Package Release Info

openssl-3-3.5.0-160000.7.1

Update Info: Base Release
Available in Package Hub: 16.0

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

libopenssl-3-devel-32bit
libopenssl-3-fips-provider-32bit
libopenssl3-32bit

Change Logs

* Thu Mar 26 2026 pmonreal@suse.com
- Security fixes:
  * CVE-2026-28387: Potential use-after-free in DANE client code
    (bsc#1260441)
  * CVE-2026-28388: NULL Pointer Dereference When Processing a
    Delta (bsc#1260442)
  * CVE-2026-28389: Possible NULL dereference when processing CMS
    KeyAgreeRecipientInfo (bsc#1260443)
  * CVE-2026-31789: Heap buffer overflow in hexadecimal conversion
    (bsc#1260444)
  * CVE-2026-31790: Incorrect failure handling in RSA KEM RSASVE
    encapsulation (bsc#1260445)
  * CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS
    EnvelopedData message with KeyTransportRecipientInfo (bsc#1261678)
  * Add patches: openssl-CVE-2026-28387.patch
    openssl-CVE-2026-28388.patch openssl-CVE-2026-28388-tests.patch
    openssl-CVE-2026-28389.patch openssl-CVE-2026-31789.patch
    openssl-CVE-2026-31790.patch openssl-CVE-2026-31790-tests.patch
    openssl-CVE-2026-28390.patch
- Fix NULL pointer dereference when processing an OCSP response
  * Add patch openssl-NULL-pointer-dereference-in-ocsp_find_signer_sk.patch
* Sun Mar 22 2026 lucas.mulling@suse.com
- Security fix:
  * CVE-2026-2673: TLS 1.3 servers may choose unexpected key agreement group (bsc#1259652)
    Added patch openssl-CVE-2026-2673.patch
    Added patch openssl-crypto-mem.c-factor-out-memory-allocation-failure-reporting.patch
    Added patch openssl-Add-array-memory-allocation-routines.patch
* Tue Feb 24 2026 angel.yankov@suse.com
- Enable MD2 in legacy provider (jsc#PED-15724)
* Tue Jan 27 2026 lucas.mulling@suse.com
- Security fixes:
  * Missing ASN1_TYPE validation in PKCS#12 parsing
  - openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
  * ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
  - openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
  * Missing ASN1_TYPE validation in TS_RESP_verify_response() function
  - openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
  * NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
  - openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
  * Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
  - openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
  * TLS 1.3 CompressedCertificate excessive memory allocation
  - openssl-CVE-2025-66199.patch [bsc#1256833, CVE-2025-66199]
  * Heap out-of-bounds write in BIO_f_linebuffer on short writes
  - openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
  * Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
  - openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
  * 'openssl dgst' one-shot codepath silently truncates inputs greater than 16MB
  - openssl-CVE-2025-15469.patch [bsc#1256832, CVE-2025-15469]
  * Stack buffer overflow in CMS AuthEnvelopedData parsing
  - openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
  - openssl-CVE-2025-15467-comments.patch
  - openssl-CVE-2025-15467-test.patch
  * Improper validation of PBMAC1 parameters in PKCS#12 MAC verification
  - openssl-CVE-2025-11187.patch [bsc#1256829, CVE-2025-11187]
  * NULL dereference in SSL_CIPHER_find() function on unknown cipher ID
  - openssl-CVE-2025-15468.patch [bsc#1256831, CVE-2025-15468]
- Enable livepatching support for ppc64le [bsc#1257274]
* Wed Oct 01 2025 lucas.mulling@suse.com
- Security fix: [bsc#1250232 CVE-2025-9230]
  * Fix out-of-bounds read & write in RFC 3211 KEK unwrap
  * Add patch openssl3-CVE-2025-9230.patch
- Security fix: [bsc#1250233 CVE-2025-9231]
  * Fix timing side-channel in SM2 algorithm on 64 bit ARM
  * Add patch openssl3-CVE-2025-9231.patch
- Security fix: [bsc#1250234 CVE-2025-9232]
  * Fix out-of-bounds read in HTTP client no_proxy handling
  * Add patch openssl3-CVE-2025-9232.patch
* Sun Aug 17 2025 lucas.mulling@suse.com
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
* Wed Jul 30 2025 pmonreal@suse.com
- Disable LTO for userspace livepatching [jsc#PED-13245]
* Thu May 29 2025 pmonreal@suse.com
- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014]
  * Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]
* Mon May 26 2025 lucas.mulling@suse.com
- Security fix: [bsc#1243564, CVE-2025-4575]
  * Fix the x509 application adding trusted use instead of rejected use
  * Add openssl-CVE-2025-4575.patch
* Thu May 15 2025 pmonreal@suse.com
- FIPS: Fix the speed command in FIPS mode for KMAC
  * Add openssl-FIPS-Fix-openssl-speed-KMAC.patch