[CLSA-2026:1776705646] alt-openssl11: Fix of 4 CVEs
Type: security
Severity: Important
Release date: 2026-04-20 17:20:50 UTC
Description:
- CVE-2026-28387: fix use-after-free in DANE client code by using X509_free() instead of OPENSSL_free() to properly release reference-counted X509 objects
- CVE-2026-28388: fix NULL pointer dereference when processing a delta CRL that has a Delta CRL Indicator but lacks a CRL Number extension
- CVE-2026-28389: fix NULL pointer dereference in CMS KeyAgreeRecipientInfo processing when KeyEncryptionAlgorithmIdentifier omits the optional parameter field, by using safe X509_ALGOR_get0() extraction
- CVE-2026-28390: fix NULL pointer dereference in CMS KeyTransportRecipientInfo processing when RSA-OAEP SourceFunc parameters are missing, by using safe X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data
Updated packages:
  • alt-openssl11-1.1.1w-3.3.el8.x86_64.rpm
    sha:7cb9c76a871b36469dc13fcae7e5e774739e7dcb67f768ebba97f4ab9dd53f18
  • alt-openssl11-devel-1.1.1w-3.3.el8.x86_64.rpm
    sha:28e3c29fa7a3e15cfeab9bc0c267a0832ba11d7d634061ea9d112d718964b26c
  • alt-openssl11-libs-1.1.1w-3.3.el8.x86_64.rpm
    sha:627ffd24ca643e203b5d8d3e66f38f2c5e9ec2492f6ba6c13d666f19f12476fb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.