SUSE Package Hub - SUSE-PackageHub-16.0-547

Update Info

SUSE-PackageHub-16.0-547

Security update for openssl-3

Type: security

Severity: important

Issued: 2026-04-13

Description:

This update for openssl-3 fixes the following issues:

Security issues fixed:

- CVE-2026-2673: TLS 1.3 servers may choose unexpected key agreement group (bsc#1259652).
- CVE-2026-28387: potential use-after-free in DANE client code (bsc#1260441).
- CVE-2026-28388: NULL pointer dereference when processing a delta (bsc#1260442).
- CVE-2026-28389: possible NULL pointer dereference when processing CMS KeyAgreeRecipientInfo (bsc#1260443).
- CVE-2026-28390: NULL pointer dereference during processing of a crafted CMS EnvelopedData message with
  KeyTransportRecipientInfo (bsc#1261678).
- CVE-2026-31789: heap buffer overflow in hexadecimal conversion (bsc#1260444).
- CVE-2026-31790: incorrect failure handling in RSA KEM RSASVE encapsulation (bsc#1260445).

Other updates and bugfixes:

- Enable MD2 in legacy provider (jsc#PED-15724).

References

Packages

openssl-3-3.5.0-160000.7.1