Opened 4 months ago

Closed 2 months ago

#5723 closed enhancement (fixed)

openssl-3.5.1

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: normal Milestone: 12.4
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (6)

comment:2 by Bruce Dubbs, 4 months ago

Resolution: → invalid
Status: new → closed

I'm not sure why the currency script picked this up. I do see the following at https://github.com/openssl/openssl/releases/:

"... A fix is planned for OpenSSL 3.5.1"

But the script should not have looked at this section. I made a small fix to see if the script will do better.

comment:3 by Douglas R. Reno, 3 months ago

Priority: normal → high
Resolution: invalid (removed)
Status: closed → reopened

OpenSSL 3.5.1 is now available.

The one security fix is:

CVEs fixed in 3.5.1:

    CVE-2025-4575 - LOW - Fix x509 application adds trusted use instead of rejected use.

I don't see a need to rush on fixing this though, it can wait until the 15th.

comment:4 by Douglas R. Reno, 3 months ago

Priority: high → normal

This only affects 3.5, and we shipped LFS 12.3 with 3.4.x. The stable books thus aren't impacted by this vulnerability.

comment:5 by Bruce Dubbs, 2 months ago

Changes between 3.5.0 and 3.5.1 [1 Jul 2025]

  • Fix x509 application adds trusted use instead of rejected use.

Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate.

Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use.

(CVE-2025-4575)

  • Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation alert being received. Older versions of OpenSSL failed with DTLS if a no_renegotiation alert was received. All versions of OpenSSL do this for TLS. From 3.2 a bug was exposed that meant that DTLS ignored no_renegotiation. We have now restored the original behaviour and brought DTLS back into line with TLS.
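An added check for the CVE-2025-4575 behaviour quoted above (example script written for this page, not from the LFS book, the ticket or OpenSSL): it generates a throwaway self-signed certificate, runs `openssl x509 -addreject serverAuth` on it and reads the trust settings back with `-text`, reporting whether the use landed under "Rejected Uses" (correct) or "Trusted Uses" (the 3.5.0 bug). It assumes an `openssl` binary on PATH and the standard `x509 -text` trust-settings output.

```shell
#!/bin/sh
# Added check (not from the LFS book or this ticket): does the installed
# `openssl x509 -addreject` record a *rejected* use, or (CVE-2025-4575,
# OpenSSL 3.5.0) a *trusted* use?
set -u

# Prints one word: "rejected" (correct behaviour), "trusted" (the 3.5.0 bug),
# "skip" (no openssl binary on PATH) or "unknown" (output not understood).
check_addreject() {
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    # Constructed throwaway self-signed certificate, used only for this test.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
        -out "$tmp/cert.pem" -days 1 -subj "/CN=addreject-check" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; echo unknown; return 0; }
    # Ask for serverAuth to be REJECTED; the output is a TRUSTED CERTIFICATE
    # block carrying the trust settings alongside the certificate.
    openssl x509 -in "$tmp/cert.pem" -addreject serverAuth -out "$tmp/aux.pem" \
        >/dev/null 2>&1 || { rm -rf "$tmp"; echo unknown; return 0; }
    # -text prints the trust settings after the certificate body:
    # "Trusted Uses:"/"No Trusted Uses." and "Rejected Uses:"/"No Rejected Uses."
    text=$(openssl x509 -in "$tmp/aux.pem" -noout -text 2>/dev/null)
    rm -rf "$tmp"
    case "$text" in
        *"No Trusted Uses."*"Rejected Uses:"*) echo rejected ;;
        *"Trusted Uses:"*"No Rejected Uses."*) echo trusted ;;
        *) echo unknown ;;
    esac
}

# Human-readable summary when run directly.
case "$(check_addreject)" in
    rejected) echo "OK: -addreject records a rejected use" ;;
    trusted)  echo "VULNERABLE: -addreject recorded a trusted use (CVE-2025-4575)" ;;
    skip)     echo "SKIP: no openssl binary found" ;;
    *)        echo "UNKNOWN: could not interpret 'openssl x509 -text' output" ;;
esac
```

Any OpenSSL other than 3.5.0 (including the 3.4.x shipped in LFS 12.3) should report "rejected"; a 3.5.0 build reports "trusted".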

comment:6 by Bruce Dubbs, 2 months ago

Resolution: → fixed
Status: reopened → closed

Fixed at commit 0937f177be.

    Update to readline-8.3.
    Update to perl-5.42.0.
    Update to openssl-3.5.1.
    Update to ninja-1.13.1.
    Update to linux-6.15.6.
    Update to gettext-0.25.1.
    Update to e2fsprogs-1.47.3.
    Update to bash-5.3.