Release date:
2026-04-20 11:21:56 UTC
Description:
* SECURITY UPDATE: use-after-free in DANE client code
- debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
instead of OPENSSL_free() to properly release reference-counted X509
objects in dane_match()
- CVE-2026-28387
* SECURITY UPDATE: NULL pointer dereference in delta CRL processing
- debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
delta->crl_number before dereferencing in check_delta_base()
- CVE-2026-28388
* SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
ecdh_cms_set_shared_info()
- CVE-2026-28389
* SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
rsa_cms_decrypt()
- CVE-2026-28390
Updated packages:
-
alt-openssl_1.1.1w-3.4_amd64.deb
sha:c00c49ffc9170a2be002f4d7160687c48586a16f
-
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:6c2aee6e7167af74aa1fb525e65886dda54483f6
-
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:c5bbf636a22b780093149d77ab3c3975d1bcf7fb
-
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:a8f257747cf5815229f77cfda74e39bcf876f33a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
