
chore(deps): update dependency openssl/openssl to v3.6.3 #41

Status: Open
renovate[bot] wants to merge 1 commit into main from renovate/openssl-openssl-3.x

Conversation

renovate[bot] (Contributor) commented Jun 13, 2026

This PR contains the following updates:

Package          Update  Change
openssl/openssl  patch   3.6.2 -> 3.6.3

Release Notes

openssl/openssl (openssl/openssl)

v3.6.3: OpenSSL 3.6.3


OpenSSL 3.6.3 is a security patch release. The most severe CVE fixed
in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify().
    (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages.
    (CVE-2026-34182)

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler.
    (CVE-2026-34183)

  • Fixed double-free when checking OCSP stapled response.
    (CVE-2026-35188)

  • Fixed NULL pointer dereference in QUIC server initial packet handling.
    (CVE-2026-42764)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path.
    (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
    (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption.
    (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing.
    (CVE-2026-34180)

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys.
    (CVE-2026-34181)

  • Fixed NULL dereference in certificate verification with OCSP Checking.
    (CVE-2026-42765)

  • Fixed possible NULL dereference in password-based CMS decryption.
    (CVE-2026-42766)

  • Fixed NULL pointer dereference in CRMF EncryptedValue decryption.
    (CVE-2026-42767)

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()
    and PKCS7_decrypt().
    (CVE-2026-42768)

  • Fixed trust anchor substitution via cert/issuer typo in CMP
    rootCaKeyUpdate.
    (CVE-2026-42769)

  • Fixed FFC-DH peer validation uses attacker-supplied q.
    (CVE-2026-42770)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV
    and AES-SIV modes.
    (CVE-2026-45446)


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] added the "dependencies" label (Pull requests that update a dependency file) on Jun 13, 2026
Copilot AI review requested due to automatic review settings, June 13, 2026 15:47
renovate[bot] added the "filigran team" label (Item from the Filigran team) and the "dependencies" label on Jun 13, 2026

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
