
[v26.1.x] build/deps: upgrade openssl to 3.5.7#30811

Closed
vbotbuildovich wants to merge 1 commit into
redpanda-data:v26.1.xfrom
vbotbuildovich:ai-backport-pr-30797-v26.1.x-1781545316

Conversation

@vbotbuildovich

Collaborator

Backport of PR #30797

  • Command: git cherry-pick -x 5532af6 43de174 c94e77d 28126a4
  • Commits backported: 4
  • Conflicts resolved: 1
  • Commits skipped (already on target): 3
  • Backport branch: ai-backport-pr-30797-v26.1.x-1781545316

Conflict details

  • 5532af6 (bazel/repositories.bzl): the openssl http_archive diverged — target branch had 3.5.6, the commit upgrades to 3.5.7 and adds the openssl-reproducible-buildinf.patch. Took the incoming side to apply the upgrade.
  • 5532af6 (MODULE.bazel.lock): generated lockfile conflict, accepted theirs.

Skipped commits

  • 43de174: empty after cherry-pick (changes already present on target).
  • c94e77d: empty after cherry-pick (changes already present on target).
  • 28126a4: a "Merge branch 'dev' into fix/upgrade-openssl-3.5.7" merge commit. It carries only unrelated dev-integration changes (65 files, none touching openssl/repositories.bzl/MODULE.bazel) and no PR-specific conflict resolution, so it was not backported onto the release branch. The PR's openssl upgrade is fully captured by 5532af6.

⚠️ Generated files

The following files were cherry-picked and may need regeneration:

  • MODULE.bazel.lock

These files were accepted as-is from the source branch. Before merging,
regenerate them on the target branch to ensure they're correct. For example:

  • MODULE.bazel.lock: run bazel mod deps --lockfile_mode=update

Fixes 10 CVEs present in 3.5.6, all resolved in 3.5.7:
CVE-2026-45447, CVE-2026-45446, CVE-2026-45445, CVE-2026-42770,
CVE-2026-42769, CVE-2026-42766, CVE-2026-42764, CVE-2026-34183,
CVE-2026-34182, CVE-2026-34180.

Only the non-FIPS build is affected. The FIPS provider remains
pinned to OpenSSL 3.1.2 (CMVP cert #4985).

(cherry picked from commit 5532af6)
@vbotbuildovich vbotbuildovich added this to the v26.1.x-next milestone Jun 15, 2026
@vbotbuildovich vbotbuildovich added the kind/backport PRs targeting a stable branch label Jun 15, 2026
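The backport above touches the openssl http_archive pin (version, sha256 and the new reproducible-buildinf patch) and then asks for the lockfile to be regenerated on the target branch. As an added example, not code from the redpanda repository or the backport bot, the following Python checks that such a pin is internally consistent before anyone runs the Bazel regeneration step: the version in strip_prefix and every URL matches the intended release, the sha256 attribute matches the archive bytes actually obtained, and every listed patch file exists in the tree. The stanza template, the mirror URL, the archive bytes and the patch set are constructed stand-ins, not the real bazel/repositories.bzl contents or a real OpenSSL tarball.

```python
"""Sanity-check a Bazel http_archive pin after a dependency bump.

Added example; not code from the redpanda repository. The stanza,
URL, archive bytes and patch set below are constructed for illustration.
"""
import hashlib
import re

# Constructed Starlark text in the shape of an http_archive() call. It is a
# stand-in for the kind of stanza a backport edits, not the real
# bazel/repositories.bzl contents. The mirror URL is hypothetical.
STANZA_TEMPLATE = '''
http_archive(
    name = "openssl",
    sha256 = "{sha256}",
    strip_prefix = "openssl-{version}",
    urls = ["https://mirror.example.invalid/openssl/openssl-{version}.tar.gz"],
    patches = ["//bazel/patches:openssl-reproducible-buildinf.patch"],
)
'''

# Constructed stand-in for the downloaded tarball. A real check hashes the
# bytes fetched from the pinned URL instead.
ARCHIVE_BYTES = b"constructed tarball stand-in, not an OpenSSL release\n"

# Hypothetical set of patch files present in the repository.
AVAILABLE_PATCHES = {"openssl-reproducible-buildinf.patch"}

# key = "string" or key = [ ... ] inside one http_archive() call
_ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\[[^\]]*\])', re.S)


def parse_http_archive(text, name):
    """Return the attributes of the http_archive() whose name is `name`.

    String attributes come back as str, list attributes as list[str].
    """
    for call in re.findall(r'http_archive\((.*?)\n\)', text, re.S):
        attrs = {}
        for key, raw in _ATTR_RE.findall(call):
            if raw.startswith("["):
                attrs[key] = re.findall(r'"([^"]*)"', raw)
            else:
                attrs[key] = raw.strip('"')
        if attrs.get("name") == name:
            return attrs
    raise KeyError(f"no http_archive named {name!r}")


def expected_digest(archive_bytes):
    """SHA-256 hex digest of the archive bytes, as Bazel would compute it."""
    return hashlib.sha256(archive_bytes).hexdigest()


def check_pin(stanza_text, name, expected_version, archive_bytes, available_patches):
    """Return a list of findings; an empty list means the pin is consistent."""
    attrs = parse_http_archive(stanza_text, name)
    findings = []

    # 1. strip_prefix and every URL must name the release we intend to ship.
    prefix = attrs.get("strip_prefix", "")
    if not prefix.endswith("-" + expected_version):
        findings.append(f"strip_prefix {prefix!r} does not match {expected_version}")
    for url in attrs.get("urls", []):
        if expected_version not in url:
            findings.append(f"url {url!r} does not reference {expected_version}")

    # 2. The pinned digest must be well-formed and match the fetched archive.
    pinned = attrs.get("sha256", "").lower()
    actual = expected_digest(archive_bytes)
    if not re.fullmatch(r"[0-9a-f]{64}", pinned):
        findings.append("sha256 attribute is not a 64-hex-digit digest")
    elif pinned != actual:
        findings.append(f"sha256 mismatch: pinned {pinned[:12]}..., archive {actual[:12]}...")

    # 3. Every patch label must resolve to a file that exists in the tree.
    for label in attrs.get("patches", []):
        basename = label.rsplit(":", 1)[-1].rsplit("/", 1)[-1]
        if basename not in available_patches:
            findings.append(f"patch {label!r} is not present in the repository")
    return findings


def render_stanza(version, sha256):
    """Fill the constructed template with a version and digest."""
    return STANZA_TEMPLATE.format(version=version, sha256=sha256)


if __name__ == "__main__":
    good = render_stanza("3.5.7", expected_digest(ARCHIVE_BYTES))
    print(check_pin(good, "openssl", "3.5.7", ARCHIVE_BYTES, AVAILABLE_PATCHES))
    stale = render_stanza("3.5.6", "0" * 64)
    print(check_pin(stale, "openssl", "3.5.7", ARCHIVE_BYTES, AVAILABLE_PATCHES))
```

The digest comparison is the part that matters for supply-chain integrity: a merge conflict resolved by "taking the incoming side" can leave a URL and strip_prefix pointing at the new release while the sha256 line still carries the old value (or vice versa), and Bazel will only tell you at fetch time. Running a check like this against the bytes from the pinned URL, before regenerating MODULE.bazel.lock, catches that on the target branch rather than in CI.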
@tyson-redpanda

Contributor

Superseded by a new PR from origin with the corrected MODULE.bazel.lock (regenerated via bazel mod tidy on v26.1.x).


Labels

area/build kind/backport PRs targeting a stable branch
