[CLSA-2026:1781799076] Fix CVE(s): CVE-2026-45447

Type:

security

Severity:

Critical

Release date:

2026-06-18 16:11:34 UTC

Description:

   * SECURITY UPDATE: use-after-free in PKCS7_verify
     - debian/patches/openssl-1.1.1-cve-2026-45447.patch: free the BIO chain
       explicitly and stop at the caller-supplied indata BIO so a crafted
       PKCS#7 / S-MIME message with an empty digestAlgorithms ASN.1 SET can no
       longer make OpenSSL free a caller-owned BIO in PKCS7_verify()
     - CVE-2026-45447

CVEs fixed:

CVE-2026-45447

Updated packages:

alt-openssl_1.1.1w-3.5_amd64.deb
sha:b4672e838d77bd2c2c0cdc1029e928bff84b364f
alt-openssl-dev_1.1.1w-3.5_amd64.deb
sha:bf31fa6e6c9f16d4f9c66bc10f9b7dc46f0180a3
alt-openssl-doc_1.1.1w-3.5_all.deb
sha:98b45c1125cc426be5cfa6475d1779c839287b16
alt-openssl-libs_1.1.1w-3.5_amd64.deb
sha:900533142ee49c5c68e176ea4422c9609b0133a6

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.