From: Peter Marko <peter.marko@siemens.com>
Date: Sun, 5 Oct 2025 11:18:52 +0000 (+0200)
Subject: openssl: upgrade 3.5.2 -> 3.5.4
X-Git-Tag: uninative-5.0~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e2b3c46fdf2e2b3854fa73bda434fdd41da0a3c;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

openssl: upgrade 3.5.2 -> 3.5.4

Release information:
https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-353-and-openssl-354-30-sep-2025

OpenSSL 3.5.4 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
* Fix Timing side-channel in SM2 algorithm on 64 bit ARM. (CVE-2025-9231)
* Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
* Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release builds, as it broke some exiting applications that relied on the previous 3.x semantics, as documented in OpenSSL_version(3).

Release information:
https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-352-and-openssl-353-16-sep-2025

OpenSSL 3.5.3 is a bug fix release.
This release incorporates the following bug fixes and mitigations:
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised OPENSSL_VERSION_NUMBER.
* Removed PCT on key import in the FIPS provider as it is not required by the standard.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 687d682976..dadc034c91 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -38,7 +38,7 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm
 index 09303c4..011bda1 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
-@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.2.bb b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.5.2.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.4.bb
index 396e69d7e7..c222b1533b 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.2.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.4.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec"
+SRC_URI[sha256sum] = "967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"