Skip to content

OpenSSL 3.6.1

Latest
Latest

Choose a tag to compare

View all tags
@openssl-machine openssl-machine released this 27 Jan 13:52
· 1015 commits to master since this release
openssl-3.6.1
c9a9e5b

OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
    (CVE-2025-11187)

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
    (CVE-2025-15467)

  • Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
    (CVE-2025-15468)

  • Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
    (CVE-2025-15469)

  • Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
    (CVE-2025-66199)

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
    (CVE-2025-68160)

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.
    (CVE-2025-69418)

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
    (CVE-2025-69419)

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
    function.
    (CVE-2025-69420)

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
    (CVE-2025-69421)

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
    (CVE-2026-22795)

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.
    (CVE-2026-22796)

  • Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by
    restoring its pre-3.6.0 behaviour.

  • Fixed a regression in handling stapled OCSP responses causing handshake
    failures for OpenSSL 3.6.0 servers with various client implementations.

Assets 6
Loading
1 Join discussion