Update dependency openssl/openssl to v4.0.1#133
Merged
This PR contains the following updates:
openssl/openssl (openssl/openssl): 4.0.0 → 4.0.1

Release Notes

openssl/openssl (openssl/openssl)

v4.0.1: OpenSSL 4.0.1

OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

- Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
- Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
- Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
- Fixed double-free when checking OCSP stapled response. (CVE-2026-35188)
- Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
- Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
- Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
- Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
- Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
- Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
- Fixed NULL dereference in certificate verification with OCSP Checking. (CVE-2026-42765)
- Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)
- Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)
- Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)
- Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)
- Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)
- Fixed possible out of bounds read in X509_VERIFY_PARAM_set1_email(). (CVE-2026-42771)
- Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)
- Fixed a regression introduced in 4.0.0 that led to an openssl pkey command crash when it was invoked to encrypt a private key with the password being provided interactively.
- Fixed a regression introduced in 4.0.0 that led to the openssl s_client -adv command prematurely terminating a session when reading input of 16384 bytes in one read() call.

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.