[CLSA-2026:1776686132] Fix CVE(s): CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390
Type:
security
Severity:
Important
Release date:
2026-04-20 11:55:37 UTC
Description:
* SECURITY UPDATE: use-after-free in DANE client code
  - debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free() instead of OPENSSL_free() to properly release reference-counted X509 objects in dane_match()
  - CVE-2026-28387
* SECURITY UPDATE: NULL pointer dereference in delta CRL processing
  - debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for delta->crl_number before dereferencing in check_delta_base()
  - CVE-2026-28388
* SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
  - debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and ecdh_cms_set_shared_info()
  - CVE-2026-28389
* SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
  - debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in rsa_cms_decrypt()
  - CVE-2026-28390
Updated packages:
  • alt-openssl_1.1.1w-3.4_amd64.deb
    sha:f58e043c5c005b93e1b2a443ae3777df4a0929bd
  • alt-openssl-dev_1.1.1w-3.4_amd64.deb
    sha:583b3aaa229c5ccc9b1b3123323d33ec93a61dbd
  • alt-openssl-doc_1.1.1w-3.4_all.deb
    sha:b3a6dc980de17003efd1495a7267d49cf256064c
  • alt-openssl-libs_1.1.1w-3.4_amd64.deb
    sha:f8214c393a215d9e60f9c7b6c4a9f452e1351737
  • alt-openssl_1.1.1w-3.4_arm64.deb
    sha:00fdd62f6f8317619a4e7607d3a61d9854dcd66e
  • alt-openssl-dev_1.1.1w-3.4_arm64.deb
    sha:95bef4238fa42a35065923fc04db1765e51440ad
  • alt-openssl-doc_1.1.1w-3.4_all.deb
    sha:b3a6dc980de17003efd1495a7267d49cf256064c
  • alt-openssl-libs_1.1.1w-3.4_arm64.deb
    sha:5738ed5370a57b59837401469e88fc799f9ec676
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.