[CLSA-2026:1781345820] Fix of 5 CVEs
Type:
security
Severity:
Critical
Release date:
2026-06-13 10:17:36 UTC
Description:
* SECURITY UPDATE: Heap buffer overflow in ASN1_mbstring_ncopy() where the destination length for BMPSTRING and UNIVERSALSTRING output is computed by a signed left shift that can overflow int, producing an undersized allocation followed by out-of-bounds writes for oversized attacker-controlled inputs reaching ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly.
  - debian/patches/CVE-2026-7383.patch: reject oversized inputs before the shifts and in out_utf8() in crypto/asn1/a_mbstr.c.
  - CVE-2026-7383
* SECURITY UPDATE: Out-of-bounds read in kek_unwrap_key() check-byte validation when a CMS PasswordRecipientInfo uses a KEK cipher with a block size smaller than 4 octets, making the decrypted buffer smaller than the seven octets the check-byte test reads.
  - debian/patches/CVE-2026-9076.patch: reject blocklen < 4 and oversized inlen in kek_unwrap_key() in crypto/cms/cms_pwri.c.
  - CVE-2026-9076
* SECURITY UPDATE: Heap buffer over-read in ASN.1 content parsing: the long content length was truncated to int in asn1_ex_c2i(), so ASN1_STRING_set() could be called with an inconsistent length.
  - debian/patches/CVE-2026-34180.patch: pass the length as long in asn1_ex_c2i() and reject lengths not representable as int in crypto/asn1/tasn_dec.c.
  - CVE-2026-34180
* SECURITY UPDATE: NULL pointer dereference when processing CMS PasswordRecipientInfo with the optional keyDerivationAlgorithm field absent, allowing a denial of service via crafted CMS messages.
  - debian/patches/CVE-2026-42766.patch: fail cleanly when keyDerivationAlgorithm is missing in crypto/cms/cms_pwri.c.
  - CVE-2026-42766
* SECURITY UPDATE: Use-after-free in PKCS7_verify() where the cleanup path can free the caller-owned indata BIO via BIO_free_all() when verifying a crafted PKCS#7 structure with an empty digestAlgorithms SET, leading to crashes, heap corruption or potentially remote code execution.
  - debian/patches/CVE-2026-45447.patch: free the BIO chain explicitly, stopping at the caller-owned indata, in crypto/pkcs7/pk7_smime.c.
  - debian/patches/CVE-2026-45447-test.patch: upstream regression test (empty digestAlgorithms SET must fail cleanly).
  - CVE-2026-45447
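The CVE-2026-7383 entry above describes a byte length computed by a left shift that overflows int. The block below is an added illustration of that arithmetic and of a pre-shift bounds check; it is not the OpenSSL code or the shipped patch, the function names are hypothetical, and a 32-bit int is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Shift per output type: BMPSTRING is 2 bytes per character, UNIVERSALSTRING 4. */
#define SHIFT_BMP  1
#define SHIFT_UNIV 2

/* Models the length a 32-bit nchar << shift yields once the high bits are lost.
 * Unsigned arithmetic keeps the wrap well defined here; on a signed int the
 * same shift is undefined behaviour. */
uint32_t wrapped_outlen(int32_t nchar, unsigned shift)
{
    return (uint32_t)nchar << shift;
}

/* Hardened form: reject any count whose byte length does not fit in a
 * non-negative int32_t, before the shift happens. */
int checked_outlen(int32_t nchar, unsigned shift, int32_t *outlen)
{
    if (nchar < 0 || shift > SHIFT_UNIV || nchar > (INT32_MAX >> shift))
        return -1;
    *outlen = (int32_t)((uint32_t)nchar << shift);
    return 0;
}

/* Encode 8-bit characters as big-endian 4-byte units. Returns a malloc'd
 * buffer the caller frees, or NULL when the length check rejects the input. */
unsigned char *encode_univ(const unsigned char *in, int32_t nchar, int32_t *outlen)
{
    unsigned char *out;
    if (checked_outlen(nchar, SHIFT_UNIV, outlen) != 0)
        return NULL;
    out = calloc((size_t)*outlen + 1, 1);   /* zero-filled, NUL-terminated */
    if (out == NULL)
        return NULL;
    for (int32_t i = 0; i < nchar; i++)
        out[4 * (size_t)i + 3] = in[i];
    return out;
}

int main(void)
{
    int32_t n = 0;
    /* Constructed count: 0x40000001 characters at 4 bytes each wraps to 4. */
    printf("wrapped=%u rejected=%d\n", (unsigned)wrapped_outlen(0x40000001, SHIFT_UNIV),
           checked_outlen(0x40000001, SHIFT_UNIV, &n) != 0);
    return 0;
}
```

A wrapped length of 4 bytes for roughly a billion characters is the undersized allocation the advisory refers to; the checked form refuses the input instead of allocating.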
Updated packages:
  • libssl-dev_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els10_amd64.deb
    sha:7025e308906d916dd871fe29d7d6ad5bdb9c2b08
  • libssl-doc_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els10_all.deb
    sha:1b0d7e29d35065d260d76ce30c8e9cfc6d225b91
  • libssl1.1_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els10_amd64.deb
    sha:a6f2167dbd7e1ff0d3c16af50db0a215402fd0b8
  • openssl_1.1.1-1ubuntu2.1~18.04.23+tuxcare.els10_amd64.deb
    sha:a6ea4d1f362b64535291819e2443201949c005b4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.