Release date: 2026-05-18 09:01:19 UTC
Description:
* SECURITY UPDATE: NULL pointer dereference in check_delta_base() when a
  delta CRL is processed without the required CRL Number extension and
  X509_V_FLAG_USE_DELTAS is enabled, leading to a denial of service.
  - debian/patches/CVE-2026-28388.patch: add NULL check for
    delta->crl_number before ASN1_INTEGER_cmp() in check_delta_base()
  - CVE-2026-28388
* SECURITY UPDATE: NULL pointer dereference in dh_cms_set_shared_info()
  and ecdh_cms_set_shared_info() when a CMS EnvelopedData message uses
  KeyAgreeRecipientInfo with a KeyEncryptionAlgorithmIdentifier whose
  optional parameter field is omitted, leading to a denial of service.
  - debian/patches/CVE-2026-28389.patch: check alg->parameter for NULL
    before accessing its type field in dh_cms_set_shared_info() and
    ecdh_cms_set_shared_info()
  - CVE-2026-28389
Updated packages:
- libssl-dev_1.0.2g-1ubuntu4.21+tuxcare.els15_amd64.deb
  sha:4cc3ac60949125d3802c15881b23a9a1750045e6
- libssl-doc_1.0.2g-1ubuntu4.21+tuxcare.els15_all.deb
  sha:11fe083edf45104856f095e0d0dbad09f249ba1b
- libssl1.0.0_1.0.2g-1ubuntu4.21+tuxcare.els15_amd64.deb
  sha:8a7e49e3f344acb16bf336e6edff3dc1838f0700
- openssl_1.0.2g-1ubuntu4.21+tuxcare.els15_amd64.deb
  sha:5594af5fe0362115576b4c6ff2f9d421737e22f7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections, please contact the CloudLinux Packaging Team.