diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index d402284977bc35fba2462b2d52e3bc9dea20610f..a5796bc62d3fbf3a199e831b8a7e6807ee00e196 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -4,7 +4,7 @@
 pkgname=openssl
 pkgver=3.3.1
 _abiver=${pkgver%.*.*}
-pkgrel=0
+pkgrel=1
 pkgdesc="Toolkit for Transport Layer Security (TLS)"
 url="https://www.openssl.org/"
 arch="all"
@@ -16,11 +16,16 @@ makedepends="$makedepends_host $makedepends_build"
 subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
 	$pkgname-misc::noarch libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
 source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
+	CVE-2024-5535.patch
+	fix-memleak.patch
+	fix-tserver.patch
 	man-section.patch
 	"
 builddir="$srcdir/openssl-$pkgver"
 
 # secfixes:
+#   3.3.1-r1:
+#     - CVE-2024-5535
 #   3.3.0-r3:
 #     - CVE-2024-4741
 #   3.3.0-r2:
@@ -232,5 +237,8 @@ _libssl() {
 
 sha512sums="
 d3682a5ae0721748c6b9ec2f1b74d2b1ba61ee6e4c0d42387b5037a56ef34312833b6abb522d19400b45d807dd65cc834156f5e891cb07fbaf69fcf67e1c595d  openssl-3.3.1.tar.gz
+a208a2b43cb7a26367d380b4f68832392f38102fe811a3ec5772a2a69197c6441d48446db004aad891995f9b3cab7d1a96044b316e1c823596987fe1ca259d95  CVE-2024-5535.patch
+489f76eb9d96bee98182094dc10e8148f412876d9a6a3cbc230a0f1266c1f1972a401e10f7b4bad6cdfad02fbb9faffee457da3711b9e136b871f7e33aefb685  fix-memleak.patch
+8e3fc2f77294cc75e74b4210be37f2b277ac0612baee4cbc5e709b96af5cc37c09ceb3fa0103e3cff70e163bc3b67320a3331cd9309086f22c7cc2ca7a0dc985  fix-tserver.patch
 8c44e990fe8a820f649631b9f81cf28225b7516065169a7f68e2dd7c067b30df9b2c6cb88fa826afbc9fcdaf156360aabf7c498d2d9ed452968815b12b004809  man-section.patch
 "
diff --git a/main/openssl/CVE-2024-5535.patch b/main/openssl/CVE-2024-5535.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2d0f822b25eea6c4625c91cffc4c9190835dd2e3
--- /dev/null
+++ b/main/openssl/CVE-2024-5535.patch
@@ -0,0 +1,108 @@
+From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24716)
+
+(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e)
+---
+ ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 5ec6ac4b63dc5..4c20ac4bf1fe7 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                           unsigned int server_len,
+                           const unsigned char *client, unsigned int client_len)
+ {
+-    unsigned int i, j;
+-    const unsigned char *result;
+-    int status = OPENSSL_NPN_UNSUPPORTED;
++    PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++    if (!PACKET_buf_init(&cpkt, client, client_len)
++            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++            || PACKET_remaining(&csubpkt) == 0) {
++        *out = NULL;
++        *outlen = 0;
++        return OPENSSL_NPN_NO_OVERLAP;
++    }
++
++    /*
++     * Set the default opportunistic protocol. Will be overwritten if we find
++     * a match.
++     */
++    *out = (unsigned char *)PACKET_data(&csubpkt);
++    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+ 
+     /*
+      * For each protocol in server preference order, see if we support it.
+      */
+-    for (i = 0; i < server_len;) {
+-        for (j = 0; j < client_len;) {
+-            if (server[i] == client[j] &&
+-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+-                /* We found a match */
+-                result = &server[i];
+-                status = OPENSSL_NPN_NEGOTIATED;
+-                goto found;
++    if (PACKET_buf_init(&spkt, server, server_len)) {
++        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++            if (PACKET_remaining(&ssubpkt) == 0)
++                continue; /* Invalid - ignore it */
++            if (PACKET_buf_init(&cpkt, client, client_len)) {
++                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++                                     PACKET_remaining(&ssubpkt))) {
++                        /* We found a match */
++                        *out = (unsigned char *)PACKET_data(&ssubpkt);
++                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++                        return OPENSSL_NPN_NEGOTIATED;
++                    }
++                }
++                /* Ignore spurious trailing bytes in the client list */
++            } else {
++                /* This should never happen */
++                return OPENSSL_NPN_NO_OVERLAP;
+             }
+-            j += client[j];
+-            j++;
+         }
+-        i += server[i];
+-        i++;
++        /* Ignore spurious trailing bytes in the server list */
+     }
+ 
+-    /* There's no overlap between our protocols and the server's list. */
+-    result = client;
+-    status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+-    *out = (unsigned char *)result + 1;
+-    *outlen = result[0];
+-    return status;
++    /*
++     * There's no overlap between our protocols and the server's list. We use
++     * the default opportunistic protocol selected earlier
++     */
++    return OPENSSL_NPN_NO_OVERLAP;
+ }
+ 
+ #ifndef OPENSSL_NO_NEXTPROTONEG
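Review bot: The early-return path at the top of the new body sets `*out = NULL` and `*outlen = 0` while still returning `OPENSSL_NPN_NO_OVERLAP`. A caller that treats NO_OVERLAP as "use the opportunistic protocol in `*out`" therefore receives an empty selection when the client list is NULL, empty or starts with a malformed entry. Nothing in the hunk documents that contract; a comment above the check such as `/* Invalid or empty client list: *out is NULL and *outlen is 0, callers must not treat them as a protocol */` would make it explicit. The backport carries a single commit from the referenced upstream pull request, and whether the in-tree NPN/ALPN callers already cope with a zero-length selection is not visible here, so that is worth confirming before release. The function's signature begins outside the hunk.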
diff --git a/main/openssl/fix-memleak.patch b/main/openssl/fix-memleak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..db5a2eb08a343b499ae3a240f1b05f99c41cd1ac
--- /dev/null
+++ b/main/openssl/fix-memleak.patch
@@ -0,0 +1,31 @@
+From fbd6609bb21b125c9454d07c484d166a33b4815b Mon Sep 17 00:00:00 2001
+From: sgzmd <sigizmund@gmail.com>
+Date: Tue, 25 Jun 2024 15:53:32 +0100
+Subject: [PATCH] Free appname if it was set after initializing crypto.
+
+Fixes #24729
+
+CLA: trivial
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24730)
+---
+ crypto/conf/conf_sap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c
+index 3019bcf31af81..bfe3a5f6f4d5e 100644
+--- a/crypto/conf/conf_sap.c
++++ b/crypto/conf/conf_sap.c
+@@ -38,6 +38,8 @@ void OPENSSL_config(const char *appname)
+         settings.appname = strdup(appname);
+     settings.flags = DEFAULT_CONF_MFLAGS;
+     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
++
++    free(settings.appname);
+ }
+ #endif
+ 
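Review bot: The added `free(settings.appname)` is only correct if `settings.appname` is NULL whenever the `strdup` assignment is not executed, and if `OPENSSL_init_crypto` does not keep the pointer after it returns. Both depend on code outside this hunk, since the start of `OPENSSL_config` is not shown. The deeper indentation of the `strdup` line suggests it is conditional, and `settings` is presumably zero-initialised before it, but this should be confirmed against the 3.3.1 source the patch applies to. A short comment on the new line, for example `/* our strdup() copy; not retained by OPENSSL_init_crypto() */`, would record why the free is safe.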
diff --git a/main/openssl/fix-tserver.patch b/main/openssl/fix-tserver.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aebe2f01fe1088f1509aa78f01bc13c677a48c82
--- /dev/null
+++ b/main/openssl/fix-tserver.patch
@@ -0,0 +1,31 @@
+From fc8ff75814767d6c55ea78d05adc72cd346d0f0a Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:22:13 +0100
+Subject: [PATCH] Use correctly formatted ALPN data in tserver
+
+The QUIC test server was using incorrectly formatted ALPN data. With the
+previous implementation of SSL_select_next_proto this went unnoticed. With
+the new stricter implemenation it was failing.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24716)
+---
+ ssl/quic/quic_tserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
+index b9de60aea15fc..4f30eb14cec8d 100644
+--- a/ssl/quic/quic_tserver.c
++++ b/ssl/quic/quic_tserver.c
+@@ -63,7 +63,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
+ 
+     if (srv->args.alpn == NULL) {
+         alpn = alpndeflt;
+-        alpnlen = sizeof(alpn);
++        alpnlen = sizeof(alpndeflt);
+     } else {
+         alpn = srv->args.alpn;
+         alpnlen = srv->args.alpnlen;