Opened 3 weeks ago
Closed 7 days ago
#5793 closed enhancement (fixed)
openssl-3.5.4
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 12.5 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (10)
comment:1 by , 3 weeks ago
comment:2 by , 3 weeks ago (follow-up: comment:7)
Note that if upgrading from 3.5.2 (and maybe other versions) to 3.5.3, openssh would need a rebuild because OPENSSL_VERSION_NUMBER was incorrect before 3.5.2, so openssh would believe it was built with an openssl pre-release but now running with a formal release, and error out.
comment:3 by , 8 days ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed at commit 9e2fa9a05d3
Update to vim-9.1.1806. Update to iana-etc-20250926. Update to coreutils-9.8. Update to expat-2.7.3 (Security release). Update to linux-6.16.9. Update to markupsafe-3.0.3. Update to meson-1.9.1. Update to openssl-3.5.3. Update to util-linux-2.41.2.
comment:4 by , 8 days ago
Priority: | normal → high |
---|---|
Summary: | openssl-3.5.3 → openssl-3.5.4 |
Changes and CVEs fixed in 3.5.4:
CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.
Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release builds, as it broke some existing applications that relied on the previous 3.x semantics, as documented in OpenSSL_version(3).
comment:5 by , 8 days ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:6 by , 8 days ago
Owner: | changed from | to
---|---|
Status: | reopened → new |
comment:7 by , 8 days ago
Replying to Xi Ruoyao:
Note that if upgrading from 3.5.2 (and maybe other versions) to 3.5.3, openssh would need a rebuild because OPENSSL_VERSION_NUMBER was incorrect before 3.5.2, so openssh would believe it was built with an openssl pre-release but now running with a formal release, and error out.
Not needed for 3.5.4 as they introduced back the bug for "bug compatibility." But if you already updated to 3.5.3 you need to rebuild OpenSSH again :(.
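Added example (not OpenSSH's or OpenSSL's own code) of why the header/library mismatch discussed above makes OpenSSH refuse to start: it decodes the 3.x OPENSSL_VERSION_NUMBER layout and applies a compatibility check modelled on the one OpenSSH runs at startup, comparing the compile-time header value against the runtime OpenSSL_version_num() value; for 3.x only the major digit and the status nibble must agree (that mask is an assumption about OpenSSH's logic). The version constants are constructed to mirror the ticket's scenario.

```c
/* Constructed illustration of the OPENSSL_VERSION_NUMBER status-nibble
 * mismatch described in the ticket. Not OpenSSH's or OpenSSL's own code. */
#include <stdio.h>

/* 3.x layout: major<<28 | minor<<20 | patch<<4 | status.
 * Status nibble: 0xf = final release, 0x0 = pre-release/dev build. */
struct ossl_ver { unsigned major, minor, patch, status; };

static struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xffff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* 3.x check modelled on OpenSSH's startup test (assumed mask):
 * an exact match passes, otherwise major and status must agree. */
static int compatible_3x(unsigned long headerver, unsigned long libver)
{
    const unsigned long mask = 0xf000000fUL; /* major nibble + status nibble */
    if (headerver == libver)
        return 1;
    return (headerver & mask) == (libver & mask);
}

static void report(const char *what, unsigned long headerver, unsigned long libver)
{
    struct ossl_ver h = decode_version(headerver), l = decode_version(libver);
    printf("%s: built against %u.%u.%u (status 0x%x), running %u.%u.%u (status 0x%x) -> %s\n",
           what, h.major, h.minor, h.patch, h.status, l.major, l.minor, l.patch, l.status,
           compatible_3x(headerver, libver) ? "ok" : "MISMATCH, sshd would error out");
}

int main(void)
{
    /* Constructed values: a 3.5.2 header carrying the wrong status 0x0
     * (looks like a pre-release) versus a 3.5.3 library with status 0xf. */
    const unsigned long hdr_352_wrong_status = 0x30500020UL;
    const unsigned long lib_353_release      = 0x3050003fUL;
    /* Both sides carrying the same status nibble pass the check. */
    const unsigned long hdr_353_release      = 0x3050003fUL;
    const unsigned long lib_354_release      = 0x3050004fUL;

    report("3.5.2 -> 3.5.3 without rebuild", hdr_352_wrong_status, lib_353_release);
    report("3.5.3 -> 3.5.4 same status", hdr_353_release, lib_354_release);
    return 0;
}
```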
comment:8 by , 8 days ago
Good catch! I'll go adjust my staged security advisory to remove the section about needing to rebuild it :(
comment:10 by , 7 days ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Changes between 3.5.2 and 3.5.3 [16 Sep 2025]
OSSL_STORE_CTX kept open during lookup while potentially being used by multiple threads simultaneously, that could lead to potential crashes when multiple concurrent TLS connections are served.
openssl req no longer generates certificates with an empty extension list when SKID/AKID are set to none during generation.
VERSION.dat and not the current date for the released builds.
OPENSSL_VERSION_NUMBER.