Update OpenSSL to 3.5.5

adamdelarosa · neomantra · commit b4a6f88bc2f2 · 2026-02-03T07:23:32.000-05:00
Update OpenSSL from 3.4.3 to 3.5.5 to address CVE-2025-15467, a critical stack buffer overflow vulnerability in OpenSSL versions 3.0 through 3.6. Changes: - Update RESTY_OPENSSL_VERSION to 3.5.5 (patched version) - Update RESTY_OPENSSL_PATCH_VERSION to 3.5.5 (new upstream OpenResty patch) - Affected flavors: alpine, bionic, focal, jammy, noble References: - CVE-2025-15467: https://nvd.nist.gov/vuln/detail/CVE-2025-15467 - OpenSSL 3.5.5 Release: https://github.com/openssl/openssl/releases/tag/openssl-3.5.5 Signed-off-by: Evan Wies <evan@neomantra.net>
diff --git a/AUTHORS.md b/AUTHORS.md
@@ -14,3 +14,4 @@ We'd like to thank the following people for their commits:
 - Joel Linn <jl@conductive.de>
 - Kshitij Joshi <kshitijmjoshi@gmail.com>
 - Duncan Schulze <duschulze@gmail.com>
+- Adam Delarosa <gojiradam@gmail.com>
diff --git a/BUILDING.md b/BUILDING.md
@@ -45,8 +45,8 @@ docker build --build-arg RESTY_J=4 -f jammy/Dockerfile .
 | RESTY_IMAGE_TAG                         | "noble" / "3.22.2" | The Debian or Alpine Docker image tag to build `FROM`. |
 | RESTY_VERSION                           | 1.27.1.2 | The version of OpenResty to use. |
 | RESTY_LUAROCKS_VERSION                  | 3.12.2 | The version of LuaRocks to use. |
-| RESTY_OPENSSL_VERSION                   | 3.4.3 | The version of OpenSSL to use. |
-| RESTY_OPENSSL_PATCH_VERSION             | 3.4.1 | The version of OpenSSL to use when patching. |
+| RESTY_OPENSSL_VERSION                   | 3.5.5 | The version of OpenSSL to use. |
+| RESTY_OPENSSL_PATCH_VERSION             | 3.5.5 | The version of OpenSSL to use when patching. |
 | RESTY_OPENSSL_URL_BASE                  | "https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}" | The base of the URL to download OpenSSL from. |
 | RESTY_OPENSSL_BUILD_OPTIONS             | "enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-md2 enable-ktls enable-fips" | Options to tweak Resty's OpenSSL build. |
 | RESTY_PCRE_VERSION                      | 10.44 | The version of PCRE2 to use. |
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,12 @@
 `docker-openresty` Changelog
 ============================
 
-## 1.27.1.2-9 (2026-01-30)
+## 1.27.1.2-9 (2026-02-03)
+
+ * Upgrade OpenSSL to 3.5.5 (fixes CVE-2025-15467) (#291)
+ * ci: Resolve tagged-release issue
+
+## 1.27.1.2-8 (2026-01-11)
 
  * ci: Resolve tagged-release issue
  
diff --git a/alpine/Dockerfile b/alpine/Dockerfile
@@ -14,8 +14,8 @@ ARG RESTY_IMAGE_TAG="3.22.2"
 ARG RESTY_VERSION="1.27.1.2"
 
 # https://github.com/openresty/openresty-packaging/blob/master/alpine/openresty-openssl3/APKBUILD
-ARG RESTY_OPENSSL_VERSION="3.4.3"
-ARG RESTY_OPENSSL_PATCH_VERSION="3.4.1"
+ARG RESTY_OPENSSL_VERSION="3.5.5"
+ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
diff --git a/bionic/Dockerfile b/bionic/Dockerfile
@@ -15,8 +15,8 @@ ARG RESTY_VERSION="1.27.1.2"
 ARG RESTY_LUAROCKS_VERSION="3.12.2"
 
 # https://github.com/openresty/openresty-packaging/blob/master/deb/openresty-openssl3/debian/rules
-ARG RESTY_OPENSSL_VERSION="3.4.3"
-ARG RESTY_OPENSSL_PATCH_VERSION="3.4.1"
+ARG RESTY_OPENSSL_VERSION="3.5.5"
+ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
diff --git a/focal/Dockerfile b/focal/Dockerfile
@@ -15,8 +15,8 @@ ARG RESTY_VERSION="1.27.1.2"
 ARG RESTY_LUAROCKS_VERSION="3.12.2"
 
 # https://github.com/openresty/openresty-packaging/blob/master/deb/openresty-openssl3/debian/rules
-ARG RESTY_OPENSSL_VERSION="3.4.3"
-ARG RESTY_OPENSSL_PATCH_VERSION="3.4.1"
+ARG RESTY_OPENSSL_VERSION="3.5.5"
+ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
diff --git a/jammy/Dockerfile b/jammy/Dockerfile
@@ -15,8 +15,8 @@ ARG RESTY_VERSION="1.27.1.2"
 ARG RESTY_LUAROCKS_VERSION="3.12.2"
 
 # https://github.com/openresty/openresty-packaging/blob/master/deb/openresty-openssl3/debian/rules
-ARG RESTY_OPENSSL_VERSION="3.4.3"
-ARG RESTY_OPENSSL_PATCH_VERSION="3.4.1"
+ARG RESTY_OPENSSL_VERSION="3.5.5"
+ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
diff --git a/noble/Dockerfile b/noble/Dockerfile
@@ -15,8 +15,8 @@ ARG RESTY_VERSION="1.27.1.2"
 ARG RESTY_LUAROCKS_VERSION="3.12.2"
 
 # https://github.com/openresty/openresty-packaging/blob/master/deb/openresty-openssl3/debian/rules
-ARG RESTY_OPENSSL_VERSION="3.4.3"
-ARG RESTY_OPENSSL_PATCH_VERSION="3.4.1"
+ARG RESTY_OPENSSL_VERSION="3.5.5"
+ARG RESTY_OPENSSL_PATCH_VERSION="3.5.5"
 ARG RESTY_OPENSSL_URL_BASE="https://github.com/openssl/openssl/releases/download/openssl-${RESTY_OPENSSL_VERSION}"
 # LEGACY:  "https://www.openssl.org/source/old/1.1.1"
 ARG RESTY_OPENSSL_BUILD_OPTIONS="enable-camellia enable-seed enable-rfc3779 enable-cms enable-md2 enable-rc5 \
