
Update dependency openssl/openssl to v4.0.1#133

Merged
renovate[bot] merged 1 commit into
masterfrom
renovate/openssl-openssl-4.x
Jun 9, 2026

Conversation


@renovate renovate Bot commented Jun 9, 2026

Contributor

This PR contains the following updates:

Package           Update   Change
openssl/openssl   patch    4.0.0 -> 4.0.1

Release Notes

openssl/openssl (openssl/openssl)

v4.0.1: OpenSSL 4.0.1


OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed
in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify().
    (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages.
    (CVE-2026-34182)

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
    (CVE-2026-34183)

  • Fixed double-free when checking OCSP stapled response.
    (CVE-2026-35188)

  • Fixed NULL pointer dereference in QUIC server initial packet handling.
    (CVE-2026-42764)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path.
    (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
    (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption.
    (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing.
    (CVE-2026-34180)

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
    (CVE-2026-34181)

  • Fixed NULL dereference in certificate verification with OCSP Checking.
    (CVE-2026-42765)

  • Fixed possible NULL dereference in password-based CMS decryption.
    (CVE-2026-42766)

  • Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
    (CVE-2026-42767)

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
    and PKCS7_decrypt().
    (CVE-2026-42768)

  • Fixed trust anchor substitution via cert/issuer typo in CMP
    rootCaKeyUpdate.
    (CVE-2026-42769)

  • Fixed FFC-DH peer validation uses attacker-supplied q.
    (CVE-2026-42770)

  • Fixed possible out of bounds read in X509_VERIFY_PARAM_set1_email().
    (CVE-2026-42771)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV
    and AES-SIV modes.
    (CVE-2026-45446)

  • Fixed a regression introduced in 4.0.0 that led to an openssl pkey
    command crash when it was invoked to encrypt a private key with the password
    being provided interactively.

  • Fixed a regression introduced in 4.0.0 that led to openssl s_client -adv
    command prematurely terminating a session when reading input of 16384 bytes
    in one read() call.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • "before 2am"

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
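After a pin like this is merged, the thing worth verifying is that the artifacts you actually ship link the patched library rather than a stale build. The following is an added example, not code from this repository or from the OpenSSL project: it parses an OpenSSL version banner (the `openssl version` output, or Python's `ssl.OPENSSL_VERSION`) and reports whether a 4.0.x build predates 4.0.1. Other release series (1.1.1x, 3.x) get their own backports with their own fixed versions, which this page does not list, so the check deliberately returns "not covered" for them instead of guessing. The sample banners are constructed.

```python
import re
import ssl
from typing import Optional, Tuple

# Minimum version carrying the fixes in the 4.0.1 release notes above.
FIXED_4_0 = (4, 0, 1)

# Matches "OpenSSL 4.0.1 ..." and the letter-suffixed 1.x style "OpenSSL 1.1.1w ...".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a version banner into a comparable (major, minor, patch, letter) tuple.

    1.x patch letters are mapped to a fourth component (a=1, b=2, ..., w=23) so
    that 1.1.1w sorts after 1.1.1 and both numbering schemes compare cleanly.
    Returns None when the banner is not an OpenSSL version string.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in range(1, 4))
    letter_rank = 0
    for ch in m.group(4):
        letter_rank = letter_rank * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, patch, letter_rank)


def missing_4_0_1_fixes(banner: str) -> Optional[bool]:
    """True if the banner is a 4.0.x build older than 4.0.1, False if 4.0.1 or
    later in the 4.0 series, None if the build belongs to another series whose
    fixed version is not stated on this page (so no claim is made about it).
    Raises ValueError for strings that are not OpenSSL banners."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, _ = version
    if (major, minor) != FIXED_4_0[:2]:
        return None
    return patch < FIXED_4_0[2]


def runtime_report() -> Tuple[str, Optional[bool]]:
    """Check the OpenSSL this interpreter's ssl module is linked against."""
    banner = ssl.OPENSSL_VERSION
    return banner, missing_4_0_1_fixes(banner)


if __name__ == "__main__":
    # Constructed banners, not real build output.
    for sample in ("OpenSSL 4.0.0", "OpenSSL 4.0.1", "OpenSSL 1.1.1w", "OpenSSL 3.5.0"):
        status = missing_4_0_1_fixes(sample)
        verdict = {True: "UPDATE: predates 4.0.1", False: "ok", None: "not covered by these notes"}[status]
        print(f"{sample:<16} {verdict}")
    banner, status = runtime_report()
    print(f"runtime: {banner} -> {status}")
```

Run it inside the built image or on the host that consumes this pin; a `True` from `runtime_report()` means the bump merged but the running binary still links 4.0.0.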

@renovate renovate Bot enabled auto-merge (squash) June 9, 2026 13:59
@renovate renovate Bot merged commit 8e6f197 into master Jun 9, 2026
1 check passed
@renovate renovate Bot deleted the renovate/openssl-openssl-4.x branch June 9, 2026 14:03
