[CLSA-2026:1777397374] Fix CVE(s): CVE-2026-28390
Type:
security
Severity:
Important
Release date:
2026-04-29 07:00:37 UTC
Description:
* SECURITY UPDATE: A NULL pointer dereference in rsa_cms_decrypt() when processing CMS messages with RSA-OAEP encryption where pSourceFunc is present but its parameters field is absent can trigger a crash, leading to Denial of Service.
  - debian/patches/CVE-2026-28390.patch: use X509_ALGOR_get0 and ASN1_STRING_* accessors to safely parse pSourceFunc; duplicate the OAEP label before handing it to EVP_PKEY_CTX_set0_rsa_oaep_label.
  - CVE-2026-28390
Updated packages:
  • libssl-dev_1.1.1f-1ubuntu2.24+tuxcare.els3_amd64.deb
    sha:263f518498cd5570206fffd5a42293fa83f83b89
  • libssl-doc_1.1.1f-1ubuntu2.24+tuxcare.els3_all.deb
    sha:c97187cc230ae6442ae967f8d340f953594ba1f0
  • libssl1.1_1.1.1f-1ubuntu2.24+tuxcare.els3_amd64.deb
    sha:d0784f6a161806a0a3088c7c21c20a61297cd34f
  • openssl_1.1.1f-1ubuntu2.24+tuxcare.els3_amd64.deb
    sha:8e92d12f4502c288607346c26c7a85c4f685bef4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.