
@adamdelarosa

updates openssl from 3.4.3 to 3.5.5 to address cve-2025-15467 - stack buffer overflow in openssl 3.x

the vulnerability affects cms/pkcs7 content processing with aead ciphers and can lead to dos or rce. happens before authentication so no valid keys needed.

changes:

  • resty_openssl_version: 3.4.3 -> 3.5.5
  • resty_openssl_patch_version: 3.4.1 -> 3.5.4 (using closest available patch)
  • updated flavors: alpine, bionic, focal, jammy, noble

verified both the openssl 3.5.5 tarball and openresty 3.5.4 patch are available.

references:
https://nvd.nist.gov/vuln/detail/CVE-2025-15467
https://github.com/openssl/openssl/releases/tag/openssl-3.5.5

Update OpenSSL from 3.4.3 to 3.5.5 to address CVE-2025-15467, a critical
stack buffer overflow vulnerability in OpenSSL versions 3.0 through 3.6.

The vulnerability affects CMS/PKCS#7 content processing with AEAD ciphers
and can lead to denial-of-service or potentially remote code execution.

Changes:
- Update RESTY_OPENSSL_VERSION to 3.5.5 (patched version)
- Update RESTY_OPENSSL_PATCH_VERSION to 3.5.4 (closest available OpenResty patch)
- Affected flavors: alpine, bionic, focal, jammy, noble

References:
- CVE-2025-15467: https://nvd.nist.gov/vuln/detail/CVE-2025-15467
- OpenSSL 3.5.5 Release: https://github.com/openssl/openssl/releases/tag/openssl-3.5.5
the 3.5.4 patch doesn't apply cleanly to 3.5.5 and openresty works fine without it since the patches only add optional ssl session callback features for advanced lua integration
updated building.md to reflect new openssl version and added changelog entry for cve fix
@neomantra
Member

neomantra commented Feb 1, 2026

Thanks for your concern about this. As noted in #291, I won't accept skipping the patching, but I'm glad you are sharing a workaround for those for whom it might not matter. Hopefully it can be resolved soon.

If you wanted to look at why the patches fail and submit a fix for that, I would accept a PR like that. We can include our own patches in this repo that are eventually upstreamed.

created a fixed version of the openresty openssl patch that works with 3.5.5. the original 3.5.4 patch doesn't apply cleanly due to formatting changes in openssl 3.5.5 (changed from "# define" to "#define").

the fixed patch includes all necessary changes for ssl session lookup callbacks that enable lua-based session management in openresty.

tested and verified working on alpine and ubuntu jammy.
@adamdelarosa
Author

hey, first time contributing here so let me know if i missed anything.

i looked into why the 3.5.4 patch wasn't working with openssl 3.5.5. turns out openssl changed their formatting - they removed the space in "# define" and made it "#define". that's why all the hunks were failing.

so i manually fixed the patch to work with 3.5.5 and added it to the repo in patches/openssl-3.5.5-sess_set_get_cb_yield.patch.

tested it locally on my machine and both alpine and ubuntu jammy are building and running fine with openssl 3.5.5. the openresty ssl session stuff works too.

hope this helps get the cve fixed. let me know if you need me to change anything.
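The hunk failure discussed in the comment above ("# define" context lines no longer matching OpenSSL 3.5.5's "#define"), as an added example that is not part of this PR or the project's own code: a small dry-run checker for unified diffs that reports which hunks still apply against a target file and respells the directives so the reworked patch can be re-verified before it goes into the repo. The patch text, header lines and the SSL_SESS_CB_YIELD name are constructed samples, not OpenSSL's real headers or the OpenResty patch.

```python
import re
# Constructed sample (not the real OpenResty patch or OpenSSL headers): the 3.5.4
# patch expects "# define" but 3.5.5 spells it "#define", so the hunk FAILS.
OLD_STYLE_PATCH = """\
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1,3 +1,4 @@
 # define SSL_OP_A 1
 # define SSL_OP_B 2
+# define SSL_SESS_CB_YIELD 3
 # define SSL_OP_C 4
"""
NEW_HEADER = "#define SSL_OP_A 1\n#define SSL_OP_B 2\n#define SSL_OP_C 4\n"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")
FILE_HEADERS = ("--- ", "+++ ", "diff ")

def normalize_directive(line):
    """Rewrite '# define' / '#   ifndef' spelling to the '#define' style."""
    return re.sub(r"^(\s*)#\s+(?=[a-z])", r"\1#", line)

def parse_hunks(patch_text):
    """Return [(old_start, [body lines])] for every @@ hunk of a unified diff."""
    hunks, body = [], None
    for line in patch_text.splitlines():
        if m := HUNK_RE.match(line):
            body = []
            hunks.append((int(m.group(1)), body))
        elif line.startswith(FILE_HEADERS):
            body = None  # a new file header ends the previous hunk
        elif body is not None and line[:1] in (" ", "-", "+"):
            body.append(line)
    return hunks

def check_patch(patch_text, target_text):
    """Dry run like 'patch --dry-run': True per hunk when its ' ' and '-' lines match."""
    target, results = target_text.splitlines(), []
    for old_start, body in parse_hunks(patch_text):
        pos, ok = old_start - 1, True
        for line in body:
            if line[0] == "+":
                continue  # added lines are not checked against the target
            ok = ok and pos < len(target) and target[pos] == line[1:]
            pos += 1
        results.append(ok)
    return results

def retarget_patch(patch_text, target_text):
    """Respell directives in hunk lines; return the fixed patch only if it then applies."""
    fixed = "\n".join(l[0] + normalize_directive(l[1:]) if l[:1] in (" ", "-", "+") else l
                      for l in patch_text.splitlines()) + "\n"
    return fixed if all(check_patch(fixed, target_text)) else None
```

Because `retarget_patch` returns `None` whenever the respelled hunks still do not match, a real code change in the new OpenSSL release is not silently papered over as a whitespace difference.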

@neomantra
Member

Thanks for diving into that! From first skim this is looking in good shape. If you want to add yourself to AUTHORS.md, feel free. I will review the patch deeper later today. But I suspect this will be rolled out tonight.

@adamdelarosa
Author

Thanks! happy to help. let me know if you need anything else when you do the deeper review.

@adamdelarosa
Author

Hope all is well. Just wanted to check in on this when you get a chance. Let me know if you need anything else from me!

@neomantra
Member

neomantra commented Feb 3, 2026

I have a reviewed and squashed commit rolling through on my fork. GitHub Action Runners were broken yesterday, continuing on today. Hopefully it all goes through today, but the full build takes many hours.
Thanks again for this work. Yesterday an identical patch was submitted upstream by another person. Once it is committed upstream, I will remove the version check and local patch.

@adamdelarosa
Author

Cool, thanks for this and let me know if I can help.
