Release date:
2026-04-20 11:18:35 UTC
Description:
* SECURITY UPDATE: use-after-free in DANE client code
- debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
instead of OPENSSL_free() to properly release reference-counted X509
objects in dane_match()
- CVE-2026-28387
* SECURITY UPDATE: NULL pointer dereference in delta CRL processing
- debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
delta->crl_number before dereferencing in check_delta_base()
- CVE-2026-28388
* SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
ecdh_cms_set_shared_info()
- CVE-2026-28389
* SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
rsa_cms_decrypt()
- CVE-2026-28390
Updated packages:
-
alt-openssl_1.1.1w-3.4_amd64.deb
sha:0e4b8e5054fa559086bda0d45b25798747897315
-
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:17ba0d61d3c73e9f9764ce6a3a2ac20024269454
-
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:8f6f88aaa27ebb32ada103b0bf2a54aea07d5d13
-
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:0b63d87b1a4c57f0528914628ed3ecd7b6f381e2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
