diff --git a/packages/openssl/backport-e96d224.patch b/packages/openssl/backport-e96d224.patch
new file mode 100644
index 0000000000..7ce3103726
--- /dev/null
+++ b/packages/openssl/backport-e96d224.patch
@@ -0,0 +1,61 @@
+From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 20 May 2025 16:34:10 +0200
+Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
+ of rejection
+
+Fixes CVE-2025-4575
+
+Reviewed-by: Dmitry Belyavskiy
+Reviewed-by: Paul Dale
+(Merged from https://github.com/openssl/openssl/pull/27672)
+
+(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)
+---
+ apps/x509.c | 2 +-
+ test/recipes/25-test_x509.t | 12 +++++++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/apps/x509.c b/apps/x509.c
+index fdae8f383a667..0c340c15b321a 100644
+--- a/apps/x509.c
++++ b/apps/x509.c
+@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
+ prog, opt_arg());
+ goto opthelp;
+ }
+- if (!sk_ASN1_OBJECT_push(trust, objtmp))
++ if (!sk_ASN1_OBJECT_push(reject, objtmp))
+ goto end;
+ trustout = 1;
+ break;
+diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
+index 09b61708ff8a5..dfa0a428f5f0c 100644
+--- a/test/recipes/25-test_x509.t
++++ b/test/recipes/25-test_x509.t
+@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
+ 
+ setup("test_x509");
+ 
+-plan tests => 134;
++plan tests => 138;
+ 
+ # Prevent MSys2 filename munging for arguments that look like file paths but
+ # aren't
+@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
+ && run(app(["openssl", "verify", "-no_check_time",
+ "-trusted", $ca, "-partial_chain", $caout])));
+ 
++# test trust decoration
++ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
++ "-out", "ca-trusted.pem"])));
++cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
++ 1, 'trusted use - E-mail Protection');
++ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
++ "-out", "ca-rejected.pem"])));
++cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
++ 1, 'rejected use - E-mail
Protection');
++
+ subtest 'x509 -- x.509 v1 certificate' => sub {
+ tconversion( -type => 'x509', -prefix => 'x509v1',
+ -in => srctop_file("test", "testx509.pem") );
diff --git a/packages/openssl/build.sh b/packages/openssl/build.sh
index 51723bf639..c8ffaa60c9 100644
--- a/packages/openssl/build.sh
+++ b/packages/openssl/build.sh
@@ -2,9 +2,9 @@ TERMUX_PKG_HOMEPAGE=https://www.openssl.org/
 TERMUX_PKG_DESCRIPTION="Library implementing the SSL and TLS protocols as well as general purpose cryptography functions"
 TERMUX_PKG_LICENSE="Apache-2.0"
 TERMUX_PKG_MAINTAINER="@termux"
-TERMUX_PKG_VERSION=1:3.4.1
+TERMUX_PKG_VERSION=1:3.5.0
 TERMUX_PKG_SRCURL=https://github.com/openssl/openssl/releases/download/openssl-${TERMUX_PKG_VERSION:2}/openssl-${TERMUX_PKG_VERSION:2}.tar.gz
-TERMUX_PKG_SHA256=002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3
+TERMUX_PKG_SHA256=344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0
 TERMUX_PKG_AUTO_UPDATE=false
 TERMUX_PKG_DEPENDS="ca-certificates, zlib"
 TERMUX_PKG_CONFFILES="etc/tls/openssl.cnf"
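Review bot: The reason this patch is carried, and the condition for dropping it, are recorded only inside the patch's own header ("Fixes CVE-2025-4575", cherry-pick of 0eb9acc); build.sh never references the file, so the next version bump can either keep a stale patch that no longer applies or remove it before a release that actually contains the fix. Assuming the build system applies every `*.patch` in the package directory automatically (nothing visible here confirms that), a comment next to `TERMUX_PKG_VERSION` such as `# backport-e96d224.patch: upstream fix for CVE-2025-4575 (x509 -addreject granted trust instead of rejection); drop once the tarball contains e96d224` would make the lifecycle explicit. It also matters operationally: the built binary still reports 3.5.0, so version-keyed vulnerability scanners will flag this package as affected, and the comment gives the maintainer something to point at. The one-token change `trust` → `reject` and the four added test assertions match the upstream commit as far as the hunk shows.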
@@ -17,21 +17,26 @@ TERMUX_PKG_REPLACES="openssl-tool (<< 1.1.1b-1), openssl-dev"
 termux_step_configure() {
 # Certain packages are not safe to build on device because their
 # build.sh script deletes specific files in $TERMUX_PREFIX.
- if $TERMUX_ON_DEVICE_BUILD; then
+ if [[ "$TERMUX_ON_DEVICE_BUILD" == 'true' ]]; then
 termux_error_exit "Package '$TERMUX_PKG_NAME' is not safe for on-device builds."
 fi
 CFLAGS+=" -DNO_SYSLOG"
- perl -p -i -e "s@TERMUX_CFLAGS@$CFLAGS@g" Configure
- rm -Rf $TERMUX_PREFIX/lib/libcrypto.* $TERMUX_PREFIX/lib/libssl.*
- test $TERMUX_ARCH = "arm" && TERMUX_OPENSSL_PLATFORM="android-arm"
- test $TERMUX_ARCH = "aarch64" && TERMUX_OPENSSL_PLATFORM="android-arm64"
- test $TERMUX_ARCH = "i686" && TERMUX_OPENSSL_PLATFORM="android-x86"
- test $TERMUX_ARCH = "x86_64" && TERMUX_OPENSSL_PLATFORM="android-x86_64"
- ./Configure $TERMUX_OPENSSL_PLATFORM \
- --prefix=$TERMUX_PREFIX \
- --openssldir=$TERMUX_PREFIX/etc/tls \
+ sed -i "s@TERMUX_CFLAGS@$CFLAGS@g" Configure
+ rm -rf "$TERMUX_PREFIX/lib"/libcrypto.* "$TERMUX_PREFIX/lib"/libssl.*
+
+ local TERMUX_OPENSSL_PLATFORM="android-${TERMUX_ARCH}"
+ case "$TERMUX_ARCH" in
+ "arm"|"x86_64");;
+ "aarch64") TERMUX_OPENSSL_PLATFORM="android-arm64";;
+ "i686") TERMUX_OPENSSL_PLATFORM="android-x86";;
+ *) termux_error_exit "Unsupported architecture: '$TERMUX_ARCH'"
+ esac
+
+ ./Configure "$TERMUX_OPENSSL_PLATFORM" \
+ --prefix="$TERMUX_PREFIX" \
+ --openssldir="$TERMUX_PREFIX/etc/tls" \
 shared \
 zlib-dynamic \
 no-ssl \
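Review bot: The new `sed -i "s@TERMUX_CFLAGS@$CFLAGS@g" Configure` splices `$CFLAGS` unescaped into a sed replacement, so a `@` in the flags terminates the expression and `&` or backslash sequences are interpreted by sed instead of being copied into the compiler command line; the replaced `perl -p -i -e` line had the same weakness, and the rewrite kept the `@` delimiter, so this is the moment to close it. Because the flags come from the build environment and the substituted text becomes the configured CFLAGS, a one-line guard before the sed is cheap: `[[ "$CFLAGS" != *[@\&\\]* ]] || termux_error_exit "CFLAGS contains characters unsafe for the sed substitution into Configure"`. The TERMUX_CFLAGS placeholder is presumably planted in Configure by another patch in this directory; that file is not visible here. termux_step_configure continues past the end of this hunk.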
@@ -43,19 +48,19 @@ termux_step_configure() {
 termux_step_make() {
 make depend
- make -j $TERMUX_PKG_MAKE_PROCESSES all
+ make -j"$TERMUX_PKG_MAKE_PROCESSES" all
 }
 termux_step_make_install() {
 # "install_sw" instead of "install" to not install man pages:
- make -j 1 install_sw MANDIR=$TERMUX_PREFIX/share/man MANSUFFIX=.ssl
+ make -j1 install_sw MANDIR="$TERMUX_PREFIX/share/man" MANSUFFIX=.ssl
- mkdir -p $TERMUX_PREFIX/etc/tls/
+ mkdir -p "$TERMUX_PREFIX/etc/tls/"
- cp apps/openssl.cnf $TERMUX_PREFIX/etc/tls/openssl.cnf
+ cp apps/openssl.cnf "$TERMUX_PREFIX/etc/tls/openssl.cnf"
 sed "s|@TERMUX_PREFIX@|$TERMUX_PREFIX|g" \
- $TERMUX_PKG_BUILDER_DIR/add-trusted-certificate \
- > $TERMUX_PREFIX/bin/add-trusted-certificate
- chmod 700 $TERMUX_PREFIX/bin/add-trusted-certificate
+ "$TERMUX_PKG_BUILDER_DIR/add-trusted-certificate" \
+ > "$TERMUX_PREFIX/bin/add-trusted-certificate"
+ chmod 700 "$TERMUX_PREFIX/bin/add-trusted-certificate"
 }