Release date:
2026-04-20 11:40:25 UTC
Description:
* SECURITY UPDATE: use-after-free in DANE client code
- debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
instead of OPENSSL_free() to properly release reference-counted X509
objects in dane_match()
- CVE-2026-28387
* SECURITY UPDATE: NULL pointer dereference in delta CRL processing
- debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
delta->crl_number before dereferencing in check_delta_base()
- CVE-2026-28388
* SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
ecdh_cms_set_shared_info()
- CVE-2026-28389
* SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
rsa_cms_decrypt()
- CVE-2026-28390
Updated packages:
-
alt-openssl_1.1.1w-3.4_amd64.deb
sha:41e6ffb2008fe6c555b2a43b86abc827a393507f
-
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:9852ef2e4512ed8005f21651af50a6edd33c2fa5
-
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:4b119e631adc5b8d2b07d6ba1e6b18477ceabe30
-
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:26206bb360b18a9e45e468fdee6c40c00310f406
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
