[AUTOPATCHER-CORE] Upgrade openssl to 3.3.5 CVEs (microsoft#14772)

Co-authored-by: Tobias Brick <[email protected]>
Co-authored-by: Pawel Winogrodzki <[email protected]>
Co-authored-by: jslobodzian <[email protected]>

Author: 4 people

SPECS/openssl/0008-Add-FIPS_mode-compatibility-macro.patch

@@ -1,7 +1,7 @@
-From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
+From f803c320433fb1663a818a5ce97f39c3cd46fdd9 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Mon, 31 Jul 2023 09:41:27 +0200
-Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
+Subject: [PATCH] 0008-Add-FIPS_mode-compatibility-macro.patch
 
 Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
 Patch-id: 8
@@ -16,7 +16,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 
 diff --git a/include/openssl/fips.h b/include/openssl/fips.h
 new file mode 100644
-index 0000000000..4162cbf88e
+index 0000000..4162cbf
 --- /dev/null
 +++ b/include/openssl/fips.h
 @@ -0,0 +1,26 @@
@@ -47,10 +47,10 @@ index 0000000000..4162cbf88e
 +# endif
 +#endif
 diff --git a/test/property_test.c b/test/property_test.c
-index 45b1db3e85..8894c1c1cb 100644
+index e62ff24..37489e4 100644
 --- a/test/property_test.c
 +++ b/test/property_test.c
-@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
+@@ -703,6 +703,19 @@ static int test_property_list_to_string_bounds(void)
      return ret;
  }
 
@@ -70,14 +70,14 @@ index 45b1db3e85..8894c1c1cb 100644
  int setup_tests(void)
  {
      ADD_TEST(test_property_string);
-@@ -690,6 +703,7 @@ int setup_tests(void)
+@@ -716,6 +729,7 @@ int setup_tests(void)
      ADD_TEST(test_property);
      ADD_TEST(test_query_cache_stochastic);
      ADD_TEST(test_fips_mode);
 +    ADD_TEST(test_downstream_FIPS_mode);
      ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
+     ADD_TEST(test_property_list_to_string_bounds);
      return 1;
- }
 -- 
-2.41.0
+2.45.4
 

SPECS/openssl/Keep-the-provided-peer-EVP_PKEY-in-the-EVP_PKEY_CTX-too.patch

@@ -5,6 +5,6 @@
     "configuration-prefix.h": "11aba0dcfab381269e7e6ba1fdde1e4e8dfe51e39d8c7a2918f3b28a32cb98fd",
     "configuration-switch.h": "400439d7e8c551e7d5de8bfc648dcc0ddf6f4a7552750af4813449f68941b928",
     "genpatches": "9da7f988d4378adf499b1322e79f29e94c889c4bf10cd6e79e6991b673de2463",
-    "openssl-3.3.3.tar.gz": "712590fd20aaa60ec75d778fe5b810d6b829ca7fb1e530577917a131f9105539"
+    "openssl-3.3.5.tar.gz": "9d62c00a5a6903740c8703f0e006257f429d565d3b91ac1a9bd4a4c700002e01"
   }
 }

SPECS/openssl/openssl.signatures.json

@@ -8,8 +8,8 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.3.3
-Release: 3%{?dist}
+Version: 3.3.5
+Release: 1%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz
@@ -29,7 +29,7 @@ Patch3:   0003-Do-not-install-html-docs.patch
 Patch5:   0005-apps-ca-fix-md-option-help-text.patch
 # # Disable signature verification with totally unsafe hash algorithms
 Patch6:   0006-Disable-signature-verification-with-totally-unsafe-h.patch
-# # Add FIPS_mode() compatibility macro
+# Add FIPS_mode() compatibility macro
 Patch8:   0008-Add-FIPS_mode-compatibility-macro.patch
 # # Add check to see if fips flag is enabled in kernel
 Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
@@ -62,10 +62,6 @@ Patch52:  0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
 # # See notes in the patch for details, but this patch will not be needed if
 # # the openssl issue https://github.com/openssl/openssl/issues/7048 is ever implemented and released.
 Patch80:  0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
-# Fix crashes in openssl speed with providers that don't refcount keys.
-# Upstream: https://github.com/openssl/openssl/pull/26976 has been merged into 3.3, so if we
-# upgrade to 3.3.4 when it comes out, we can remove this patch.
-Patch81:  Keep-the-provided-peer-EVP_PKEY-in-the-EVP_PKEY_CTX-too.patch
 # The Symcrypt provider, which is our default, doesn't support some of the
 # algorithms that are used in the speed tests. This patch skips those tests.
 # If SymCrypt adds support, we should change and eventually remove this patch.
@@ -94,6 +90,7 @@ BuildRequires: sed
 BuildRequires: perl(Math::BigInt)
 BuildRequires: perl(Test::Harness)
 BuildRequires: perl(Test::More)
+BuildRequires: perl(Time::Piece)
 %endif
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -365,6 +362,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Oct 02 2025 CBL-Mariner Servicing Account <[email protected]> - 3.3.5-1
+- Auto-upgrade to 3.3.5 for CVE-2025-9230 and CVE-2025-9232
+
 * Mon Aug 25 2025 Andrew Phelps <[email protected]> - 3.3.3-3
 - Bump to rebuild with build-id fix from toolchain gcc
 

SPECS/openssl/openssl.spec

@@ -15513,8 +15513,8 @@
         "type": "other",
         "other": {
           "name": "openssl",
-          "version": "3.3.3",
-          "downloadUrl": "https://github.com/openssl/openssl/releases/download/openssl-3.3.3/openssl-3.3.3.tar.gz"
+          "version": "3.3.5",
+          "downloadUrl": "https://github.com/openssl/openssl/releases/download/openssl-3.3.5/openssl-3.3.5.tar.gz"
         }
       }
     },
@@ -31316,4 +31316,4 @@
     }
   ],
   "Version": 1
-}
+}

cgmanifest.json

@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-3.azl3.aarch64.rpm
-openssl-devel-3.3.3-3.azl3.aarch64.rpm
-openssl-libs-3.3.3-3.azl3.aarch64.rpm
-openssl-perl-3.3.3-3.azl3.aarch64.rpm
-openssl-static-3.3.3-3.azl3.aarch64.rpm
+openssl-3.3.5-1.azl3.aarch64.rpm
+openssl-devel-3.3.5-1.azl3.aarch64.rpm
+openssl-libs-3.3.5-1.azl3.aarch64.rpm
+openssl-perl-3.3.5-1.azl3.aarch64.rpm
+openssl-static-3.3.5-1.azl3.aarch64.rpm
 libcap-2.69-7.azl3.aarch64.rpm
 libcap-devel-2.69-7.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-3.azl3.x86_64.rpm
-openssl-devel-3.3.3-3.azl3.x86_64.rpm
-openssl-libs-3.3.3-3.azl3.x86_64.rpm
-openssl-perl-3.3.3-3.azl3.x86_64.rpm
-openssl-static-3.3.3-3.azl3.x86_64.rpm
+openssl-3.3.5-1.azl3.x86_64.rpm
+openssl-devel-3.3.5-1.azl3.x86_64.rpm
+openssl-libs-3.3.5-1.azl3.x86_64.rpm
+openssl-perl-3.3.5-1.azl3.x86_64.rpm
+openssl-static-3.3.5-1.azl3.x86_64.rpm
 libcap-2.69-7.azl3.x86_64.rpm
 libcap-devel-2.69-7.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -287,12 +287,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
 npth-devel-1.6-4.azl3.aarch64.rpm
 ntsysv-1.25-1.azl3.aarch64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-3.azl3.aarch64.rpm
-openssl-debuginfo-3.3.3-3.azl3.aarch64.rpm
-openssl-devel-3.3.3-3.azl3.aarch64.rpm
-openssl-libs-3.3.3-3.azl3.aarch64.rpm
-openssl-perl-3.3.3-3.azl3.aarch64.rpm
-openssl-static-3.3.3-3.azl3.aarch64.rpm
+openssl-3.3.5-1.azl3.aarch64.rpm
+openssl-debuginfo-3.3.5-1.azl3.aarch64.rpm
+openssl-devel-3.3.5-1.azl3.aarch64.rpm
+openssl-libs-3.3.5-1.azl3.aarch64.rpm
+openssl-perl-3.3.5-1.azl3.aarch64.rpm
+openssl-static-3.3.5-1.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
 p11-kit-devel-0.25.0-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -295,12 +295,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
 npth-devel-1.6-4.azl3.x86_64.rpm
 ntsysv-1.25-1.azl3.x86_64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-3.azl3.x86_64.rpm
-openssl-debuginfo-3.3.3-3.azl3.x86_64.rpm
-openssl-devel-3.3.3-3.azl3.x86_64.rpm
-openssl-libs-3.3.3-3.azl3.x86_64.rpm
-openssl-perl-3.3.3-3.azl3.x86_64.rpm
-openssl-static-3.3.3-3.azl3.x86_64.rpm
+openssl-3.3.5-1.azl3.x86_64.rpm
+openssl-debuginfo-3.3.5-1.azl3.x86_64.rpm
+openssl-devel-3.3.5-1.azl3.x86_64.rpm
+openssl-libs-3.3.5-1.azl3.x86_64.rpm
+openssl-perl-3.3.5-1.azl3.x86_64.rpm
+openssl-static-3.3.5-1.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm