch release. The most severe CVE fixed in this
+release is High.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
+ ([CVE-2025-15467])
+
+ * Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes.
+ ([CVE-2025-68160])
+
+ * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
+ function calls.
+ ([CVE-2025-69418])
+
+ * Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion.
+ ([CVE-2025-69419])
+
+ * Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()`
+ function.
+ ([CVE-2025-69420])
+
+ * Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function.
+ ([CVE-2025-69421])
+
+ * Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing.
+ ([CVE-2026-22795])
+
+ * Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()`
+ function.
+ ([CVE-2026-22796])
### Major changes between OpenSSL 3.0.17 and OpenSSL 3.0.18 [30 Sep 2025]
* Support for various new platforms
<!-- Links -->
+[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796
+[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795
+[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421
+[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420
+[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419
+[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418
+[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160
+[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467
[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
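Review bot: the eight bullet titles in this hunk repeat the capitalized headline wording ("Fixed Stack buffer overflow", "Fixed Heap out-of-bounds write", "Fixed NULL Pointer Dereference", "Fixed `ASN1_TYPE` Type Confusion") next to the existing sentence-case bullet "Support for various new platforms"; lower-case them, and apply the same wording in both files in the same commit so the NEWS summary does not drift from the CHANGES entries it mirrors. Note also that this hunk adds the link definitions twice, once directly under the 3.0.19 list and once under the `<!-- Links -->` marker after the 3.0.18 section; the file's existing convention is a single link block after `<!-- Links -->`, so the first copy should go.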