Release date:
2026-04-20 17:17:23 UTC
Description:
- CVE-2026-28387: fix use-after-free in DANE client code by using X509_free()
  instead of OPENSSL_free() to properly release reference-counted X509 objects
- CVE-2026-28388: fix NULL pointer dereference when processing a delta CRL
  that has a Delta CRL Indicator but lacks a CRL Number extension
- CVE-2026-28389: fix NULL pointer dereference in CMS KeyAgreeRecipientInfo
  processing when KeyEncryptionAlgorithmIdentifier omits the optional
  parameter field, by using safe X509_ALGOR_get0() extraction
- CVE-2026-28390: fix NULL pointer dereference in CMS KeyTransportRecipientInfo
  processing when RSA-OAEP SourceFunc parameters are missing, by using safe
  X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data
Updated packages:
- alt-openssl11-1.1.1w-3.3.el7.x86_64.rpm
  sha:839ed86e4915d4a78a8f5d9614fb69eddb352855caa2f8ab0e14861363b4bd01
- alt-openssl11-devel-1.1.1w-3.3.el7.x86_64.rpm
  sha:386764aa70cd8f2c2c715d12956784f86638ec1109048f51b3cac1cdd9adb3e9
- alt-openssl11-libs-1.1.1w-3.3.el7.x86_64.rpm
  sha:14a15ab1da7dbf9178f24c5ab05048ee8eca1349abeef7f483cf11ab8fbab1e5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.