[CLSA-2026:1777541792] Fix CVE(s): CVE-2026-28390
Type: security
Severity: Important
Release date: 2026-04-30 09:36:38 UTC
Description:
  * SECURITY UPDATE: NULL dereference in CMS RSA-OAEP decryption when the optional pSourceFunc parameters field is omitted from a KeyTransportRecipientInfo, leading to a denial of service.
    - debian/patches/CVE-2026-28390.patch: check plab->parameter for NULL before accessing its type field in rsa_cms_decrypt()
    - CVE-2026-28390
Updated packages:
  • libssl-dev_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els8_amd64.deb
    sha:edfba14ed8644b9fe04c3e6fe41130c618f18d2b
  • libssl-doc_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els8_all.deb
    sha:8f7b52cb1ed236677bdf5d729229ba58e6e9fe5b
  • libssl1.1_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els8_amd64.deb
    sha:18c026e3ccf795d90fdafdac7012a5f7abd9a3a8
  • openssl_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els8_amd64.deb
    sha:2be587a210e3cd0243c1d7e0f5f162df4bb2ff9b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.