Release date:
2026-05-29 13:55:57 UTC
Description:
* SECURITY UPDATE: NULL pointer dereference in CMS EnvelopedData processing
when a KeyAgreeRecipientInfo message omits the optional parameters field of
KeyEncryptionAlgorithmIdentifier. Both dh_cms_set_shared_info() and
ecdh_cms_set_shared_info() dereference alg->parameter without a NULL check,
allowing a remote attacker to crash applications that process untrusted CMS
data (e.g. S/MIME decryption), causing Denial of Service before any
authentication or cryptographic operations occur.
- debian/patches/CVE-2026-28389.patch: use X509_ALGOR_get0() to safely
extract algorithm OID and parameter type/value in dh_cms_set_shared_info()
in crypto/dh/dh_ameth.c and ecdh_cms_set_shared_info() in
crypto/ec/ec_ameth.c instead of dereferencing alg->parameter directly
- CVE-2026-28389
Updated packages:
-
libssl-dev_1.1.1f-1ubuntu2.24+tuxcare.els5_amd64.deb
sha:3428bf824a77e75879a268ca6741015a32b877bf
-
libssl-doc_1.1.1f-1ubuntu2.24+tuxcare.els5_all.deb
sha:45a593f754e444e754dfc7f474a4f3faf547fd9d
-
libssl1.1_1.1.1f-1ubuntu2.24+tuxcare.els5_amd64.deb
sha:6b49b2031f712b953af8596049925affdeea5500
-
openssl_1.1.1f-1ubuntu2.24+tuxcare.els5_amd64.deb
sha:305c280e9c63070109362721b52fdb18450a9681
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
