[CLSA-2026:1776685000] Fix CVE(s): CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390

Type:

security

Severity:

Important

Release date:

2026-04-20 11:36:45 UTC

Description:

   * SECURITY UPDATE: use-after-free in DANE client code
     - debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
       instead of OPENSSL_free() to properly release reference-counted X509
       objects in dane_match()
     - CVE-2026-28387
   * SECURITY UPDATE: NULL pointer dereference in delta CRL processing
     - debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
       delta->crl_number before dereferencing in check_delta_base()
     - CVE-2026-28388
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
       X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
       ecdh_cms_set_shared_info()
     - CVE-2026-28389
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
       X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
       rsa_cms_decrypt()
     - CVE-2026-28390

Updated packages:

alt-openssl_1.1.1w-3.4_amd64.deb
sha:0f511b3b3479d143ac306ea833eaf3d5dfed6898
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:1bd1cfb897d316e1ef2daceb7e4f13edd0a88c4b
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:8b06febdd402446463c83648acbe534147a55dc4
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:6116416ec237981419d73a3ad8a743e1a806d0c3

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.