[CLSA-2026:1776684331] Fix CVE(s): CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390

Type:

security

Severity:

Important

Release date:

2026-04-20 11:25:37 UTC

Description:

   * SECURITY UPDATE: use-after-free in DANE client code
     - debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
       instead of OPENSSL_free() to properly release reference-counted X509
       objects in dane_match()
     - CVE-2026-28387
   * SECURITY UPDATE: NULL pointer dereference in delta CRL processing
     - debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
       delta->crl_number before dereferencing in check_delta_base()
     - CVE-2026-28388
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
       X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
       ecdh_cms_set_shared_info()
     - CVE-2026-28389
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
       X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
       rsa_cms_decrypt()
     - CVE-2026-28390

Updated packages:

alt-openssl_1.1.1w-3.4_amd64.deb
sha:0954e472ab6f75052775360b3f613ef9c3c59714
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:76311dcd876e6d698f945d21e93d62a17314b4b7
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:ca18ca53335294accaa3ac8b094c761780df4c72
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:2127bab17bc7a8336e20c7e5f55830a3f55b8dab

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.