Release date:
2026-04-20 17:24:02 UTC
Description:
- CVE-2026-28387: fix use-after-free in DANE client code by using X509_free()
instead of OPENSSL_free() to properly release reference-counted X509 objects
- CVE-2026-28388: fix NULL pointer dereference when processing a delta CRL
that has a Delta CRL Indicator but lacks a CRL Number extension
- CVE-2026-28389: fix NULL pointer dereference in CMS KeyAgreeRecipientInfo
processing when KeyEncryptionAlgorithmIdentifier omits the optional
parameter field, by using safe X509_ALGOR_get0() extraction
- CVE-2026-28390: fix NULL pointer dereference in CMS KeyTransportRecipientInfo
processing when RSA-OAEP SourceFunc parameters are missing, by using safe
X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data
Updated packages:
-
alt-openssl11-1.1.1w-3.3.el9.x86_64.rpm
sha:cd70ef19caa37a0497f8e1843f33526fced8112670fa17f941cdbd6be36d3412
-
alt-openssl11-devel-1.1.1w-3.3.el9.x86_64.rpm
sha:6e32a6f66a0981aa242a78317d82877be12b07684fdb2b62e10890416935733a
-
alt-openssl11-libs-1.1.1w-3.3.el9.x86_64.rpm
sha:89262e6d37216b5f72aff85853ad32baed0c9adeb38738fa7f6ffaf0f75c54e7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
