From ec623498fa18d9f9ee41409244cb83e7d07ec8fc Mon Sep 17 00:00:00 2001
From: Jon Maloy
Date: Mon, 17 Nov 2025 20:45:50 -0500
Subject: [PATCH] * Mon Nov 17 2025 Jon Maloy - 20241117-8 - edk2-openssl-flatten-contents-of-openssl-tarball.patch [RHEL-115922] - edk2-Bumped-openssl-submodule-to-version-3.0.7-29.1.patch [RHEL-115922] - Resolves: RHEL-115922 (CVE-2025-9230 edk2: Out-of-bounds read & write in RFC 3211 KEK Unwrap [rhel-9.8])
---
 .gitignore | 1 +
 edk2.spec | 10 ++++++++--
 sources | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 7f6a640..6e3e6e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
 /DBXUpdate-20250610.x64.bin
 /DBXUpdate-20251016.x64.bin
+/openssl-rhel-4000c8f49c400db3c5b4e8ccdd9af6cc3d04da19.tar.xz
diff --git a/edk2.spec b/edk2.spec
index 9393faf..39145c6 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -6,7 +6,7 @@ ExclusiveArch: x86_64 aarch64
 %define TOOLCHAIN GCC
 %define OPENSSL_VER 3.0.7
-%define OPENSSL_HASH 0205b589887203b065154ddc8e8107c4ac8625a1
+%define OPENSSL_HASH 4000c8f49c400db3c5b4e8ccdd9af6cc3d04da19
 %define DBXDATE 20251016
@@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64
 Name: edk2
 Version: %{GITDATE}
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL: http://www.tianocore.org
@@ -444,6 +444,12 @@ install -m 0644 \
 %changelog
+* Mon Nov 17 2025 Jon Maloy - 20241117-8
+- edk2-openssl-flatten-contents-of-openssl-tarball.patch [RHEL-115922]
+- edk2-Bumped-openssl-submodule-to-version-3.0.7-29.1.patch [RHEL-115922]
+- Resolves: RHEL-115922
+ (CVE-2025-9230 edk2: Out-of-bounds read & write in RFC 3211 KEK Unwrap [rhel-9.8])
+
 * Mon Nov 17 2025 Jon Maloy - 20241117-7
 - edk2-make-dbxupdate.sh-get-version-tag-add-to-commit-mess.patch [RHEL-126100]
 - edk2-update-dbx-to-20251016-v1.6.1.patch [RHEL-126100]
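Review bot: The new `%define OPENSSL_HASH` value in the first edk2.spec hunk has no comment saying which OpenSSL build that commit corresponds to, although it appears to be the only spec change that brings in the CVE-2025-9230 fix. `OPENSSL_VER` stays at 3.0.7, so someone auditing the bundled OpenSSL from the defines alone cannot tell a fixed tarball from an unfixed one. The 3.0.7-29.1 level appears only in the changelog entry added in the third hunk. I would add a comment directly above the define, for example `# openssl-rhel commit 4000c8f4 = openssl 3.0.7-29.1 (RHEL-115922, CVE-2025-9230)`, and update it on every hash bump.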
diff --git a/sources b/sources
index d958add..f4149c0 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 SHA512 (DBXUpdate-20251016.x64.bin) = 0452d2c302f702eeb2d549fd5ac4b3c3623172de9559a881bc92875590f3c5b65e301b880f5f76786e22b1af145b2aa6e58c74fef00a279950f3d6641aef484e
 SHA512 (dtc-1.7.0.tar.xz) = d3ba6902a9a2f2cdbaff55f12fca3cfe4a1ec5779074a38e3d8b88097c7abc981835957e8ce72971e10c131e05fde0b1b961768e888ff96d89e42c75edb53afb
 SHA512 (edk2-0f3867fa6ef0.tar.xz) = 256280ea6f777d1c0f6b803ec791b28955d6568128f303bbf1447f512dc808c5a72f1e8074d9cebb89605c330569fcdcf2d5fdf5611bf3c442c72c67a5a100e0
-SHA512 (openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz) = 07db9535df29873a3884a411e6ab5c3ea6783b9773cd0923f5b2be1273c0e3e984a2f3a80bd1a637995eda018fa6372b6d1eb41000be07cdf5972938c74f51e9
+SHA512 (openssl-rhel-4000c8f49c400db3c5b4e8ccdd9af6cc3d04da19.tar.xz) = d8799124732c376b1712d571fd41b959d68888205ee31f62cc0aec5af30906346db0bd37fa4e418e5594eda4c03db2d0c4d127b469e946a15de330865b0ac5d2