
Update openssl to 3.6.3 #256

Open

gominimal-pkgmgr-mgr[bot] wants to merge 2 commits into main from update-openssl-3.6.3

Conversation

@gominimal-pkgmgr-mgr (Contributor)

Update openssl 3.6.2 → 3.6.3

Source: github:openssl/openssl:in-series
Release: https://github.com/openssl/openssl/releases/tag/openssl-3.6.3
Changelog: openssl/openssl@openssl-3.6.2...openssl-3.6.3
Released: unknown (non-GitHub source or tag-only fallback)

Pkgscan: clean — diff against the prior version surfaced no newly-introduced suspicious patterns.

Vulnerability impact

Partition analysis at 3.6.3 (uses each advisory's fixed-version, vulnerable-range, affected-ranges, and fix-commit ancestry to decide):

  • 17 cleared — the new version is outside the advisory's affected range, OR the tag's lineage includes a known fix-commit. These will drop off the next scan.

Vulnerabilities fixed (17)

This update clears 17 vulnerabilities affecting 3.6.2:

| CVE / GHSA | CPE | Severity | Fixed in |
| --- | --- | --- | --- |
| CVE-2026-34182 | (openssl, openssl) | CRITICAL | 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-34180 | (openssl, openssl) | HIGH | 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-34181 | (openssl, openssl) | HIGH | 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-34183 | (openssl, openssl) | HIGH | 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-42764 | (openssl, openssl) | HIGH | 3.5.7, 3.6.3 |
| CVE-2026-42765 | (openssl, openssl) | HIGH | 3.6.3 |
| CVE-2026-45445 | (openssl, openssl) | HIGH | 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-45447 | (openssl, openssl) | HIGH | 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-7383 | (openssl, openssl) | HIGH | 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-9076 | (openssl, openssl) | HIGH | 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-35188 | (openssl, openssl) | MEDIUM | 3.6.3 |
| CVE-2026-42766 | (openssl, openssl) | MEDIUM | 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-42767 | (openssl, openssl) | MEDIUM | 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-42769 | (openssl, openssl) | MEDIUM | 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-45446 | (openssl, openssl) | MEDIUM | 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-42768 | (openssl, openssl) | LOW | 3.4.6, 3.5.7, 3.6.3 |
| CVE-2026-42770 | (openssl, openssl) | LOW | 3.0.21, 3.4.6, 3.5.7, 3.6.3 |
Advisory summaries

  • CVE-2026-34182 — Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various pot… (Published 2026-06-09)
  • CVE-2026-34180 — Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platfo… (Published 2026-06-09)
  • CVE-2026-34181 — Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certifi… (Published 2026-06-09)
  • CVE-2026-34183 — Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unb… (Published 2026-06-09)
  • CVE-2026-42764 — Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer … (Published 2026-06-09)
  • CVE-2026-42765 — Issue summary: When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a … (Published 2026-06-09)
  • CVE-2026-45445 — Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact sum… (Published 2026-06-09)
  • CVE-2026-45447 — Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes… (Published 2026-06-09)
  • CVE-2026-7383 — Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may… (Published 2026-06-09)
  • CVE-2026-9076 — Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in… (Published 2026-06-09)
  • CVE-2026-35188 — Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verificatio… (Published 2026-06-09)
  • CVE-2026-42766 — Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application … (Published 2026-06-09)
  • CVE-2026-42767 — Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference ca… (Published 2026-06-09)
  • CVE-2026-42769 — Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation inef… (Published 2026-06-09)
  • CVE-2026-45446 — Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of … (Published 2026-06-09)
  • CVE-2026-42768 — Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/… (Published 2026-06-09)
  • CVE-2026-42770 — Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which present… (Published 2026-06-09)

Components changed

CycloneDX component delta (declared materials — the package's own version, not a dependency-tree diff)

| Component | Old | New |
| --- | --- | --- |
| ~ openssl | 3.6.2 | 3.6.3 |
| ~ openssl-upstream | 3.6.2 | 3.6.3 |

Changes

| | Old | New |
| --- | --- | --- |
| Version | 3.6.2 | 3.6.3 |
| SHA256 | bc7dc809d1842e4a... | c5524dd6bfaa8e8f... |
| Size | 55.1 MB | 55.1 MB |
| Source | gs://minimal-staging-archives/openssl/openssl/openssl-3.6.2.tar.gz | gs://minimal-staging-archives/openssl/openssl/openssl-3.6.3.tar.gz |
  • License: Apache-2.0 ⚠️ GitHub says Apache-2.0, tarball says Pixar

Quality suggestions

  • Missing tests block. This package has no standalone tests, so the buildbot will only verify compilation — not functional correctness. Consider adding a minimal smoke test (e.g., a --version or small round-trip invocation) as part of this PR so future bumps catch regressions. See packages/python/build.ncl for a simple example.

Created by pkgmgr

gominimal-pkgmgr-mgr Bot and others added 2 commits June 16, 2026 19:42
…warm)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>