Skip to content

Releases: openssl/openssl

OpenSSL 3.6.1

27 Jan 13:52
@openssl-machine openssl-machine
openssl-3.6.1
c9a9e5b

Choose a tag to compare

View all tags
OpenSSL 3.6.1 Latest
Latest

OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
    (CVE-2025-11187)

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
    (CVE-2025-15467)

  • Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
    (CVE-2025-15468)

  • Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
    (CVE-2025-15469)

  • Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
    (CVE-2025-66199)

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
    (CVE-2025-68160)

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.
    (CVE-2025-69418)

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
    (CVE-2025-69419)

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
    function.
    (CVE-2025-69420)

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
    (CVE-2025-69421)

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
    (CVE-2026-22795)

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.
    (CVE-2026-22796)

  • Fixed a regression in X509_V_FLAG_CRL_CHECK_ALL flag handling by
    restoring its pre-3.6.0 behaviour.

  • Fixed a regression in handling stapled OCSP responses causing handshake
    failures for OpenSSL 3.6.0 servers with various client implementations.

Assets 6
Loading
1 Join discussion

OpenSSL 3.5.5

27 Jan 13:53
@openssl-machine openssl-machine
openssl-3.5.5
67b5686

Choose a tag to compare

View all tags
OpenSSL 3.5.5

OpenSSL 3.5.5 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
    (CVE-2025-11187)

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
    (CVE-2025-15467)

  • Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
    (CVE-2025-15468)

  • Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
    (CVE-2025-15469)

  • Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
    (CVE-2025-66199)

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
    (CVE-2025-68160)

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.
    (CVE-2025-69418)

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
    (CVE-2025-69419)

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
    function.
    (CVE-2025-69420)

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
    (CVE-2025-69421)

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
    (CVE-2026-22795)

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.
    (CVE-2026-22796)

Loading
0 Join discussion

OpenSSL 3.4.4

27 Jan 14:03
@openssl-machine openssl-machine
openssl-3.4.4
565bdcc

Choose a tag to compare

View all tags
OpenSSL 3.4.4

OpenSSL 3.4.4 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
    (CVE-2025-11187)

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
    (CVE-2025-15467)

  • Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
    (CVE-2025-15468)

  • Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
    (CVE-2025-66199)

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
    (CVE-2025-68160)

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.
    (CVE-2025-69418)

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
    (CVE-2025-69419)

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
    function.
    (CVE-2025-69420)

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
    (CVE-2025-69421)

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
    (CVE-2026-22795)

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.
    (CVE-2026-22796)

Loading
0 Join discussion

OpenSSL 3.3.6

27 Jan 14:09
@openssl-machine openssl-machine
openssl-3.3.6
4601ff2

Choose a tag to compare

View all tags
OpenSSL 3.3.6

OpenSSL 3.3.6 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
    (CVE-2025-15467)

  • Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
    (CVE-2025-15468)

  • Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
    (CVE-2025-66199)

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
    (CVE-2025-68160)

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OC
    function calls.
    (CVE-2025-69418)

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
    (CVE-2025-69419)

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
    function.
    (CVE-2025-69420)

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
    (CVE-2025-69421)

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
    (CVE-2026-22795)

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.
    (CVE-2026-22796)

Loading
0 Join discussion

OpenSSL 3.0.19

27 Jan 14:17
@openssl-machine openssl-machine
openssl-3.0.19
a22063c

Choose a tag to compare

View all tags
OpenSSL 3.0.19

OpenSSL 3.0.19 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
    (CVE-2025-15467)

  • Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
    (CVE-2025-68160)

  • Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.
    (CVE-2025-69418)

  • Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
    (CVE-2025-69419)

  • Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
    function.
    (CVE-2025-69420)

  • Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
    (CVE-2025-69421)

  • Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
    (CVE-2026-22795)

  • Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.
    (CVE-2026-22796)

Loading
0 Join discussion

OpenSSL 3.6.0

01 Oct 12:18
@openssl-machine openssl-machine
openssl-3.6.0
7b371d8

Choose a tag to compare

View all tags
OpenSSL 3.6.0

OpenSSL 3.6.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

  • Added NIST security categories for PKEY objects.

  • Added support for EVP_SKEY opaque symmetric key objects to the key
    derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(),
    EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.

  • Added LMS signature verification support as per [SP 800-208]..
    This support is present in both the FIPS and default providers.

  • An ANSI-C toolchain is no longer sufficient for building OpenSSL.
    The code should be built using compilers supporting C-99 features.

  • Support for the VxWorks platforms has been removed.

  • Added an openssl configutl utility for processing the OpenSSL
    configuration file and dumping the equal configuration file.

  • Added support for FIPS 186-5 deterministic ECDSA signature
    generation to the FIPS provider.

  • Deprecated EVP_PKEY_ASN1_METHOD-related functions.

Loading
0 Join discussion

OpenSSL 3.5.4

30 Sep 12:44
@openssl-machine openssl-machine
openssl-3.5.4
c1eeb94

Choose a tag to compare

View all tags
OpenSSL 3.5.4

OpenSSL 3.5.4 is a security patch release. The most severe CVE fixed in this
release is Moderate.

This release incorporates the following bug fixes and mitigations:

  • Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
    (CVE-2025-9230)

  • Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
    (CVE-2025-9231)

  • Fix Out-of-bounds read in HTTP client no_proxy handling.
    (CVE-2025-9232)

  • Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release
    builds, as it broke some exiting applications that relied on the previous
    3.x semantics, as documented in OpenSSL_version(3).

Loading
0 Join discussion

OpenSSL 3.4.3

30 Sep 12:54
@openssl-machine openssl-machine
openssl-3.4.3
474f0e2

Choose a tag to compare

View all tags
OpenSSL 3.4.3

OpenSSL 3.4.3 is a security patch release. The most severe CVE fixed in this
release is Moderate.

This release incorporates the following bug fixes and mitigations:

  • Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
    (CVE-2025-9230)

  • Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
    (CVE-2025-9231)

  • Fix Out-of-bounds read in HTTP client no_proxy handling.
    (CVE-2025-9232)

Loading
0 Join discussion

OpenSSL 3.3.5

30 Sep 13:01
@openssl-machine openssl-machine
openssl-3.3.5
f10934c

Choose a tag to compare

View all tags
OpenSSL 3.3.5

OpenSSL 3.3.5 is a security patch release. The most severe CVE fixed in this
release is Moderate.

This release incorporates the following bug fixes and mitigations:

  • Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
    (CVE-2025-9230)

  • Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
    (CVE-2025-9231)

  • Fix Out-of-bounds read in HTTP client no_proxy handling.
    (CVE-2025-9232)

Loading
0 Join discussion

OpenSSL 3.2.6

30 Sep 13:09
@openssl-machine openssl-machine
openssl-3.2.6
86874e2

Choose a tag to compare

View all tags
OpenSSL 3.2.6

OpenSSL 3.2.6 is a security patch release. The most severe CVE fixed in this
release is Moderate.

This release incorporates the following bug fixes and mitigations:

  • Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
    (CVE-2025-9230)

  • Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
    (CVE-2025-9231)

  • Fix Out-of-bounds read in HTTP client no_proxy handling.
    (CVE-2025-9232)

Loading
0 Join discussion