Opened 6 weeks ago
Closed 4 weeks ago
#5793 closed enhancement (fixed)
openssl-3.5.4
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.5 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version.
Change History (10)
comment:1 by , 6 weeks ago
comment:2 by , 6 weeks ago (follow-up: 7)
Note that if upgrading from 3.5.2 (and maybe other versions) to 3.5.3, openssh would need a rebuild because OPENSSL_VERSION_NUMBER was incorrect before 3.5.2, so openssh would believe it was built with an openssl pre-release but now running with a formal release, and error out.
comment:3 by , 4 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed at commit 9e2fa9a05d3
Update to vim-9.1.1806. Update to iana-etc-20250926. Update to coreutils-9.8. Update to expat-2.7.3 (Security release). Update to linux-6.16.9. Update to markupsafe-3.0.3. Update to meson-1.9.1. Update to openssl-3.5.3. Update to util-linux-2.41.2.
comment:4 by , 4 weeks ago
| Priority: | normal → high |
|---|---|
| Summary: | openssl-3.5.3 → openssl-3.5.4 |
Changes and CVEs fixed in 3.5.4:
CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.
Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release builds, as it broke some existing applications that relied on the previous 3.x semantics, as documented in OpenSSL_version(3).
comment:5 by , 4 weeks ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
comment:6 by , 4 weeks ago
| Owner: | changed from to |
|---|---|
| Status: | reopened → new |
comment:7 by , 4 weeks ago
Replying to Xi Ruoyao:
> Note that if upgrading from 3.5.2 (and maybe other versions) to 3.5.3, openssh would need a rebuild because OPENSSL_VERSION_NUMBER was incorrect before 3.5.2, so openssh would believe it was built with an openssl pre-release but now running with a formal release, and error out.
Not needed for 3.5.4 as they introduced back the bug for "bug compatibility." But if you already updated to 3.5.3 you need to rebuild OpenSSH again :(.
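The failure that comment 2 and comment 7 describe comes from a build-time versus run-time comparison: OpenSSH records the OPENSSL_VERSION_NUMBER it was compiled against and refuses to start when the loaded libcrypto reports a number whose status nibble (pre-release vs release) no longer agrees. The program below is an added example, not code from this ticket, from OpenSSL or from OpenSSH. It decodes the 3.x OPENSSL_VERSION_NUMBER layout from opensslv.h (major nibble, minor byte, patch byte, status nibble), applies a compatibility rule modelled on OpenSSH's ssh_compatible_openssl() (reproduced from memory, so treat the exact rule as an assumption), and shows which upgrade paths force a rebuild. The version numbers in main() are constructed sample values chosen to exercise the status-nibble flip, not the numbers any particular release shipped.

```c
#include <stdio.h>
#include <string.h>

/*
 * Layout of OPENSSL_VERSION_NUMBER in OpenSSL 3.x (opensslv.h):
 *   0xMNN00PPS  M = major (4 bits), NN = minor (8 bits), 00 = unused,
 *               PP = patch (8 bits), S = status nibble: 0x0 pre-release, 0xf release
 */
struct ossl_ver {
    unsigned major, minor, patch, status;
};

struct ossl_ver ossl_decode(unsigned long n)
{
    struct ossl_ver v;
    v.major  = (unsigned)((n >> 28) & 0xf);
    v.minor  = (unsigned)((n >> 20) & 0xff);
    v.patch  = (unsigned)((n >> 4) & 0xff);
    v.status = (unsigned)(n & 0xf);
    return v;
}

/* Human-readable form for diagnostics, e.g. "3.5.3" or "3.5.2 (pre-release)". */
void ossl_format(unsigned long n, char *buf, size_t len)
{
    struct ossl_ver v = ossl_decode(n);
    snprintf(buf, len, "%u.%u.%u%s", v.major, v.minor, v.patch,
             v.status == 0xf ? "" : " (pre-release)");
}

/*
 * Compatibility rule modelled on OpenSSH's ssh_compatible_openssl()
 * (assumption: reproduced from memory of openbsd-compat/openssl-compat.c).
 * For 3.x, the major nibble and the status nibble must agree between the
 * header the binary was compiled against and the library it loads; minor
 * and patch differences are tolerated.
 */
int ossl_compatible(unsigned long headerver, unsigned long libver)
{
    const unsigned long mask = 0xf000000fUL;   /* major nibble + status nibble */

    if (headerver == libver)
        return 1;                              /* exact match is always fine */
    if (ossl_decode(headerver).major >= 3)
        return (headerver & mask) == (libver & mask);
    return 0;                                  /* pre-3.0 rules are out of scope here */
}

/*
 * Operator-facing verdict: returns 1 when a program linked against `headerver`
 * must be rebuilt to run against `libver`, and explains why in msg (if given).
 */
int ossl_needs_rebuild(unsigned long headerver, unsigned long libver,
                       char *msg, size_t len)
{
    char built[32], running[32];

    ossl_format(headerver, built, sizeof built);
    ossl_format(libver, running, sizeof running);
    if (ossl_compatible(headerver, libver)) {
        if (msg)
            snprintf(msg, len, "ok: built against %s, running %s", built, running);
        return 0;
    }
    if (msg)
        snprintf(msg, len, "OpenSSL version mismatch: built against %s (0x%lx), "
                 "running %s (0x%lx); rebuild required",
                 built, headerver, running, libver);
    return 1;
}

int main(void)
{
    /* Constructed scenarios (sample numbers, not what any specific release
     * shipped): the status nibble flipping between 0x0 and 0xf across an
     * upgrade is what the ticket's comments describe breaking OpenSSH. */
    struct { const char *what; unsigned long header, lib; } cases[] = {
        { "same release, status f",                  0x3050002fUL, 0x3050002fUL },
        { "patch upgrade, both release",             0x3050002fUL, 0x3050003fUL },
        { "built against pre-release-tagged header", 0x30500020UL, 0x3050003fUL },
        { "library reverts to pre-release tag",      0x3050003fUL, 0x30500040UL },
    };
    char msg[160];
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ossl_needs_rebuild(cases[i].header, cases[i].lib, msg, sizeof msg);
        printf("%-42s -> %s\n", cases[i].what, msg);
    }
    return 0;
}
```

On a real system the two inputs to ossl_needs_rebuild() are the compile-time macro OPENSSL_VERSION_NUMBER from opensslv.h and the run-time value returned by OpenSSL_version_num(); an upgrade that changes only the patch byte passes, while one that changes the status nibble in either direction (the 3.5.2 to 3.5.3 path in comment 2, and the 3.5.3 to 3.5.4 path in comment 7) fails and needs the dependent package rebuilt.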
comment:8 by , 4 weeks ago
Good catch! I'll go adjust my staged security advisory to remove the section about needing to rebuild it :(
comment:10 by , 4 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |

Changes between 3.5.2 and 3.5.3 [16 Sep 2025]
OSSL_STORE_CTX kept open during lookup while potentially being used by multiple threads simultaneously, that could lead to potential crashes when multiple concurrent TLS connections are served.
openssl req no longer generates certificates with an empty extension list when SKID/AKID are set to none during generation.
VERSION.dat and not the current date for the released builds.
OPENSSL_VERSION_NUMBER.