.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,47 +1 @@
-.build*.log
+SOURCES/openssl-1.1.1k-hobbled.tar.xz
-clog
-000*.patch
-*.src.rpm
-openssl-1.0.0a-usa.tar.bz2
-/openssl-1.0.0b-usa.tar.bz2
-/openssl-1.0.0c-usa.tar.bz2
-/openssl-1.0.0d-usa.tar.bz2
-/openssl-1.0.0e-usa.tar.bz2
-/openssl-1.0.0f-usa.tar.bz2
-/openssl-1.0.0g-usa.tar.xz
-/openssl-1.0.1-beta2-usa.tar.xz
-/openssl-1.0.1-beta3-usa.tar.xz
-/openssl-1.0.1-usa.tar.xz
-/openssl-1.0.1a-usa.tar.xz
-/openssl-1.0.1b-usa.tar.xz
-/openssl-1.0.1c-usa.tar.xz
-/openssl-1.0.1e-usa.tar.xz
-/openssl-1.0.1e-hobbled.tar.xz
-/openssl-1.0.1g-hobbled.tar.xz
-/openssl-1.0.1h-hobbled.tar.xz
-/openssl-1.0.1i-hobbled.tar.xz
-/openssl-1.0.1j-hobbled.tar.xz
-/openssl-1.0.1k-hobbled.tar.xz
-/openssl-1.0.2a-hobbled.tar.xz
-/openssl-1.0.2c-hobbled.tar.xz
-/openssl-1.0.2d-hobbled.tar.xz
-/openssl-1.0.2e-hobbled.tar.xz
-/openssl-1.0.2f-hobbled.tar.xz
-/openssl-1.0.2g-hobbled.tar.xz
-/openssl-1.0.2h-hobbled.tar.xz
-/openssl-1.0.2i-hobbled.tar.xz
-/openssl-1.0.2j-hobbled.tar.xz
-/openssl-1.1.0b-hobbled.tar.xz
-/openssl-1.1.0c-hobbled.tar.xz
-/openssl-1.1.0d-hobbled.tar.xz
-/openssl-1.1.0e-hobbled.tar.xz
-/openssl-1.1.0f-hobbled.tar.xz
-/openssl-1.1.0g-hobbled.tar.xz
-/openssl-1.1.0h-hobbled.tar.xz
-/openssl-1.1.1-pre8-hobbled.tar.xz
-/openssl-1.1.1-pre9-hobbled.tar.xz
-/openssl-1.1.1-hobbled.tar.xz
-/openssl-1.1.1b-hobbled.tar.xz
-/openssl-1.1.1c-hobbled.tar.xz
-/openssl-1.1.1g-hobbled.tar.xz
-/openssl-1.1.1k-hobbled.tar.xz

.openssl.metadata

@@ -0,0 +1 @@
+6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz

SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch

@@ -1,13 +1,11 @@
 diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
 --- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg	2021-03-25 14:28:38.000000000 +0100
 +++ openssl-1.1.1k/ssl/statem/extensions.c	2021-06-24 16:16:19.526181743 +0200
-@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
+@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
  #ifndef OPENSSL_NO_SRP
  static int init_srp(SSL *s, unsigned int context);
  #endif
-+#ifndef OPENSSL_NO_EC
 +static int init_ec_point_formats(SSL *s, unsigned int context);
-+#endif
  static int init_etm(SSL *s, unsigned int context);
  static int init_ems(SSL *s, unsigned int context);
  static int final_ems(SSL *s, unsigned int context, int sent);
@@ -20,11 +18,10 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
          tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
          final_ec_pt_formats
      },
-@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
+@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
  }
  #endif
  
-+#ifndef OPENSSL_NO_EC
 +static int init_ec_point_formats(SSL *s, unsigned int context)
 +{
 +	    OPENSSL_free(s->ext.peer_ecpointformats);
@@ -33,7 +30,6 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
 +
 +	    return 1;
 +}
-+#endif
 +
  static int init_etm(SSL *s, unsigned int context)
  {

SOURCES/openssl-1.1.1-cve-2024-4741.patch

@@ -0,0 +1,70 @@
+From adf9a23d1a95c8378a81b720012b2f80aff618e2 Mon Sep 17 00:00:00 2001
+From: Watson Ladd <watsonbladd@gmail.com>
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24395)
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h       | 1 +
+ ssl/ssl_lib.c             | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index b2a7a47..7a67fd3 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -80,6 +80,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++    if (rl->rstate == SSL_ST_READ_BODY)
++        return 1;
++    if (RECORD_LAYER_processed_read_pending(rl))
++        return 1;
++    return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index af56206..513ab39 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 21e6c45..82236d8 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5209,6 +5209,9 @@ int SSL_free_buffers(SSL *ssl)
+     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+         return 0;
+ 
++    if (RECORD_LAYER_data_present(rl))
++        return 0;
++
+     RECORD_LAYER_release(rl);
+     return 1;
+ }
+-- 
+2.54.0
+

SOURCES/openssl-1.1.1-cve-2026-45447.patch

@@ -0,0 +1,260 @@
+From 4ae990ae9c7f47ac214527dc5685e5df0c82d6b9 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Tue, 2 Jun 2026 14:55:02 +0200
+Subject: [PATCH] Fix double-free of caller-owned BIO in PKCS7_verify
+
+When PKCS7_dataInit creates no filter BIOs (e.g. empty digestAlgorithms
+SET), it returns p7bio pointing directly to the caller's indata BIO.
+The cleanup code in PKCS7_verify then frees indata via BIO_free_all(p7bio),
+leaving the caller with a dangling pointer and causing a double-free
+when the caller frees its own BIO.
+
+Guard BIO_free_all with a check that p7bio is not the caller's indata BIO.
+
+Add a regression test using a crafted S/MIME message with an empty
+digestAlgorithms SET to verify the fix.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+---
+ crypto/pkcs7/pk7_smime.c                      |   5 +-
+ test/build.info                               |   7 +-
+ test/pkcs7_verify_test.c                      | 104 ++++++++++++++++++
+ test/recipes/25-test_pkcs7_verify.t           |  20 ++++
+ .../pkcs7-empty-digest-set.eml                |  45 ++++++++
+ 5 files changed, 179 insertions(+), 2 deletions(-)
+ create mode 100644 test/pkcs7_verify_test.c
+ create mode 100644 test/recipes/25-test_pkcs7_verify.t
+ create mode 100644 test/recipes/25-test_pkcs7_verify_data/pkcs7-empty-digest-set.eml
+
+diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
+index a95db62178..3e3ceda3cf 100644
+--- a/crypto/pkcs7/pk7_smime.c
++++ b/crypto/pkcs7/pk7_smime.c
+@@ -363,8 +363,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+     if (tmpin == indata) {
+         if (indata)
+             BIO_pop(p7bio);
++        if (p7bio != indata)
++            BIO_free_all(p7bio);
++    } else {
++        BIO_free_all(p7bio);
+     }
+-    BIO_free_all(p7bio);
+     sk_X509_free(signers);
+     return ret;
+ }
+diff --git a/test/build.info b/test/build.info
+index 6357a7f2fe..648be6bbfc 100644
+--- a/test/build.info
++++ b/test/build.info
+@@ -51,7 +51,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
+           recordlentest drbgtest drbg_cavs_test sslbuffertest \
+           time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
+           servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \
+-          sysdefaulttest errtest ssl_ctx_test gosttest
++          sysdefaulttest errtest ssl_ctx_test gosttest \
++          pkcs7_verify_test
+ 
+   SOURCE[versions]=versions.c
+   INCLUDE[versions]=../include
+@@ -574,6 +575,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
+   INCLUDE[ssl_ctx_test]=../include
+   DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a
+ 
++  SOURCE[pkcs7_verify_test]=pkcs7_verify_test.c
++  INCLUDE[pkcs7_verify_test]=../include
++  DEPEND[pkcs7_verify_test]=../libcrypto libtestutil.a
++
+ {-
+    use File::Spec::Functions;
+    use File::Basename;
+diff --git a/test/pkcs7_verify_test.c b/test/pkcs7_verify_test.c
+new file mode 100644
+index 0000000000..932c2589ae
+--- /dev/null
++++ b/test/pkcs7_verify_test.c
+@@ -0,0 +1,104 @@
++/*
++ * Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <openssl/pkcs7.h>
++#include <openssl/bio.h>
++#include <openssl/err.h>
++#include <openssl/objects.h>
++#include "testutil.h"
++
++static const char *emlfile;
++
++/*
++ * Regression test for a double-free of the caller-owned indata BIO in
++ * PKCS7_verify.  When the PKCS7 digestAlgorithms SET is empty,
++ * PKCS7_dataInit creates no digest filter BIOs and returns p7bio == indata.
++ * The cleanup code then frees the caller's BIO via BIO_free_all(p7bio).
++ *
++ * The test uses a crafted S/MIME message whose PKCS7 signature has an empty
++ * digestAlgorithms SET.  The detached content is re-wrapped through a
++ * file-backed BIO to bypass the tmpin memory-BIO optimisation in
++ * PKCS7_verify (which would mask the bug).
++ */
++static int test_pkcs7_verify_empty_md_algs(void)
++{
++    int ret = 0;
++    BIO *bio_eml = NULL;
++    BIO *indata_mem = NULL;
++    BIO *indata = NULL;
++    PKCS7 *p7 = NULL;
++    char *mem_ptr = NULL;
++    long mem_len;
++    FILE *tmpf = NULL;
++
++    if (!TEST_ptr(bio_eml = BIO_new_file(emlfile, "r")))
++        goto err;
++
++    if (!TEST_ptr(p7 = SMIME_read_PKCS7(bio_eml, &indata_mem)))
++        goto err;
++
++    /* Confirm the test data has an empty digestAlgorithms SET */
++    if (!TEST_int_eq(sk_X509_ALGOR_num(p7->d.sign->md_algs), 0))
++        goto err;
++
++    /*
++     * Re-wrap content through a file BIO so BIO_method_type != BIO_TYPE_MEM.
++     * This forces tmpin == indata in PKCS7_verify, hitting the vulnerable path.
++     */
++    mem_len = BIO_get_mem_data(indata_mem, &mem_ptr);
++    if (!TEST_ptr(tmpf = tmpfile()))
++        goto err;
++    if (fwrite(mem_ptr, 1, mem_len, tmpf) != (size_t)mem_len) {
++        fclose(tmpf);
++        TEST_error("failed to write to temp file");
++        goto err;
++    }
++    fflush(tmpf);
++    rewind(tmpf);
++    if (!TEST_ptr(indata = BIO_new_fp(tmpf, BIO_CLOSE)))  {
++        fclose(tmpf);
++        goto err;
++    }
++
++    /*
++     * NOVERIFY: skip cert chain validation
++     * NOSIGS:   skip signature verification
++     * We only care about the BIO lifecycle, not cryptographic validity.
++     */
++    PKCS7_verify(p7, NULL, NULL, indata, NULL,
++                 PKCS7_NOVERIFY | PKCS7_NOSIGS);
++
++    /*
++     * If the bug is present, indata has already been freed by PKCS7_verify.
++     * BIO_free will crash (use-after-free / double-free).  Under ASan this
++     * is detected reliably; without ASan it may silently corrupt the heap.
++     */
++    BIO_free(indata);
++    indata = NULL;
++
++    ret = 1;
++
++err:
++    BIO_free(indata);
++    BIO_free(indata_mem);
++    PKCS7_free(p7);
++    BIO_free(bio_eml);
++    return ret;
++}
++
++int setup_tests(void)
++{
++    if (!TEST_ptr(emlfile = test_get_argument(0))) {
++        TEST_note("usage: pkcs7_verify_test <eml-file>");
++        return 0;
++    }
++
++    ADD_TEST(test_pkcs7_verify_empty_md_algs);
++    return 1;
++}
+diff --git a/test/recipes/25-test_pkcs7_verify.t b/test/recipes/25-test_pkcs7_verify.t
+new file mode 100644
+index 0000000000..7666467f8c
+--- /dev/null
++++ b/test/recipes/25-test_pkcs7_verify.t
+@@ -0,0 +1,20 @@
++#! /usr/bin/env perl
++# Copyright 2026 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the OpenSSL license (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++use strict;
++use warnings;
++
++use OpenSSL::Test qw/:DEFAULT data_file/;
++
++setup("test_pkcs7_verify");
++
++plan tests => 1;
++
++ok(run(test(["pkcs7_verify_test",
++             data_file("pkcs7-empty-digest-set.eml")])),
++   "PKCS7_verify with empty digestAlgorithms does not double-free indata");
+diff --git a/test/recipes/25-test_pkcs7_verify_data/pkcs7-empty-digest-set.eml b/test/recipes/25-test_pkcs7_verify_data/pkcs7-empty-digest-set.eml
+new file mode 100644
+index 0000000000..a6db2c38ad
+--- /dev/null
++++ b/test/recipes/25-test_pkcs7_verify_data/pkcs7-empty-digest-set.eml
+@@ -0,0 +1,45 @@
++MIME-Version: 1.0
++Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E0314CC5D732C92AE2D7A3BACDCDCFCE"
++
++This is an S/MIME signed message
++
++------E0314CC5D732C92AE2D7A3BACDCDCFCE
++This is the content to be signed.
++
++------E0314CC5D732C92AE2D7A3BACDCDCFCE
++Content-Type: application/x-pkcs7-signature; name="smime.p7s"
++Content-Transfer-Encoding: base64
++Content-Disposition: attachment; filename="smime.p7s"
++
++MIIFWgYJKoZIhvcNAQcCoIIFSzCCBUcCAQExADALBgkqhkiG9w0BBwGgggLuMIIC
++6jCCAdKgAwIBAgIUL5E46FxyhsT7C3G1NS27OtR7XAowDQYJKoZIhvcNAQELBQAw
++FTETMBEGA1UEAwwKUG9DIFNpZ25lcjAeFw0yNjA1MDgxMDIwNDhaFw0yNzA1MDgx
++MDIwNDhaMBUxEzARBgNVBAMMClBvQyBTaWduZXIwggEiMA0GCSqGSIb3DQEBAQUA
++A4IBDwAwggEKAoIBAQDSSu/gupmIlclvmTMHiqOrCqmB8NRTjAMoI//MPJrnFXYp
++FjDPMk7Y/kCcHztudaIvADkowaFtOm4oMinQFhjwCNCo5K5WrrlAitnpcd5QH2nA
++iVZXjjohQUJEd7n33AGqTwo5EGaCK+alAZL7tA7bdhNi/aZ33L3bUNYqoHbXiNsE
++u1tj8frLfIjduOt0TMPSOrrFjjEsrL3T3tg+HmxpalDHz7E6o9zJu0wlk8bcR2Xk
++mpX8RdYCu7K9m39N1F2WKa9WJh24NQLpWRfwD213jaIFK2EXy/XHePDUeiMYtVOV
++oovCSmY7OqowupA7J+4dcsnRjFqgZECctHhAfk+PAgMBAAGjMjAwMB0GA1UdDgQW
++BBRZlupXNYq4fny0SE76sr/CdQ2DUTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
++DQEBCwUAA4IBAQANOlttTWVz620JNTrPzhiR4x9+5UiF4GSqv8BRJQFj3Xh7fsUp
+++3GDs9M27f4FVh3utJsjt7Sa9ZWLpBVdgjGBwGLAtPsoYMjhnUgZTUvwEk5+aXyv
++zJxn4I7mMbDhlNCMHcVtGdtA+2UOEuvdGfuEilpzPsV8DzM1K3xU5bSWoo0BRFKK
++srHkyEfxCFPAQOcX80ZbMO6zdcXeJjC6mQXGqy2aqeQob0vuSZJ7QHZBlRjY5YHR
++wWlIqG8G3Eist16iTqdX2PQFZT1/QAEQ/LnXARTUUjUroccdci8YNASoeHDpcjRL
++MBrN+QBNZVt5qLhDogwZb2ZwqKfZ8Aqg3oAkMYICPzCCAjsCAQEwLTAVMRMwEQYD
++VQQDDApQb0MgU2lnbmVyAhQvkTjoXHKGxPsLcbU1Lbs61HtcCjANBglghkgBZQME
++AgEFAKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
++Fw0yNjA1MDgxMDIwNDhaMC8GCSqGSIb3DQEJBDEiBCAvyoHfycLqb8UzVPizy1uA
++o3h7tza3HebeiJaSnpIJHzB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjAL
++BglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMC
++AgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkq
++hkiG9w0BAQEFAASCAQBIpl7U2j4YiU1vdZHyx2dCK41ZahtTVOB4RVJcrmopgans
++fICdkSTfb0dVqc13++bYn4i1b2R2os5YIkoGxdrM5aZB7KF9r1xwgrendTF4/BwP
++gQq2khNtKebv9Yr0kOPynFIsgx5BHk99wrzfwidJUFuJJgQ9W0YOf7EGkbnZvPT+
++hV0aeLmJAb5jjWhbDciqUjR3O23JQhzVj4U3vo2TeN7VYmNJsX+fA4sZzIbYSei9
++ps7GZruiRcKgqgUj1l8HjIGMHqd9lccchk/BYyAGxAbgGisntvfJdPZO09wG8rHh
++eS6FYkkXAKBO49WbhE9aVLJH0zgA6gTfyEvOOOS1
++
++------E0314CC5D732C92AE2D7A3BACDCDCFCE--
++
+-- 
+2.54.0
+

SPECS/openssl.spec

@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1k
-Release: 15%{?dist}
+Release: 16%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -99,14 +99,17 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
 # Backport from OpenSSL 3.2/RHEL 9
 # Proper fix for CVE-2020-25659
 Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
-# Backport from OpenSSL 3.0
+# Backport from OpenSSL 3.2
 # Fix for CVE-2024-5535
 Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
+# Fix for CVE-2025-9230
 Patch110: openssl-1.1.1-cve-2025-9230.patch
 Patch111: openssl-1.1.1-ticket_lifetime_hint.patch
-# Fix for CVE-2025-69419
+# Fix for CVE-2025-69419 (next two)
 Patch112: openssl-1.1.1-hardening-from-openssl-3.0.1.patch
 Patch113: openssl-1.1.1-cve-2025-69419.patch
+Patch114: openssl-1.1.1-cve-2026-45447.patch
+Patch115: openssl-1.1.1-cve-2024-4741.patch
 
 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
@@ -185,66 +188,68 @@ from other formats to the formats used by the OpenSSL toolkit.
 cp %{SOURCE12} crypto/ec/
 cp %{SOURCE13} test/
 
-%patch1 -p1 -b .build   %{?_rawbuild}
+%patch -P1 -p1 -b .build   %{?_rawbuild}
-%patch2 -p1 -b .defaults
+%patch -P2 -p1 -b .defaults
-%patch3 -p1 -b .no-html  %{?_rawbuild}
+%patch -P3 -p1 -b .no-html  %{?_rawbuild}
-%patch4 -p1 -b .man-rename
+%patch -P4 -p1 -b .man-rename
 
-%patch31 -p1 -b .conf-paths
+%patch -P31 -p1 -b .conf-paths
-%patch32 -p1 -b .version-add-engines
+%patch -P32 -p1 -b .version-add-engines
-%patch33 -p1 -b .dgst
+%patch -P33 -p1 -b .dgst
-%patch36 -p1 -b .no-brainpool
+%patch -P36 -p1 -b .no-brainpool
-%patch37 -p1 -b .curves
+%patch -P37 -p1 -b .curves
-%patch38 -p1 -b .no-weak-verify
+%patch -P38 -p1 -b .no-weak-verify
-%patch40 -p1 -b .sslv3-abi
+%patch -P40 -p1 -b .sslv3-abi
-%patch41 -p1 -b .system-cipherlist
+%patch -P41 -p1 -b .system-cipherlist
-%patch42 -p1 -b .fips
+%patch -P42 -p1 -b .fips
-%patch44 -p1 -b .version-override
+%patch -P44 -p1 -b .version-override
-%patch45 -p1 -b .weak-ciphers
+%patch -P45 -p1 -b .weak-ciphers
-%patch46 -p1 -b .seclevel
+%patch -P46 -p1 -b .seclevel
-%patch47 -p1 -b .ts-sha256-default
+%patch -P47 -p1 -b .ts-sha256-default
-%patch48 -p1 -b .fips-post-rand
+%patch -P48 -p1 -b .fips-post-rand
-%patch49 -p1 -b .evp-kdf
+%patch -P49 -p1 -b .evp-kdf
-%patch50 -p1 -b .ssh-kdf
+%patch -P50 -p1 -b .ssh-kdf
-%patch51 -p1 -b .intel-cet
+%patch -P51 -p1 -b .intel-cet
-%patch52 -p1 -b .s390x-update
+%patch -P52 -p1 -b .s390x-update
-%patch53 -p1 -b .crng-test
+%patch -P53 -p1 -b .crng-test
-%patch55 -p1 -b .arm-update
+%patch -P55 -p1 -b .arm-update
-%patch56 -p1 -b .s390x-ecc
+%patch -P56 -p1 -b .s390x-ecc
-%patch60 -p1 -b .krb5-kdf
+%patch -P60 -p1 -b .krb5-kdf
-%patch61 -p1 -b .edk2-build
+%patch -P61 -p1 -b .edk2-build
-%patch62 -p1 -b .fips-curves
+%patch -P62 -p1 -b .fips-curves
-%patch65 -p1 -b .drbg-selftest
+%patch -P65 -p1 -b .drbg-selftest
-%patch66 -p1 -b .fips-dh
+%patch -P66 -p1 -b .fips-dh
-%patch67 -p1 -b .kdf-selftest
+%patch -P67 -p1 -b .kdf-selftest
-%patch69 -p1 -b .alpn-cb
+%patch -P69 -p1 -b .alpn-cb
-%patch70 -p1 -b .rewire-fips-drbg
+%patch -P70 -p1 -b .rewire-fips-drbg
-%patch74 -p1 -b .addrconfig
+%patch -P74 -p1 -b .addrconfig
-%patch75 -p1 -b .tls13-curves
+%patch -P75 -p1 -b .tls13-curves
-%patch76 -p1 -b .cleanup-reneg
+%patch -P76 -p1 -b .cleanup-reneg
-%patch77 -p1 -b .s390x-aes
+%patch -P77 -p1 -b .s390x-aes
-%patch78 -p1 -b .addr-ipv6
+%patch -P78 -p1 -b .addr-ipv6
-%patch79 -p1 -b .servername-cb
+%patch -P79 -p1 -b .servername-cb
-%patch80 -p1 -b .s390x-test-aes
+%patch -P80 -p1 -b .s390x-test-aes
-%patch81 -p1 -b .read-buff
+%patch -P81 -p1 -b .read-buff
-%patch82 -p1 -b .cve-2022-0778
+%patch -P82 -p1 -b .cve-2022-0778
-%patch83 -p1 -b .replace-expired-certs
+%patch -P83 -p1 -b .replace-expired-certs
-%patch84 -p1 -b .cve-2022-1292
+%patch -P84 -p1 -b .cve-2022-1292
-%patch85 -p1 -b .cve-2022-2068
+%patch -P85 -p1 -b .cve-2022-2068
-%patch86 -p1 -b .cve-2022-2097
+%patch -P86 -p1 -b .cve-2022-2097
-%patch101 -p1 -b .cve-2022-4304
+%patch -P101 -p1 -b .cve-2022-4304
-%patch102 -p1 -b .cve-2022-4450
+%patch -P102 -p1 -b .cve-2022-4450
-%patch103 -p1 -b .cve-2023-0215
+%patch -P103 -p1 -b .cve-2023-0215
-%patch104 -p1 -b .cve-2023-0286
+%patch -P104 -p1 -b .cve-2023-0286
-%patch105 -p1 -b .cve-2023-3446
+%patch -P105 -p1 -b .cve-2023-3446
-%patch106 -p1 -b .cve-2023-3817
+%patch -P106 -p1 -b .cve-2023-3817
-%patch107 -p1 -b .cve-2023-5678
+%patch -P107 -p1 -b .cve-2023-5678
-%patch108 -p1 -b .pkcs15imprejection
+%patch -P108 -p1 -b .pkcs15imprejection
-%patch109 -p1 -b .cve-2024-5535
+%patch -P109 -p1 -b .cve-2024-5535
-%patch110 -p1 -b .cve-2025-9230
+%patch -P110 -p1 -b .cve-2025-9230
-%patch111 -p1 -b .ticket_lifetime_hint
+%patch -P111 -p1 -b .ticket_lifetime_hint
-%patch112 -p1 -b .cve-2025-69419-1
+%patch -P112 -p1 -b .cve-2025-69419-1
-%patch113 -p1 -b .cve-2025-69419-2
+%patch -P113 -p1 -b .cve-2025-69419-2
+%patch -P114 -p1 -b .cve-2026-45447
+%patch -P115 -p1 -b .cve-2024-4741
 
 %build
 # Figure out which flags we want to use.
@@ -528,65 +533,69 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jun 01 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-16
+- Fix CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify()
+  Resolves: RHEL-180978
+- Fix CVE-2024-4741: Use After Free with SSL_free_buffers
+  Resolves: RHEL-180983
+
 * Thu Feb 12 2026 Antonio Vieiro <avieirov@redhat.com> - 1:1.1.1k-15
 - Fix CVE-2025-69419: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
-  Resolves: RHEL-142010
+  ticket_lifetime_hint exceed 1 week in TLSv1.3 and breaks compliant clients
+  Resolves: RHEL-149165
+  Resolves: RHEL-142715
 
-* Mon Dec 08 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14
+* Mon Dec 22 2025 Nikita Sanjay Patwa <npatwa@redhat.com> - 1:1.1.1k-14.1
-- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap
+- Backport fix for openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
   Fix CVE-2025-9230
-  Resolves: RHEL-128613
+  Resolves: RHEL-128615
-- Fix bug for ticket_lifetime_hint exceed issue
-  Resolves: RHEL-119891
 
-* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
+* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
-- Backport fix SSL_select_next proto from OpenSSL 3.2  
+- Backport fix SSL_select_next proto from OpenSSL 3.2
   Fix CVE-2024-5535 
   Resolves: RHEL-45654
 
 * Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
 - Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
   (a proper fix for CVE-2020-25659)
-  Resolves: RHEL-17696
+  Resolves: RHEL-17694
 
 * Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
 - Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
   excessively long X9.42 DH keys or parameters may be very slow
-  Resolves: RHEL-16538
+  Resolves: RHEL-16536
 
 * Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
 - Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
-  Resolves: RHEL-14245
+  Resolves: RHEL-14243
 - Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
-  Resolves: RHEL-14239
+  Resolves: RHEL-14237
 
-* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
+* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
 - Fixed Timing Oracle in RSA Decryption
   Resolves: CVE-2022-4304
 - Fixed Double free after calling PEM_read_bio_ex
   Resolves: CVE-2022-4450
 - Fixed Use-after-free following BIO_new_NDEF
   Resolves: CVE-2023-0215
+
+* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
 - Fixed X.400 address type confusion in X.509 GeneralName
   Resolves: CVE-2023-0286
 
-* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
-- Fix no-ec build
-  Resolves: rhbz#2071020
-
 * Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
 - Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
   Resolves: CVE-2022-2097
 - Update expired certificates used in the testsuite
-  Resolves: rhbz#2092462
+  Resolves: rhbz#2100554
 - Fix CVE-2022-1292: openssl: c_rehash script allows command injection
-  Resolves: rhbz#2090372
+  Resolves: rhbz#2090371
 - Fix CVE-2022-2068: the c_rehash script allows command injection
-  Resolves: rhbz#2098279
+  Resolves: rhbz#2098278
 
 * Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
 - Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
-- Resolves: rhbz#2067146
+- Resolves: rhbz#2067145
 
 * Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
 - Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

fixpatch

@@ -1,15 +0,0 @@
-#!/bin/sh
-# Fixes patch from upstream tracker view
-gawk '
-BEGIN {
-   dir=""
-}
-/^Index: openssl\// {
-   dir = $2
-}
-/^(---|\+\+\+)/ {
-   $2 = dir
-}
-{
-   print
-}'

gating.yaml

@@ -1,9 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}

openssl-1.1.1-ignore-bound.patch

@@ -1,14 +0,0 @@
-Do not return failure when setting version bound on fixed protocol
-version method.
-diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
---- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
-@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
-          * methods are not subject to controls that disable individual protocol
-          * versions.
-          */
--        return 0;
-+        return 1;
- 
-     case TLS_ANY_VERSION:
-         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)

plans/ci.fmf

@@ -1,26 +0,0 @@
-/fips-disabled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/openssl
-      name: /Plans/ci/fips-disabled-buildroot-disabled
-
-
-/fips-disabled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/openssl
-      name: /Plans/ci/fips-disabled-buildroot-enabled
-
-
-/fips-enabled-buildroot-disabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/openssl
-      name: /Plans/ci/fips-enabled-buildroot-disabled
-
-
-/fips-enabled-buildroot-enabled:
-  plan:
-    import:
-      url: https://pkgs.devel.redhat.com/git/tests/openssl
-      name: /Plans/ci/fips-enabled-buildroot-enabled

sources

@@ -1 +0,0 @@
-SHA512 (openssl-1.1.1k-hobbled.tar.xz) = dd48b6200bcda1938c362888789bf0dbac7dbcc80b15a32794e25f6cbe8f727b6f8d1302a2bc43708da79124db9e5a5d27446ec1c91cf1e270aba1d8664d65d8