[CLSA-2026:1781799388] Fix CVE(s): CVE-2026-45447
Type: security
Severity: Critical
Release date: 2026-06-18 16:16:45 UTC
Description:
* SECURITY UPDATE: use-after-free in PKCS7_verify
  - debian/patches/openssl-1.1.1-cve-2026-45447.patch: free the BIO chain explicitly and stop at the caller-supplied indata BIO so a crafted PKCS#7 / S-MIME message with an empty digestAlgorithms ASN.1 SET can no longer make OpenSSL free a caller-owned BIO in PKCS7_verify()
  - CVE-2026-45447
CVEs fixed:
Updated packages:
  • alt-openssl_1.1.1w-3.5_amd64.deb
    sha:49e0cde777d9982d01bb76d1bcdc292491322b5f
  • alt-openssl-dev_1.1.1w-3.5_amd64.deb
    sha:dbc04ff5bea40b66ba79ecd43adeee76c82e86a8
  • alt-openssl-doc_1.1.1w-3.5_all.deb
    sha:b67d052ccf575bf4536ce8c53bfa2190ca4c0d0e
  • alt-openssl-libs_1.1.1w-3.5_amd64.deb
    sha:0cee9f9ba7a3e37a41c6ee3d64d087210d38ff4f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.
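
The condition named in the description, a PKCS#7 SignedData message whose digestAlgorithms SET is empty, can be screened for before a message reaches an unpatched verifier. The sketch below is an added example, not part of the advisory or of the OpenSSL patch; the function names and sample bytes are constructed for illustration. It assumes DER input with definite lengths, and any ValueError (including BER indefinite-length encodings) should be treated as "could not screen".

```python
# Added example: flag DER-encoded PKCS#7 SignedData with an empty digestAlgorithms SET.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def expect(buf, pos, want):
    """Read the TLV at pos and insist on a specific tag byte."""
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return start, end

def has_empty_digest_algorithms(der):
    """True if der is PKCS#7 SignedData whose digestAlgorithms SET has no members."""
    start, _ = expect(der, 0, 0x30)            # ContentInfo SEQUENCE
    o_start, o_end = expect(der, start, 0x06)  # contentType OID
    if der[o_start:o_end] != SIGNED_DATA_OID:
        return False                           # some other PKCS#7 content type
    start, _ = expect(der, o_end, 0xA0)        # [0] EXPLICIT content
    start, _ = expect(der, start, 0x30)        # SignedData SEQUENCE
    _, v_end = expect(der, start, 0x02)        # version INTEGER
    s_start, s_end = expect(der, v_end, 0x31)  # digestAlgorithms SET
    return s_start == s_end

# Constructed samples: header skeletons for exercising the check, not complete messages.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def _sample(digest_set):
    signed_data = _tlv(0x30, _tlv(0x02, b"\x01") + digest_set)
    return _tlv(0x30, _tlv(0x06, SIGNED_DATA_OID) + _tlv(0xA0, signed_data))

SHA256_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("608648016503040201")) + _tlv(0x05, b""))
EMPTY_SET_MSG = _sample(_tlv(0x31, b""))
NORMAL_MSG = _sample(_tlv(0x31, SHA256_ALG))
```

A screen like this is a triage aid for mail or document gateways; it does not replace installing the updated packages listed above.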