openssl (3.5.5-ok6) huanghe; urgency=medium

  * CVE-2026-34180, Heap Buffer Over-read in ASN.1 Content Parsing
  * CVE-2026-34181, PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
  * CVE-2026-34182, CMS AuthEnvelopedData Processing May Accept Forged Messages
  * CVE-2026-34183, Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
  * CVE-2026-42764, NULL pointer dereference in QUIC server initial packet handling
  * CVE-2026-42766, Possible NULL Dereference in Password-Based CMS Decryption
  * CVE-2026-42767, NULL Pointer Dereference in CRMF EncryptedValue Decryption
  * CVE-2026-42768, Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
  * CVE-2026-42769, Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
  * CVE-2026-42770, FFC-DH Peer Validation Uses Attacker-Supplied q
  * CVE-2026-45445, AES-OCB IV Ignored on EVP_Cipher() Path
  * CVE-2026-45446, Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
  * CVE-2026-45447, Heap Use-After-Free in OpenSSL PKCS7_verify()
  * CVE-2026-7383, Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion
  * CVE-2026-9076, Out-of-Bounds Read in CMS Password-Based Decryption

 -- songjuntao <songjuntao@kylinos.cn>  Wed, 17 Jun 2026 13:28:16 +0800

openssl (3.5.5-ok5) huanghe; urgency=medium

  * Fix CVE-2026-28388, fix NULL dereference when delta crl lacks crl number
    extension.
  * Fix CVE-2026-28389, fix NULL deref in [ec]dh_cms_set_shared_info.
  * Fix CVE-2026-28390, fix NULL deref in rsa_cms_decrypt.
  * Fix CVE-2026-31790, rsa_kem: validate RSA_public_encrypt() result in
    RSASVE.

 -- songjuntao <songjuntao@kylinos.cn>  Thu, 14 May 2026 13:50:24 +0800

openssl (3.5.5-ok4) huanghe; urgency=medium

  * Fix CVE-2026-28387, dane_match_cert() should X509_free() on ->mcert
    instead of OPENSSL_free().
  * Fix CVE-2026-31789, avoid possible buffer overflow in buf2hex conversion

 -- songjuntao <songjuntao@kylinos.cn>  Sat, 09 May 2026 10:20:37 +0800

openssl (3.5.5-ok3) huanghe; urgency=medium

  * Fix CVE-2026-2673, openssl tls1.3 server may fail to negoticate the
    expected preferred key exchange group.

 -- songjuntao <songjuntao@kylinos.cn>  Fri, 08 May 2026 16:41:48 +0800

openssl (3.5.5-ok2) huanghe; urgency=medium

  * set DEB_BUILD_OPTIONS to nocheck for riscv64 platform

 -- songjuntao <songjuntao@kylinos.cn>  Fri, 17 Apr 2026 11:13:49 +0800

openssl (3.5.5-ok1) huanghe; urgency=medium

  * rebuild source for openkylin

 -- songjuntao <songjuntao@kylinos.cn>  Fri, 03 Apr 2026 18:07:02 +0800
