[CLSA-2026:1776685471] Fix CVE(s): CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390

Type:

security

Severity:

Important

Release date:

2026-04-20 11:44:36 UTC

Description:

   * SECURITY UPDATE: use-after-free in DANE client code
     - debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
       instead of OPENSSL_free() to properly release reference-counted X509
       objects in dane_match()
     - CVE-2026-28387
   * SECURITY UPDATE: NULL pointer dereference in delta CRL processing
     - debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
       delta->crl_number before dereferencing in check_delta_base()
     - CVE-2026-28388
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
       X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
       ecdh_cms_set_shared_info()
     - CVE-2026-28389
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
       X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
       rsa_cms_decrypt()
     - CVE-2026-28390

Updated packages:

alt-openssl_1.1.1w-3.4_amd64.deb
sha:1c1642879d1537dbec7c1423df13836334577832
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:f07730b44e206c94f6aa0db327fec1c4aece2783
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:0d4693b4a96fb77d083e1ba25ba3f502b7456234
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:64c85fd13d03186f7673200dbec932874899d29c
alt-openssl_1.1.1w-3.4_arm64.deb
sha:9f50b1870b11fae74b8a796180072b2615013afa
alt-openssl-dev_1.1.1w-3.4_arm64.deb
sha:560b3ef285e1a313b16495d3186c3856a639f786
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:0d4693b4a96fb77d083e1ba25ba3f502b7456234
alt-openssl-libs_1.1.1w-3.4_arm64.deb
sha:7ab4bff7bb7621af9dcb3c1540d3c0bb3816adcb

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.