Release date:
2026-04-20 11:49:48 UTC
Description:
* SECURITY UPDATE: use-after-free in DANE client code
- debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
instead of OPENSSL_free() to properly release reference-counted X509
objects in dane_match()
- CVE-2026-28387
* SECURITY UPDATE: NULL pointer dereference in delta CRL processing
- debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
delta->crl_number before dereferencing in check_delta_base()
- CVE-2026-28388
* SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
ecdh_cms_set_shared_info()
- CVE-2026-28389
* SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
- debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
rsa_cms_decrypt()
- CVE-2026-28390
Updated packages:
-
alt-openssl_1.1.1w-3.4_amd64.deb
sha:ea5469de6a6eb7867dc59ca85fac333993a7c725
-
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:b855e824aae32070b45c37fe9b1216a94f9a387c
-
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:51ed600a66c0a385ed111ade2fc5932602caffac
-
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:d9f95823a7e40b89b05edfbab970bea35a923642
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
