chore(deps): update dependency libressl/portable to v4.2.0

[openvpn-inc-ci]

This PR contains the following updates:

Package	Update	Change
libressl/portable	minor	v4.1.0 -> v4.2.0

---

Release Notes

libressl/portable (libressl/portable)

v4.2.0

Compare Source

Portable changes

• Added explicit OpenBSD/ISC license to build system / scripts.
• Fixed compilation on more CPU targets by removing architecture-specific
  definitions from header files.
• Fixed builds in deep paths by using relative paths for linking.
• Fixed Windows builds with Clang and CMake.
• Fixed Windows error handling accepting connections with nc.
• Fixed 32-bit ARM builds on Darwin.

Internal improvements

• Cleaned up code implementing block cipher modes of operation.
  Includes untangling a horrible #ifdef mess and removing a few
  instances of undefined behavior.
• Removed assembly implementations of AES using bit slicing (BS-AES)
  and vector permutation (VP-AES).
• Removed OPENSSL_SMALL_FOOTPRINT and OPENSSL_FIPSAPI.
• Implemented constant time EC field element operations to allow
  elliptic curve operations without bignum arithmetic.
• Implemented an EC method using homogeneous projective coordinates.
  This will allow exception-free elliptic curve arithmetic in
  constant time in future releases.
• Started cleaning up the openssl speed implementation.
• The last SIGILL-based CPU capability detection was removed.
  Instead, capabilities are now detected using a constructor on
  library load, which improves the incomplete coverage by calls
  to OPENSSL_init_crypto() on various entry points.
• Rework and simplify AES handling in EVP. In particular, AES-NI
  is now handled in the AES internal code and no longer requires
  the use of EVP.
• Added a public API for ML-KEM. This is not yet documented in a
  manpage and may not be in its final form. This will be used to
  support X25519MLKEM768 in libssl.

Compatibility changes

• Removed the -msie_hack option from the openssl(1) ca subcommand.
• Removed parameters of the 239-bit prime curves from X9.62, H.5.2:
  prime239v1, prime239v2, prime239v3.
• Increased default MAC salt length used by PKCS12_set_mac(3) to 16
  per recommendation of NIST SP 800-132.
• Encrypted PKCS#8 key files now use a default password-based key
  derivation function that is acceptable in the present millenium.
• const corrected EVP_PKEY_get{0,1}_{DH,DSA,EC_KEY,RSA}().
• X509_CRL_verify() now checks that the AlgorithmIdentifiers in the
  signature and the tbsCertList are identical.
• Of the old *err() only PEMerr(), RSAerr(), and SSLerr() remain.
• Removed BIO_s_log(), X509_PKEY_{new,free}(), PEM_X509_INFO_read()
  and PEM_X509_INFO_write_bio().
• Re-expose the ASN.1 Boolean template items.
• opensslconf.h is now machine-independent.

New features

• Allow specifying ALPN in nc(1) via -Talpn="http/1.1,http:/1.0".

Bug fixes

• Avoid pointer arithmetic on NULL for memory BIOs.
• Fix leaks and use-after-frees in PKCS7 attribute handling.
• Ensure p and q in RSA private key have a minimum distance of
  2^(bits/2 - 100) as specified in NIST SP 800-56B Revision 2.

Security fixes

• Fix out-of-bounds read and write, memory leaks and incorrect
  error check for CMS enveloped data.

Documentation

• Rewrote most of the EC documentation from scratch to be at least
  somewhat accurate and intelligible.
• Updated documentation for SMIME_{read,write}* to match reality.

Testing and proactive security

• Added a testing framework that will help deduplicating lots of
  ad-hoc code in the regression tests.
• Converted the Wycheproof testing framework to use testvectors_v1.
  This in combination with a few new tests significantly increases
  regress coverage.

Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog

v4.1.1

Compare Source

An incorrect length check can result in a 4-byte overwrite and an 8-byte

overread. From Stanislav Fort and Viktor Dukhovni via OpenSSL.
CVE-2025-9230.

Full changelog: https://github.com/libressl/portable/blob/master/ChangeLog

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.