git: e2fcde7333a5 - stable/15 - MFV: crypto/openssl: update to 3.5.6
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 12 Apr 2026 02:15:07 UTC
The branch stable/15 has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=e2fcde7333a515907316cf1a4ee4858edc90419d
commit e2fcde7333a515907316cf1a4ee4858edc90419d
Author: Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2026-04-09 01:44:24 +0000
Commit: Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2026-04-12 02:14:40 +0000
MFV: crypto/openssl: update to 3.5.6
This change brings in version 3.5.6 of OpenSSL, which features
several security fixes (the highest of which is a MEDIUM severity
issue), as well as some miscellaneous feature updates.
Please see the release notes [1] for more details.
PS Apologies for the confusing merge commits -- I was testing out a
new automated update process and failed to catch the commit message
issues until after I pushed the change.
1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md
MFC after: 1 day (the security issues warrant a quick backport).
Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90'
(cherry picked from commit 10a428653ee7216475f1ddce3fb4cbf1200319f8)
---
crypto/openssl/CHANGES.md | 575 +++++++++------
crypto/openssl/CONTRIBUTING.md | 12 +
crypto/openssl/Configurations/10-main.conf | 3 +-
crypto/openssl/Configurations/unix-Makefile.tmpl | 3 +-
.../openssl/Configurations/windows-makefile.tmpl | 5 +-
crypto/openssl/NEWS.md | 427 +++++------
crypto/openssl/VERSION.dat | 4 +-
crypto/openssl/apps/cmp.c | 18 +-
crypto/openssl/apps/include/cmp_mock_srv.h | 5 +-
crypto/openssl/apps/lib/app_provider.c | 3 +-
crypto/openssl/apps/lib/apps.c | 15 +-
crypto/openssl/apps/lib/cmp_mock_srv.c | 38 +-
crypto/openssl/apps/lib/win32_init.c | 3 +-
crypto/openssl/apps/ocsp.c | 2 +-
crypto/openssl/apps/s_client.c | 6 +-
crypto/openssl/apps/ts.c | 4 +-
crypto/openssl/build.info | 16 +-
crypto/openssl/crypto/aes/asm/aes-riscv32-zkn.pl | 7 +-
crypto/openssl/crypto/aes/asm/aes-riscv64-zkn.pl | 7 +-
.../openssl/crypto/aes/asm/aes-riscv64-zvkned.pl | 13 +-
crypto/openssl/crypto/aes/asm/aes-riscv64.pl | 10 +-
crypto/openssl/crypto/asn1/evp_asn1.c | 4 +-
crypto/openssl/crypto/asn1/n_pkey.c | 4 +-
crypto/openssl/crypto/asn1/p5_scrypt.c | 11 +-
crypto/openssl/crypto/bf/bf_cfb64.c | 4 +-
crypto/openssl/crypto/bf/bf_ofb64.c | 4 +-
crypto/openssl/crypto/bio/bss_dgram.c | 4 +-
crypto/openssl/crypto/bio/bss_file.c | 15 +-
crypto/openssl/crypto/bn/asm/armv4-gf2m.pl | 4 +-
crypto/openssl/crypto/bn/asm/rsaz-2k-avxifma.pl | 105 ++-
crypto/openssl/crypto/bn/asm/rsaz-3k-avxifma.pl | 41 +-
crypto/openssl/crypto/bn/asm/rsaz-4k-avxifma.pl | 41 +-
crypto/openssl/crypto/bn/asm/sparcv9-mont.pl | 4 +-
crypto/openssl/crypto/bn/bn_dh.c | 64 +-
crypto/openssl/crypto/bn/bn_exp.c | 34 +-
crypto/openssl/crypto/bn/bn_local.h | 4 +-
crypto/openssl/crypto/bn/bn_mont.c | 9 +-
crypto/openssl/crypto/bn/bn_ppc.c | 10 +-
crypto/openssl/crypto/bn/bn_prime.c | 4 +-
crypto/openssl/crypto/bn/bn_rsa_fips186_4.c | 4 +-
crypto/openssl/crypto/bn/bn_sparc.c | 16 +-
crypto/openssl/crypto/bsearch.c | 4 +-
crypto/openssl/crypto/cast/c_cfb64.c | 4 +-
crypto/openssl/crypto/cast/c_ofb64.c | 4 +-
crypto/openssl/crypto/cmp/cmp_client.c | 23 +-
crypto/openssl/crypto/cmp/cmp_ctx.c | 4 +-
crypto/openssl/crypto/cmp/cmp_local.h | 4 +-
crypto/openssl/crypto/cmp/cmp_vfy.c | 25 +-
crypto/openssl/crypto/cms/cms_asn1.c | 30 +-
crypto/openssl/crypto/cms/cms_dh.c | 15 +-
crypto/openssl/crypto/cms/cms_ec.c | 16 +-
crypto/openssl/crypto/cms/cms_local.h | 5 +-
crypto/openssl/crypto/cms/cms_rsa.c | 33 +-
crypto/openssl/crypto/cms/cms_smime.c | 6 +-
crypto/openssl/crypto/conf/conf_lib.c | 4 +-
crypto/openssl/crypto/conf/conf_mod.c | 4 +-
crypto/openssl/crypto/des/cfb64ede.c | 4 +-
crypto/openssl/crypto/des/cfb64enc.c | 4 +-
crypto/openssl/crypto/des/ofb64ede.c | 4 +-
crypto/openssl/crypto/des/ofb64enc.c | 4 +-
crypto/openssl/crypto/dh/dh_asn1.c | 7 +-
crypto/openssl/crypto/dh/dh_rfc5114.c | 6 +-
crypto/openssl/crypto/dllmain.c | 4 +-
crypto/openssl/crypto/dsa/dsa_asn1.c | 8 +-
crypto/openssl/crypto/ec/ec_asn1.c | 12 +-
crypto/openssl/crypto/ec/ec_check.c | 4 +-
crypto/openssl/crypto/ec/ec_lib.c | 4 +-
crypto/openssl/crypto/err/err_all.c | 6 +-
crypto/openssl/crypto/err/openssl.txt | 3 +-
crypto/openssl/crypto/ess/ess_asn1.c | 8 +-
crypto/openssl/crypto/evp/digest.c | 7 +-
crypto/openssl/crypto/evp/e_aes.c | 56 +-
crypto/openssl/crypto/evp/e_aria.c | 22 +-
crypto/openssl/crypto/evp/e_camellia.c | 22 +-
crypto/openssl/crypto/evp/e_des.c | 18 +-
crypto/openssl/crypto/evp/e_des3.c | 24 +-
crypto/openssl/crypto/evp/e_idea.c | 6 +-
crypto/openssl/crypto/evp/e_sm4.c | 14 +-
crypto/openssl/crypto/evp/encode.c | 4 +-
crypto/openssl/crypto/evp/evp_enc.c | 12 +-
crypto/openssl/crypto/evp/kem.c | 4 +-
crypto/openssl/crypto/hashtable/hashtable.c | 6 +-
crypto/openssl/crypto/http/http_client.c | 26 +-
crypto/openssl/crypto/http/http_err.c | 4 +-
crypto/openssl/crypto/http/http_lib.c | 8 +-
crypto/openssl/crypto/idea/i_cfb64.c | 3 +-
crypto/openssl/crypto/idea/i_ofb64.c | 3 +-
crypto/openssl/crypto/init.c | 7 +-
crypto/openssl/crypto/initthread.c | 14 +-
crypto/openssl/crypto/modes/asm/aes-gcm-ppc.pl | 5 -
crypto/openssl/crypto/modes/asm/ghash-armv4.pl | 4 +-
crypto/openssl/crypto/modes/build.info | 2 +-
crypto/openssl/crypto/o_str.c | 15 +-
crypto/openssl/crypto/param_build.c | 108 ++-
crypto/openssl/crypto/perlasm/x86_64-xlate.pl | 5 +-
crypto/openssl/crypto/pkcs12/p12_mutl.c | 4 +
crypto/openssl/crypto/pkcs12/p12_utl.c | 4 +-
crypto/openssl/crypto/pkcs7/pk7_doit.c | 8 +
crypto/openssl/crypto/pkcs7/pk7_lib.c | 9 +-
crypto/openssl/crypto/punycode.c | 4 +-
crypto/openssl/crypto/rand/rand_egd.c | 25 +-
crypto/openssl/crypto/rc2/rc2cfb64.c | 4 +-
crypto/openssl/crypto/rc2/rc2ofb64.c | 4 +-
crypto/openssl/crypto/rc5/rc5cfb64.c | 4 +-
crypto/openssl/crypto/rc5/rc5ofb64.c | 4 +-
crypto/openssl/crypto/riscvcap.c | 37 +-
crypto/openssl/crypto/rsa/rsa_backend.c | 4 +-
crypto/openssl/crypto/sha/asm/keccak1600-s390x.pl | 3 +-
crypto/openssl/crypto/slh_dsa/slh_dsa.c | 25 +-
crypto/openssl/crypto/sm4/asm/vpsm4_ex-armv8.pl | 13 +-
crypto/openssl/crypto/store/store_lib.c | 6 +-
crypto/openssl/crypto/threads_none.c | 4 +-
crypto/openssl/crypto/threads_pthread.c | 57 +-
crypto/openssl/crypto/threads_win.c | 4 +-
crypto/openssl/crypto/ts/ts_asn1.c | 14 +-
crypto/openssl/crypto/x509/pcy_tree.c | 14 +-
crypto/openssl/crypto/x509/t_acert.c | 8 +-
crypto/openssl/crypto/x509/v3_ac_tgt.c | 8 +-
crypto/openssl/crypto/x509/v3_cpols.c | 4 +-
crypto/openssl/crypto/x509/v3_prn.c | 6 +-
crypto/openssl/crypto/x509/v3_san.c | 5 +-
crypto/openssl/crypto/x509/v3_timespec.c | 4 +-
crypto/openssl/crypto/x509/v3_utl.c | 9 +-
crypto/openssl/crypto/x509/x509_vfy.c | 7 +-
crypto/openssl/crypto/x509/x_pubkey.c | 6 +-
crypto/openssl/doc/build.info | 6 +
.../doc/internal/man3/OSSL_SAFE_MATH_SIGNED.pod | 4 +-
.../internal/man3/ossl_cmp_msg_check_update.pod | 5 +-
crypto/openssl/doc/internal/man7/deprecation.pod | 4 +-
crypto/openssl/doc/man1/CA.pl.pod | 4 +-
crypto/openssl/doc/man1/openssl-ciphers.pod.in | 777 ++++++++++++---------
crypto/openssl/doc/man1/openssl-cmp.pod.in | 10 +-
crypto/openssl/doc/man1/openssl-cms.pod.in | 2 +-
crypto/openssl/doc/man1/openssl-format-options.pod | 4 +-
crypto/openssl/doc/man1/openssl-pkeyutl.pod.in | 4 +-
.../doc/man1/openssl-verification-options.pod | 8 +-
crypto/openssl/doc/man1/openssl-verify.pod.in | 7 +-
crypto/openssl/doc/man3/ADMISSIONS.pod | 4 +-
crypto/openssl/doc/man3/BIO_get_data.pod | 11 +-
crypto/openssl/doc/man3/BIO_push.pod | 4 +-
crypto/openssl/doc/man3/BIO_read.pod | 6 +-
crypto/openssl/doc/man3/EVP_EncryptInit.pod | 10 +-
crypto/openssl/doc/man3/OPENSSL_malloc.pod | 6 +-
crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod | 11 +-
crypto/openssl/doc/man3/OSSL_HPKE_CTX_new.pod | 6 +-
crypto/openssl/doc/man3/PKCS5_PBE_keyivgen.pod | 13 +-
crypto/openssl/doc/man3/RSA_set_method.pod | 10 +-
crypto/openssl/doc/man3/SSL_CONF_cmd.pod | 18 +-
crypto/openssl/doc/man3/SSL_CTX_set1_curves.pod | 125 +++-
.../doc/man3/SSL_CTX_set_psk_client_callback.pod | 10 +-
crypto/openssl/doc/man3/SSL_get_ciphers.pod | 4 +-
crypto/openssl/doc/man3/X509V3_EXT_print.pod | 51 ++
crypto/openssl/doc/man3/X509_NAME_print_ex.pod | 7 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-DSA.pod | 4 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-ECDSA.pod | 4 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-ED25519.pod | 4 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-HMAC.pod | 4 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-ML-DSA.pod | 6 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-RSA.pod | 4 +-
crypto/openssl/doc/man7/EVP_SIGNATURE-SLH-DSA.pod | 4 +-
crypto/openssl/doc/man7/openssl-env.pod | 9 +-
.../doc/man7/ossl-guide-tls-introduction.pod | 4 +-
crypto/openssl/doc/man7/property.pod | 34 +-
crypto/openssl/doc/man7/provider-base.pod | 5 +-
.../openssl/exporters/cmake/OpenSSLConfig.cmake.in | 1 +
.../exporters/cmake/OpenSSLConfigVersion.cmake.in | 1 +
.../openssl/exporters/pkg-config/libcrypto.pc.in | 1 +
crypto/openssl/exporters/pkg-config/libssl.pc.in | 1 +
crypto/openssl/exporters/pkg-config/openssl.pc.in | 1 +
.../perl/Text-Template-1.56/lib/Text/Template.pm | 4 +-
.../lib/Text/Template/Preprocess.pm | 4 +-
crypto/openssl/include/crypto/aes_platform.h | 4 +-
crypto/openssl/include/crypto/evp.h | 24 +-
crypto/openssl/include/crypto/httperr.h | 2 +-
crypto/openssl/include/crypto/sparc_arch.h | 14 +-
crypto/openssl/include/crypto/sparse_array.h | 4 +-
crypto/openssl/include/internal/time.h | 72 +-
crypto/openssl/include/openssl/cmp.h.in | 4 +-
crypto/openssl/include/openssl/core_dispatch.h | 34 +-
crypto/openssl/include/openssl/httperr.h | 3 +-
crypto/openssl/include/openssl/macros.h | 3 +-
crypto/openssl/include/openssl/rsa.h | 6 +-
crypto/openssl/include/openssl/types.h | 4 +-
crypto/openssl/providers/fips-sources.checksums | 96 +--
crypto/openssl/providers/fips.checksum | 2 +-
crypto/openssl/providers/fips/self_test.c | 4 +-
crypto/openssl/providers/fips/self_test_kats.c | 11 +-
.../ciphers/cipher_aes_gcm_hw_ppc.inc | 8 +-
.../implementations/ciphers/cipher_aes_ocb.c | 4 +-
.../implementations/ciphers/ciphercommon.c | 6 +-
.../include/prov/ciphercommon_ccm.h | 16 +-
.../include/prov/ciphercommon_gcm.h | 14 +-
.../providers/implementations/kdfs/pkcs12kdf.c | 11 +-
.../providers/implementations/kem/rsa_kem.c | 22 +-
.../implementations/keymgmt/ml_kem_kmgmt.c | 4 +-
.../providers/implementations/rands/drbg_hmac.c | 4 +-
.../providers/implementations/signature/dsa_sig.c | 36 +-
.../implementations/signature/ecdsa_sig.c | 47 +-
.../providers/implementations/signature/sm2_sig.c | 10 +-
.../implementations/storemgmt/file_store.c | 11 +-
.../implementations/storemgmt/winstore_store.c | 6 +-
crypto/openssl/ssl/quic/quic_impl.c | 47 +-
crypto/openssl/ssl/quic/quic_lcidm.c | 14 +-
crypto/openssl/ssl/quic/quic_reactor.c | 6 +
crypto/openssl/ssl/quic/quic_rx_depack.c | 3 +-
crypto/openssl/ssl/quic/quic_srtm.c | 7 +-
crypto/openssl/ssl/quic/quic_stream_map.c | 3 +-
crypto/openssl/ssl/quic/uint_set.c | 4 +-
crypto/openssl/ssl/record/methods/tls_common.c | 17 +-
crypto/openssl/ssl/s3_lib.c | 6 +-
crypto/openssl/ssl/ssl_asn1.c | 4 +-
crypto/openssl/ssl/ssl_lib.c | 22 +-
crypto/openssl/ssl/ssl_sess.c | 4 +-
crypto/openssl/ssl/statem/statem_dtls.c | 8 +-
crypto/openssl/ssl/t1_lib.c | 96 +--
crypto/openssl/test/README-external.md | 2 +-
crypto/openssl/test/asn1_decode_test.c | 14 +-
crypto/openssl/test/asn1_encode_test.c | 14 +-
crypto/openssl/test/asn1_internal_test.c | 20 +-
crypto/openssl/test/bntest.c | 49 +-
crypto/openssl/test/certs/cve-2026-28388-ca.pem | 19 +
crypto/openssl/test/certs/cve-2026-28388-crls.pem | 22 +
crypto/openssl/test/certs/cve-2026-28388-leaf.pem | 19 +
.../ext-timeSpecification-periodic-no-second.pem | 14 +
crypto/openssl/test/certs/mkcert.sh | 4 +-
crypto/openssl/test/cmp_client_test.c | 75 +-
crypto/openssl/test/evp_extra_test.c | 110 ++-
crypto/openssl/test/evp_test.c | 4 +-
crypto/openssl/test/fake_rsaprov.c | 5 +-
crypto/openssl/test/http_test.c | 22 +-
crypto/openssl/test/ossl_store_test.c | 9 +-
crypto/openssl/test/pkcs12_api_test.c | 32 +-
crypto/openssl/test/quicapitest.c | 10 +-
.../openssl/test/recipes/10-test_bn_data/bnmod.txt | 10 +-
crypto/openssl/test/recipes/25-test_verify.t | 16 +-
crypto/openssl/test/recipes/25-test_x509.t | 10 +-
.../openssl/test/recipes/61-test_bio_readbuffer.t | 8 +-
.../80-test_cmp_http_data/test_commands.csv | 3 +-
crypto/openssl/test/recipes/80-test_cms.t | 47 +-
.../test/recipes/80-test_cms_data/dh-cert.pem | 31 +
.../test/recipes/80-test_cms_data/dh-key.pem | 15 +
.../test/recipes/80-test_cms_data/dh-malformed.der | Bin 0 -> 558 bytes
.../test/recipes/80-test_cms_data/ecdh-cert.pem | 10 +
.../test/recipes/80-test_cms_data/ecdh-key.pem | 5 +
.../recipes/80-test_cms_data/ecdh-malformed.der | Bin 0 -> 275 bytes
.../recipes/80-test_cms_data/rsa-malformed.der | Bin 0 -> 526 bytes
crypto/openssl/test/recipes/80-test_ocsp.t | 16 +-
crypto/openssl/test/sslapitest.c | 98 ++-
crypto/openssl/test/tls-provider.c | 5 +-
crypto/openssl/test/tls13groupselection_test.c | 39 +-
crypto/openssl/util/checkplatformsyms.pl | 40 +-
crypto/openssl/util/missingcrypto.txt | 2 -
crypto/openssl/util/mkerr.pl | 77 +-
crypto/openssl/util/mkinstallvars.pl | 5 +-
.../util/platform_symbols/windows-symbols.txt | 339 ++++-----
crypto/openssl/util/wrap.pl.in | 1 +
256 files changed, 3690 insertions(+), 2012 deletions(-)
diff --git a/crypto/openssl/CHANGES.md b/crypto/openssl/CHANGES.md
index 1a65b72b2965..380840deb712 100644
--- a/crypto/openssl/CHANGES.md
+++ b/crypto/openssl/CHANGES.md
@@ -28,6 +28,150 @@ OpenSSL Releases
OpenSSL 3.5
-----------
+### Changes between 3.5.5 and 3.5.6 [7 Apr 2026]
+
+ * Fixed incorrect failure handling in RSA KEM RSASVE encapsulation.
+
+ Severity: Moderate
+
+ Issue summary: Applications using RSASVE key encapsulation to establish
+ a secret encryption key can send contents of an uninitialized memory buffer
+ to a malicious peer.
+
+ Impact summary: The uninitialized buffer might contain sensitive data
+ from the previous execution of the application process which leads
+ to sensitive data leakage to an attacker.
+
+ Reported by: Simo Sorce (Red Hat).
+
+ ([CVE-2026-31790])
+
+ *Nikola Pajkovsky*
+
+ * Fixed loss of key agreement group tuple structure when the `DEFAULT` keyword
+ is used in the server-side configuration of the key-agreement group list.
+
+ Severity: Low
+
+ Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected
+ preferred key exchange group when its key exchange group configuration
+ includes the default by using the 'DEFAULT' keyword.
+
+ Impact summary: A less preferred key exchange may be used even when a more
+ preferred group is supported by both client and server, if the group
+ was not included among the client's initial predicated keyshares.
+ This will sometimes be the case with the new hybrid post-quantum groups,
+ if the client chooses to defer their use until specifically requested by
+ the server.
+ <!-- https://github.com/openssl/openssl/pull/30111 -->
+
+ ([CVE-2026-2673])
+
+ *Viktor Dukhovni*
+
+ * Fixed potential use-after-free in DANE client code.
+
+ Severity: Low
+
+ Issue summary: An uncommon configuration of clients performing DANE
+ TLSA-based server authentication, when paired with uncommon server DANE TLSA
+ records, may result in a use-after-free and/or double-free on the client
+ side.
+
+ Impact summary: A use after free can have a range of potential consequences
+ such as the corruption of valid data, crashes, or execution of arbitrary
+ code.
+
+ Reported by: Igor Morgenstern (Aisle Research).
+
+ ([CVE-2026-28387])
+
+ *Viktor Dukhovni*
+
+ * Fixed NULL pointer dereference when processing a delta CRL.
+
+ Severity: Low
+
+ Issue summary: When a delta CRL that contains a Delta CRL Indicator extension
+ is processed, a NULL pointer dereference might happen if the required CRL
+ Number extension is missing.
+
+ Impact summary: A NULL pointer dereference can trigger a crash which
+ leads to a Denial of Service for an application.
+
+ Reported by: Igor Morgenstern (Aisle Research).
+
+ ([CVE-2026-28388])
+
+ *Igor Morgenstern*
+
+ * Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo.
+
+ Severity: Low
+
+ Issue summary: During processing of a crafted CMS EnvelopedData message
+ with KeyAgreeRecipientInfo a NULL pointer dereference can happen.
+
+ Impact summary: Applications that process attacker-controlled CMS data may
+ crash before authentication or cryptographic operations occur resulting in
+ Denial of Service.
+
+ Reported by: Nathan Sportsman (Praetorian), Daniel Rhea,
+ Jaeho Nam (Seoul National University), Muhammad Daffa,
+ Zhanpeng Liu (Tencent Xuanwu Lab), Guannan Wang (Tencent Xuanwu Lab),
+ Guancheng Li (Tencent Xuanwu Lab), and Joshua Rogers.
+
+ ([CVE-2026-28389])
+
+ *Neil Horman*
+
+ * Fixed possible NULL dereference when processing CMS
+ KeyTransportRecipientInfo.
+
+ Severity: Low
+
+ Issue summary: During processing of a crafted CMS EnvelopedData message
+ with KeyTransportRecipientInfo a NULL pointer dereference can happen.
+
+ Impact summary: Applications that process attacker-controlled CMS data may
+ crash before authentication or cryptographic operations occur resulting in
+ Denial of Service.
+
+ Reported by: Muhammad Daffa, Zhanpeng Liu (Tencent Xuanwu Lab),
+ Guannan Wang (Tencent Xuanwu Lab), Guancheng Li (Tencent Xuanwu Lab),
+ Joshua Rogers, and Chanho Kim.
+
+ ([CVE-2026-28390])
+
+ *Neil Horman*
+
+ * Fixed heap buffer overflow in hexadecimal conversion.
+
+ Severity: Low
+
+ Issue summary: Converting an excessively large OCTET STRING value to
+ a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.
+
+ Impact summary: A heap buffer overflow may lead to a crash or possibly
+ an attacker controlled code execution or other undefined behavior.
+
+ Reported by: Quoc Tran (Xint.io - US Team).
+
+ ([CVE-2026-31789])
+
+ *Igor Ustinov*
+
+ * Fixed usage of `openssl s_client -connect HOST -proxy PROXY` with `HOST`
+ containing a raw IPv6 address.
+ <!-- https://github.com/openssl/openssl/pull/30384 -->
+
+ *Peter Zhang*
+
+ * Fixed broken detection of plantext HTTP over TLS.
+ <!-- https://github.com/openssl/openssl/pull/30411 -->
+
+ *Matt Caswell*
+
### Changes between 3.5.4 and 3.5.5 [27 Jan 2026]
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
@@ -3461,7 +3605,7 @@ breaking changes, and mappings for the large list of deprecated functions.
*Richard Levitte*
- * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
+ * Fixed an overflow bug in the x86_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
@@ -21607,216 +21751,223 @@ ndif
<!-- Links -->
-[CVE-2026-22796]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22796
-[CVE-2026-22795]: https://www.openssl.org/news/vulnerabilities.html#CVE-2026-22795
-[CVE-2025-69421]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69421
-[CVE-2025-69420]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69420
-[CVE-2025-69419]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69419
-[CVE-2025-69418]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-69418
-[CVE-2025-68160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-68160
-[CVE-2025-66199]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-66199
-[CVE-2025-15469]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15469
-[CVE-2025-15468]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15468
-[CVE-2025-15467]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-15467
-[CVE-2025-11187]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-11187
-[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
-[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
-[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
-[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
-[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
-[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
-[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
-[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
-[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
-[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
-[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
-[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
-[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
-[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
-[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
-[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
-[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
-[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
-[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
-[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
-[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
-[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
-[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
-[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
-[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
-[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
-[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
-[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
-[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
-[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
-[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
-[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
-[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
-[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
-[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
-[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
-[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
-[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
-[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
-[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
-[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
-[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
-[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
-[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
-[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
-[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
-[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
-[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
-[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
-[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
-[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
-[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
-[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
-[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
-[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
-[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
-[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
-[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
-[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
-[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
-[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
-[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
-[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
-[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
-[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
-[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
-[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
-[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
-[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
-[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
-[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
-[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
-[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
-[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
-[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
-[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
-[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
-[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
-[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
-[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
-[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
-[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
-[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
-[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
-[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
-[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
-[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
-[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
-[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
-[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
-[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
-[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
-[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
-[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
-[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
-[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
-[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
-[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
-[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
-[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
-[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
-[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
-[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
-[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
-[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
-[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
-[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
-[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
-[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
-[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
-[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
-[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
-[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
-[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
-[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
-[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
-[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
-[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
-[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
-[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
-[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
-[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
-[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
-[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
-[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
-[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
-[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
-[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
-[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
-[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
-[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
-[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
-[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
-[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
-[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
-[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
-[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
-[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
-[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
-[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
-[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
-[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
-[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
-[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
-[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
-[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
-[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
-[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
-[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
-[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
-[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
-[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
-[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
-[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
-[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
-[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
-[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
-[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
-[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
-[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
-[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
-[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
-[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
-[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
-[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
-[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
-[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
-[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
-[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
-[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
-[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
-[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
-[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
-[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
-[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
-[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
-[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
-[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
-[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
-[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
-[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
-[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
-[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
-[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
-[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
-[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
-[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
-[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
-[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
-[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
-[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
-[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
-[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
-[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
-[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
-[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
-[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
-[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
+[CVE-2002-0655]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0655
+[CVE-2002-0656]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0656
+[CVE-2002-0657]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0657
+[CVE-2002-0659]: https://openssl-library.org/news/vulnerabilities/#CVE-2002-0659
+[CVE-2003-0078]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0078
+[CVE-2003-0543]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0543
+[CVE-2003-0544]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0544
+[CVE-2003-0545]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0545
+[CVE-2003-0851]: https://openssl-library.org/news/vulnerabilities/#CVE-2003-0851
+[CVE-2004-0079]: https://openssl-library.org/news/vulnerabilities/#CVE-2004-0079
+[CVE-2004-0112]: https://openssl-library.org/news/vulnerabilities/#CVE-2004-0112
+[CVE-2005-2969]: https://openssl-library.org/news/vulnerabilities/#CVE-2005-2969
+[CVE-2006-2937]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-2937
+[CVE-2006-2940]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-2940
+[CVE-2006-3738]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-3738
+[CVE-2006-4339]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-4339
+[CVE-2006-4343]: https://openssl-library.org/news/vulnerabilities/#CVE-2006-4343
+[CVE-2007-4995]: https://openssl-library.org/news/vulnerabilities/#CVE-2007-4995
+[CVE-2007-5135]: https://openssl-library.org/news/vulnerabilities/#CVE-2007-5135
+[CVE-2008-0891]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-0891
+[CVE-2008-1672]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-1672
+[CVE-2008-1678]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-1678
+[CVE-2008-5077]: https://openssl-library.org/news/vulnerabilities/#CVE-2008-5077
+[CVE-2009-0590]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-0590
+[CVE-2009-0591]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-0591
+[CVE-2009-0789]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-0789
+[CVE-2009-1377]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1377
+[CVE-2009-1378]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1378
+[CVE-2009-1379]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1379
+[CVE-2009-1386]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-1386
+[CVE-2009-3245]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-3245
+[CVE-2009-3555]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-3555
+[CVE-2009-4355]: https://openssl-library.org/news/vulnerabilities/#CVE-2009-4355
+[CVE-2010-0433]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-0433
+[CVE-2010-0740]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-0740
+[CVE-2010-1633]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-1633
+[CVE-2010-3864]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-3864
+[CVE-2010-4180]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-4180
+[CVE-2010-4252]: https://openssl-library.org/news/vulnerabilities/#CVE-2010-4252
+[CVE-2011-0014]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-0014
+[CVE-2011-3207]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-3207
+[CVE-2011-3210]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-3210
+[CVE-2011-4108]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4108
+[CVE-2011-4109]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4109
+[CVE-2011-4576]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4576
+[CVE-2011-4577]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4577
+[CVE-2011-4619]: https://openssl-library.org/news/vulnerabilities/#CVE-2011-4619
+[CVE-2012-0027]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-0027
+[CVE-2012-0050]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-0050
+[CVE-2012-0884]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-0884
+[CVE-2012-2110]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-2110
+[CVE-2012-2333]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-2333
+[CVE-2012-2686]: https://openssl-library.org/news/vulnerabilities/#CVE-2012-2686
+[CVE-2013-0166]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-0166
+[CVE-2013-0169]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-0169
+[CVE-2013-4353]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-4353
+[CVE-2013-6450]: https://openssl-library.org/news/vulnerabilities/#CVE-2013-6450
+[CVE-2014-0076]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0076
+[CVE-2014-0160]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0160
+[CVE-2014-0195]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0195
+[CVE-2014-0221]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0221
+[CVE-2014-0224]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-0224
+[CVE-2014-3470]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3470
+[CVE-2014-3505]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3505
+[CVE-2014-3506]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3506
+[CVE-2014-3507]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3507
+[CVE-2014-3508]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3508
+[CVE-2014-3509]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3509
+[CVE-2014-3510]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3510
+[CVE-2014-3511]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3511
+[CVE-2014-3512]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3512
+[CVE-2014-3513]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3513
+[CVE-2014-3566]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3566
+[CVE-2014-3567]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3567
+[CVE-2014-3568]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3568
+[CVE-2014-3569]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3569
+[CVE-2014-3570]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3570
+[CVE-2014-3571]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3571
+[CVE-2014-3572]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-3572
+[CVE-2014-5139]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-5139
+[CVE-2014-8275]: https://openssl-library.org/news/vulnerabilities/#CVE-2014-8275
+[CVE-2015-0204]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0204
+[CVE-2015-0205]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0205
+[CVE-2015-0206]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0206
+[CVE-2015-0207]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0207
+[CVE-2015-0208]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0208
+[CVE-2015-0209]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0209
+[CVE-2015-0285]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0285
+[CVE-2015-0286]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0286
+[CVE-2015-0287]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0287
+[CVE-2015-0288]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0288
+[CVE-2015-0289]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0289
+[CVE-2015-0290]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0290
+[CVE-2015-0291]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0291
+[CVE-2015-0293]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-0293
+[CVE-2015-1787]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1787
+[CVE-2015-1788]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1788
+[CVE-2015-1789]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1789
+[CVE-2015-1790]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1790
+[CVE-2015-1791]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1791
+[CVE-2015-1792]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1792
+[CVE-2015-1793]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-1793
+[CVE-2015-3193]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3193
+[CVE-2015-3194]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3194
+[CVE-2015-3195]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3195
+[CVE-2015-3196]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3196
+[CVE-2015-3197]: https://openssl-library.org/news/vulnerabilities/#CVE-2015-3197
+[CVE-2016-0701]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0701
+[CVE-2016-0702]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0702
+[CVE-2016-0705]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0705
+[CVE-2016-0797]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0797
+[CVE-2016-0798]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0798
+[CVE-2016-0799]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0799
+[CVE-2016-0800]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-0800
+[CVE-2016-2105]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2105
+[CVE-2016-2106]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2106
+[CVE-2016-2107]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2107
+[CVE-2016-2109]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2109
+[CVE-2016-2176]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2176
+[CVE-2016-2177]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2177
+[CVE-2016-2178]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2178
+[CVE-2016-2179]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2179
+[CVE-2016-2180]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2180
+[CVE-2016-2181]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2181
+[CVE-2016-2182]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2182
+[CVE-2016-2183]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-2183
+[CVE-2016-6302]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6302
+[CVE-2016-6303]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6303
+[CVE-2016-6304]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6304
+[CVE-2016-6305]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6305
+[CVE-2016-6306]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6306
+[CVE-2016-6307]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6307
+[CVE-2016-6308]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6308
+[CVE-2016-6309]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-6309
+[CVE-2016-7052]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7052
+[CVE-2016-7053]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7053
+[CVE-2016-7054]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7054
+[CVE-2016-7055]: https://openssl-library.org/news/vulnerabilities/#CVE-2016-7055
+[CVE-2017-3730]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3730
+[CVE-2017-3731]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3731
+[CVE-2017-3732]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3732
+[CVE-2017-3733]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3733
+[CVE-2017-3735]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3735
+[CVE-2017-3736]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3736
+[CVE-2017-3737]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3737
+[CVE-2017-3738]: https://openssl-library.org/news/vulnerabilities/#CVE-2017-3738
+[CVE-2018-0732]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0732
+[CVE-2018-0733]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0733
+[CVE-2018-0734]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0734
+[CVE-2018-0735]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0735
+[CVE-2018-0737]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0737
+[CVE-2018-0739]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-0739
+[CVE-2018-5407]: https://openssl-library.org/news/vulnerabilities/#CVE-2018-5407
+[CVE-2019-1543]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1543
+[CVE-2019-1547]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1547
+[CVE-2019-1549]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1549
+[CVE-2019-1551]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1551
+[CVE-2019-1552]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1552
+[CVE-2019-1559]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1559
+[CVE-2019-1563]: https://openssl-library.org/news/vulnerabilities/#CVE-2019-1563
+[CVE-2020-1967]: https://openssl-library.org/news/vulnerabilities/#CVE-2020-1967
+[CVE-2020-1971]: https://openssl-library.org/news/vulnerabilities/#CVE-2020-1971
+[CVE-2022-2097]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-2097
+[CVE-2022-2274]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-2274
+[CVE-2022-3996]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-3996
+[CVE-2022-4203]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-4203
+[CVE-2022-4304]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-4304
+[CVE-2022-4450]: https://openssl-library.org/news/vulnerabilities/#CVE-2022-4450
+[CVE-2023-0215]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0215
+[CVE-2023-0216]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0216
+[CVE-2023-0217]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0217
+[CVE-2023-0286]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0286
+[CVE-2023-0401]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0401
+[CVE-2023-0464]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0464
+[CVE-2023-0465]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0465
+[CVE-2023-0466]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-0466
+[CVE-2023-1255]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-1255
+[CVE-2023-2650]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-2650
+[CVE-2023-2975]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-2975
+[CVE-2023-3446]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-3446
+[CVE-2023-3817]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-3817
+[CVE-2023-4807]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-4807
+[CVE-2023-5363]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-5363
+[CVE-2023-5678]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-5678
+[CVE-2023-6129]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-6129
+[CVE-2023-6237]: https://openssl-library.org/news/vulnerabilities/#CVE-2023-6237
+[CVE-2024-0727]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-0727
+[CVE-2024-2511]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-2511
+[CVE-2024-4603]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-4603
+[CVE-2024-4741]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-4741
+[CVE-2024-5535]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-5535
+[CVE-2024-6119]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-6119
+[CVE-2024-9143]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-9143
+[CVE-2024-13176]: https://openssl-library.org/news/vulnerabilities/#CVE-2024-13176
+[CVE-2025-4575]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-4575
+[CVE-2025-9230]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-9230
+[CVE-2025-9231]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-9231
+[CVE-2025-9232]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-9232
+[CVE-2025-11187]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-11187
+[CVE-2025-15467]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
+[CVE-2025-15468]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15468
+[CVE-2025-15469]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-15469
+[CVE-2025-66199]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-66199
+[CVE-2025-68160]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-68160
+[CVE-2025-69418]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69418
+[CVE-2025-69419]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69419
+[CVE-2025-69420]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69420
+[CVE-2025-69421]: https://openssl-library.org/news/vulnerabilities/#CVE-2025-69421
+[CVE-2026-2673]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-2673
+[CVE-2026-22795]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-22795
+[CVE-2026-22796]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-22796
+[CVE-2026-28387]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28387
+[CVE-2026-28388]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28388
+[CVE-2026-28389]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28389
+[CVE-2026-28390]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-28390
+[CVE-2026-31789]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-31789
+[CVE-2026-31790]: https://openssl-library.org/news/vulnerabilities/#CVE-2026-31790
[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
+[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
diff --git a/crypto/openssl/CONTRIBUTING.md b/crypto/openssl/CONTRIBUTING.md
index 09416095e64d..06dfbaeff1fe 100644
--- a/crypto/openssl/CONTRIBUTING.md
+++ b/crypto/openssl/CONTRIBUTING.md
@@ -27,6 +27,18 @@ communication before submitting many pull requests. In addition,
contributors should personally evaluate potential patches generated by
automated tools.
+Provide a clear description of the issue or feature being addressed,
+including any relevant implementation details and, for performance
+improvements, benchmark results.
+
+Pull requests and commits should be self-contained, enabling readers to
+understand what changed and why without needing to reference related
+issues or having prior knowledge. Commit messages should include all
+relevant details to help future contributors follow the git history,
+with clear explanations of what is changing and why. Long descriptions
+are encouraged if they aid understanding. Commit message titles (their
+first line) should be kept to 50-70 characters if possible.
+
To make it easier to review and accept your pull request, please follow these
guidelines:
diff --git a/crypto/openssl/Configurations/10-main.conf b/crypto/openssl/Configurations/10-main.conf
index cba57b41273f..692eccbfa1dc 100644
--- a/crypto/openssl/Configurations/10-main.conf
+++ b/crypto/openssl/Configurations/10-main.conf
@@ -5,7 +5,8 @@
my $vc_win64a_info = {};
sub vc_win64a_info {
unless (%$vc_win64a_info) {
- if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) {
+ # Minimum NASM version is 2.09 otherwise SHA3 might be miscompiled
+ if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+)\.([0-9]+)/ && ($1 > 2 || ($1 == 2 && $2 >= 9))) {
$vc_win64a_info = { AS => "nasm",
ASFLAGS => "-g",
asflags => "-Ox -f win64 -DNEAR",
diff --git a/crypto/openssl/Configurations/unix-Makefile.tmpl b/crypto/openssl/Configurations/unix-Makefile.tmpl
index 78be4a319964..5bf397eba021 100644
--- a/crypto/openssl/Configurations/unix-Makefile.tmpl
+++ b/crypto/openssl/Configurations/unix-Makefile.tmpl
@@ -72,6 +72,7 @@ OPTIONS={- $config{options} -}
CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
SRCDIR={- $config{sourcedir} -}
BLDDIR={- $config{builddir} -}
+RESULT_D=$(BLDDIR)/test-runs
FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
@@ -642,7 +643,7 @@ clean: libclean ## Clean the workspace, keep the configuration
-find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \;
$(RM) core
$(RM) tags TAGS doc-nits md-nits
- $(RM) -r test/test-runs
+ $(RM) -r $(RESULT_D)
$(RM) providers/fips*.new
-find . -type l \! -name '.*' -exec $(RM) {} \;
diff --git a/crypto/openssl/Configurations/windows-makefile.tmpl b/crypto/openssl/Configurations/windows-makefile.tmpl
index 894834cfb7ef..e553e8f9fec3 100644
--- a/crypto/openssl/Configurations/windows-makefile.tmpl
+++ b/crypto/openssl/Configurations/windows-makefile.tmpl
@@ -38,6 +38,7 @@
PLATFORM={- $config{target} -}
SRCDIR={- $config{sourcedir} -}
BLDDIR={- $config{builddir} -}
+RESULT_D=$(BLDDIR)\test-runs
FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
@@ -222,7 +223,7 @@ OPENSSLDIR_dir={- canonpath($openssldir_dir) -}
LIBDIR={- our $libdir = $config{libdir} || "lib";
file_name_is_absolute($libdir) ? "" : $libdir -}
MODULESDIR_dev={- use File::Spec::Functions qw(:DEFAULT splitpath catpath);
- our $modulesprefix = catdir($prefix,$libdir);
+ our $modulesprefix = file_name_is_absolute($libdir) ? $libdir : catdir($prefix,$libdir);
our ($modulesprefix_dev, $modulesprefix_dir,
$modulesprefix_file) =
splitpath($modulesprefix, 1);
@@ -484,7 +485,7 @@ clean: libclean
-del /Q /S /F engines\*.lib engines\*.exp
-del /Q /S /F apps\*.lib apps\*.rc apps\*.res apps\*.exp
-del /Q /S /F test\*.exp
- -rd /Q /S test\test-runs
+ -@if exist "$(RESULT_D)" rd /Q /S "$(RESULT_D)"
distclean: clean
-del /Q /F include\openssl\configuration.h
diff --git a/crypto/openssl/NEWS.md b/crypto/openssl/NEWS.md
index f4ec14718d71..07f78ae2af17 100644
--- a/crypto/openssl/NEWS.md
+++ b/crypto/openssl/NEWS.md
@@ -23,6 +23,36 @@ OpenSSL Releases
OpenSSL 3.5
-----------
+### Major changes between OpenSSL 3.5.5 and OpenSSL 3.5.6 [7 Apr 2026]
+
+OpenSSL 3.5.6 is a security patch release. The most severe CVE fixed in this
+release is Medium.
+
*** 11324 LINES SKIPPED ***