Skip to content

Upgrade openssl to 3.3.7#16518

Merged
Kanishk-Bansal merged 6 commits intomicrosoft:3.0-devfrom
Kanishk-Bansal:topic_openssl-3.0
Apr 22, 2026
Merged

Upgrade openssl to 3.3.7#16518
Kanishk-Bansal merged 6 commits intomicrosoft:3.0-devfrom
Kanishk-Bansal:topic_openssl-3.0

Conversation

@jykanase
Copy link
Copy Markdown
Contributor

@jykanase jykanase commented Apr 8, 2026
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

Upgrade openssl to 3.3.7

Change Log
  • openssl.spec
  • openssl.signatures.json
  • cgmanifest.json
  • patches.
Does this affect the toolchain?

YES

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Local Build
Screenshot 2026-04-08 230608

@jykanase jykanase requested a review from a team as a code owner April 8, 2026 17:43
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Apr 8, 2026
Kanishk-Bansal
Kanishk-Bansal reviewed Apr 8, 2026
View reviewed changes
Comment thread SPECS/openssl/0004-Override-default-paths-for-the-CA-directory-tree.patch Outdated
Comment thread SPECS/openssl/openssl.spec Outdated
Kanishk-Bansal
Kanishk-Bansal requested changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Kanishk-Bansal Kanishk-Bansal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 — 0001-Replacing-deprecated-functions patch reversal: The rebased patch now removes SSLv3 NULL-return guards and reverts DTLS from DTLS_method() back to dtlsv1_method(). If 3.3.7 handles this internally, it's fine — but needs confirmation is it expected

Kanishk-Bansal
Kanishk-Bansal requested changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Kanishk-Bansal Kanishk-Bansal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Month is missing from changelog

@jykanase jykanase force-pushed the topic_openssl-3.0 branch from 28800ff to fee4bdf Compare April 9, 2026 05:42
Kanishk-Bansal
Kanishk-Bansal approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Kanishk-Bansal Kanishk-Bansal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM , all review comments are now addressed.

This version bump (3.3.5 → 3.3.7) contains only security fixes and makes the package more maintainable by dropping 11 CVE patches that are now included upstream.

@jykanase jykanase force-pushed the topic_openssl-3.0 branch from e0d46d7 to 642729c Compare April 13, 2026 08:13
@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Apr 13, 2026
@tobiasb-ms
Copy link
Copy Markdown
Contributor

tobiasb-ms commented Apr 13, 2026

Given that this is a core toolchain package, can we get a full build with toolchain build?

@tobiasb-ms
Copy link
Copy Markdown
Contributor

tobiasb-ms commented Apr 13, 2026

Have you explicitly tested with this SymCrypt?

@Kanishk-Bansal
Copy link
Copy Markdown
Contributor

Kanishk-Bansal commented Apr 13, 2026

Full Build

@corvus-callidus
Copy link
Copy Markdown
Contributor

corvus-callidus commented Apr 15, 2026

Have you explicitly tested with this SymCrypt?
@jykanase @Kanishk-Bansal

@jykanase
Copy link
Copy Markdown
Contributor Author

jykanase commented Apr 16, 2026
edited
Loading

Have you explicitly tested with this SymCrypt?
@jykanase @Kanishk-Bansal

  1. Installed openssl-3.3.7 when SymCrypt-OpenSSL is installed by default. Tried the following command, it loaded SymCrypt providers: openssl list -digest-algorith
Screenshot 2026-04-16 123114
  1. Removed SymCrypt-OpenSSL package and tried if openssl works:
Screenshot 2026-04-16 123528
  1. When SymCrypt-OpenSSL is not installed, it did not load the providers:
Screenshot 2026-04-16 123650

@jykanase jykanase force-pushed the topic_openssl-3.0 branch from 642729c to e40c972 Compare April 17, 2026 05:01
Kanishk-Bansal
Kanishk-Bansal reviewed Apr 17, 2026
View reviewed changes
Comment thread SPECS/openssl/openssl.spec Outdated
Patch115: CVE-2026-31791.patch
Patch116: CVE-2026-31790.patch

patch100: CVE-2026-31791.patch
Copy link
Copy Markdown
Contributor

@Kanishk-Bansal Kanishk-Bansal Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
patch100: CVE-2026-31791.patch
Patch100: CVE-2026-31791.patch

@jykanase jykanase force-pushed the topic_openssl-3.0 branch from e40c972 to 562d08e Compare April 17, 2026 06:37
@Kanishk-Bansal
Copy link
Copy Markdown
Contributor

Kanishk-Bansal commented Apr 20, 2026

Full Build

corvus-callidus
corvus-callidus approved these changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@corvus-callidus corvus-callidus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Kanishk-Bansal Kanishk-Bansal merged commit 4c95610 into microsoft:3.0-dev Apr 22, 2026
17 checks passed
jslobodzian added a commit that referenced this pull request Apr 25, 2026
@jslobodzian
Revert "Upgrade openssl to 3.3.7 (#16518)"
6bbc0f2 
This reverts commit 4c95610.
AkarshHCL pushed a commit to AkarshHCL/azurelinux that referenced this pull request Apr 27, 2026
@jykanase @AkarshHCL
Upgrade openssl to 3.3.7 (microsoft#16518)
9442d57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kanishk-Bansal Kanishk-Bansal Kanishk-Bansal approved these changes

@christopherco christopherco christopherco approved these changes

@corvus-callidus corvus-callidus corvus-callidus approved these changes

Assignees

No one assigned

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jykanase @tobiasb-ms @Kanishk-Bansal @corvus-callidus @christopherco