Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions SPECS/openssl/CVE-2026-42769.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
From aaabb38e258400e96274e72ce0cff0cc6af6d826 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Fri, 17 Apr 2026 14:09:52 -0600
Subject: [PATCH 2/3] Use the correct issuer when validating rootCAKeyUpdate

This correctly uses the existing root, and not the same certificate
as the root of the chain to validate.

While we are here, we also turn on self signed certificate signature
checking as this case is actually bringing in trust anchors as
self signed certs, and fix a possible NULL deref.

Fixes CVE-2026-42769

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 19:54:01 2026
(cherry picked from commit 8b6c5dacb6ade54f30778cf344600d4a9df1f032)

Upstream Patch Reference: https://github.com/openssl/openssl/commit/777b363b16fcf2153bb3ded39dc3838713667c44
---
crypto/cmp/cmp_genm.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c
index 67d98fc..523be8f 100644
--- a/crypto/cmp/cmp_genm.c
+++ b/crypto/cmp/cmp_genm.c
@@ -202,7 +202,7 @@ static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx)
for (i = 0; i < sk_X509_num(trust); i++) {
issuer = sk_X509_value(trust, i);
if ((*check_issued)(store_ctx, cert, issuer)) {
- if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF))
+ if (X509_add_cert(chain, issuer, X509_ADD_FLAG_UP_REF))
ok = 1;
break;
}
@@ -235,6 +235,7 @@ static int verify_ss_cert(OSSL_LIB_CTX *libctx, const char *propq,
if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL
|| !X509_STORE_CTX_init(csc, ts, target, untrusted))
goto err;
+ X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CHECK_SS_SIGNATURE);
X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb);
ok = X509_verify_cert(csc) > 0;

@@ -253,7 +254,8 @@ verify_ss_cert_trans(OSSL_CMP_CTX *ctx, X509 *trusted /* may be NULL */,
int res = 0;

if (trusted != NULL) {
- X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
+ X509_VERIFY_PARAM *vpm = (ts == NULL) ? NULL
+ : X509_STORE_get0_param(ts);

if ((ts = X509_STORE_new()) == NULL)
return 0;
--
2.45.4

47 changes: 47 additions & 0 deletions SPECS/openssl/CVE-2026-42770.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From d3b41d8606807c7f8207dff3dad2f1e1cc3cd72f Mon Sep 17 00:00:00 2001
From: Norbert Pocs <norbertp@openssl.org>
Date: Tue, 12 May 2026 15:16:04 +0200
Subject: [PATCH 3/3] Match the local q DHX parameter against the peer's q

As FFC/DH peer public key validation uses the peer's q value instead
of checking against the local q, we must also check that these
q values match when setting the peer's public key.

Fixes CVE-2026-42770

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 19:56:27 2026
(cherry picked from commit 29b9df160cc5f20ee3907cce0cb271b982846bce)

Upstream Patch Reference: https://github.com/openssl/openssl/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c
---
providers/implementations/exchange/dh_exch.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index 2d5dcad..72de945 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -113,12 +113,15 @@ static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
static int dh_match_params(DH *priv, DH *peer)
{
int ret;
+ int ignore_q = 1;
FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);

+ if (dhparams_priv != NULL && dhparams_priv->q != NULL)
+ ignore_q = 0;
ret = dhparams_priv != NULL
&& dhparams_peer != NULL
- && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
+ && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, ignore_q);
if (!ret)
ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
return ret;
--
2.45.4

47 changes: 47 additions & 0 deletions SPECS/openssl/CVE-2026-45447.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
From 43c31006116dbcfb71f045d41ee5fe41a2d6e01e Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus@openssl.foundation>
Date: Sat, 16 May 2026 08:16:23 +0200
Subject: [PATCH 1/3] Fix possible use-after-free in OpenSSL PKCS7_verify()

Fixes CVE-2026-45447

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 20:22:50 2026
(cherry picked from commit b4fbcf9fd25f781b17b763e3ec84d6b6dc096f6e)

Upstream Patch Reference: https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c
---
crypto/pkcs7/pk7_smime.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 0fe6031..159e3be 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -219,6 +219,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
int i, j = 0, k, ret = 0;
BIO *p7bio = NULL;
BIO *tmpout = NULL;
+ BIO *next = NULL;
const PKCS7_CTX *p7_ctx;

if (p7 == NULL) {
@@ -345,9 +346,11 @@ err:
BIO_free(tmpout);
X509_STORE_CTX_free(cert_ctx);
OPENSSL_free(buf);
- if (indata != NULL)
- BIO_pop(p7bio);
- BIO_free_all(p7bio);
+ while (p7bio != NULL && p7bio != indata) {
+ next = BIO_pop(p7bio);
+ BIO_free(p7bio);
+ p7bio = next;
+ }
sk_X509_free(signers);
return ret;
}
--
2.45.4

8 changes: 7 additions & 1 deletion SPECS/openssl/openssl.spec
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.3.7
Release: 3%{?dist}
Release: 4%{?dist}
Vendor: Microsoft Corporation
Distribution: Azure Linux
Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz
Expand Down Expand Up @@ -78,6 +78,9 @@ Patch107: CVE-2026-45446.patch
Patch108: CVE-2026-7383.patch
Patch109: CVE-2026-9076.patch
Patch110: CVE-2026-42767.patch
Patch111: CVE-2026-45447.patch
Patch112: CVE-2026-42769.patch
Patch113: CVE-2026-42770.patch

License: Apache-2.0
URL: http://www.openssl.org/
Expand Down Expand Up @@ -374,6 +377,9 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs

%changelog
* Thu Jul 16 2026 Kanishk Bansal <kanbansal@microsoft.com> - 3.3.7-4
- Patch CVE-2026-45447, CVE-2026-42769, CVE-2026-42770

* Wed Jun 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.3.7-3
- Patch for CVE-2026-9076, CVE-2026-7383, CVE-2026-45446, CVE-2026-45445, CVE-2026-42768, CVE-2026-42766, CVE-2026-34183, CVE-2026-34180, CVE-2026-42767

Expand Down
10 changes: 5 additions & 5 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
Original file line number Diff line number Diff line change
Expand Up @@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
autoconf-2.72-2.azl3.noarch.rpm
automake-1.16.5-2.azl3.noarch.rpm
ocaml-srpm-macros-9-4.azl3.noarch.rpm
openssl-3.3.7-3.azl3.aarch64.rpm
openssl-devel-3.3.7-3.azl3.aarch64.rpm
openssl-libs-3.3.7-3.azl3.aarch64.rpm
openssl-perl-3.3.7-3.azl3.aarch64.rpm
openssl-static-3.3.7-3.azl3.aarch64.rpm
openssl-3.3.7-4.azl3.aarch64.rpm
openssl-devel-3.3.7-4.azl3.aarch64.rpm
openssl-libs-3.3.7-4.azl3.aarch64.rpm
openssl-perl-3.3.7-4.azl3.aarch64.rpm
openssl-static-3.3.7-4.azl3.aarch64.rpm
libcap-2.69-15.azl3.aarch64.rpm
libcap-devel-2.69-15.azl3.aarch64.rpm
debugedit-5.0-2.azl3.aarch64.rpm
Expand Down
10 changes: 5 additions & 5 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
Original file line number Diff line number Diff line change
Expand Up @@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
autoconf-2.72-2.azl3.noarch.rpm
automake-1.16.5-2.azl3.noarch.rpm
ocaml-srpm-macros-9-4.azl3.noarch.rpm
openssl-3.3.7-3.azl3.x86_64.rpm
openssl-devel-3.3.7-3.azl3.x86_64.rpm
openssl-libs-3.3.7-3.azl3.x86_64.rpm
openssl-perl-3.3.7-3.azl3.x86_64.rpm
openssl-static-3.3.7-3.azl3.x86_64.rpm
openssl-3.3.7-4.azl3.x86_64.rpm
openssl-devel-3.3.7-4.azl3.x86_64.rpm
openssl-libs-3.3.7-4.azl3.x86_64.rpm
openssl-perl-3.3.7-4.azl3.x86_64.rpm
openssl-static-3.3.7-4.azl3.x86_64.rpm
libcap-2.69-15.azl3.x86_64.rpm
libcap-devel-2.69-15.azl3.x86_64.rpm
debugedit-5.0-2.azl3.x86_64.rpm
Expand Down
12 changes: 6 additions & 6 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
Original file line number Diff line number Diff line change
Expand Up @@ -287,12 +287,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
npth-devel-1.6-4.azl3.aarch64.rpm
ntsysv-1.25-1.azl3.aarch64.rpm
ocaml-srpm-macros-9-4.azl3.noarch.rpm
openssl-3.3.7-3.azl3.aarch64.rpm
openssl-debuginfo-3.3.7-3.azl3.aarch64.rpm
openssl-devel-3.3.7-3.azl3.aarch64.rpm
openssl-libs-3.3.7-3.azl3.aarch64.rpm
openssl-perl-3.3.7-3.azl3.aarch64.rpm
openssl-static-3.3.7-3.azl3.aarch64.rpm
openssl-3.3.7-4.azl3.aarch64.rpm
openssl-debuginfo-3.3.7-4.azl3.aarch64.rpm
openssl-devel-3.3.7-4.azl3.aarch64.rpm
openssl-libs-3.3.7-4.azl3.aarch64.rpm
openssl-perl-3.3.7-4.azl3.aarch64.rpm
openssl-static-3.3.7-4.azl3.aarch64.rpm
p11-kit-0.25.0-1.azl3.aarch64.rpm
p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
p11-kit-devel-0.25.0-1.azl3.aarch64.rpm
Expand Down
12 changes: 6 additions & 6 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
Original file line number Diff line number Diff line change
Expand Up @@ -295,12 +295,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
npth-devel-1.6-4.azl3.x86_64.rpm
ntsysv-1.25-1.azl3.x86_64.rpm
ocaml-srpm-macros-9-4.azl3.noarch.rpm
openssl-3.3.7-3.azl3.x86_64.rpm
openssl-debuginfo-3.3.7-3.azl3.x86_64.rpm
openssl-devel-3.3.7-3.azl3.x86_64.rpm
openssl-libs-3.3.7-3.azl3.x86_64.rpm
openssl-perl-3.3.7-3.azl3.x86_64.rpm
openssl-static-3.3.7-3.azl3.x86_64.rpm
openssl-3.3.7-4.azl3.x86_64.rpm
openssl-debuginfo-3.3.7-4.azl3.x86_64.rpm
openssl-devel-3.3.7-4.azl3.x86_64.rpm
openssl-libs-3.3.7-4.azl3.x86_64.rpm
openssl-perl-3.3.7-4.azl3.x86_64.rpm
openssl-static-3.3.7-4.azl3.x86_64.rpm
p11-kit-0.25.0-1.azl3.x86_64.rpm
p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
p11-kit-devel-0.25.0-1.azl3.x86_64.rpm
Expand Down
Loading