{
  "schema_version": "1.7.0",
  "id": "MGASA-2026-0253",
  "published": "2026-07-15T17:33:12Z",
  "modified": "2026-07-15T16:28:31Z",
  "summary": "Updated openssl packages fix security vulnerabilities",
  "details": "The updated packages fix security vulnerabilities:\nPossible Heap Buffer Overflow in ASN.1 Multibyte String Conversion.\n(CVE-2026-7383)\nOut-of-Bounds Read in CMS Password-Based Decryption. (CVE-2026-9076)\nHeap Buffer Over-read in ASN.1 Content Parsing. (CVE-2026-34180)\nPKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys.\n(CVE-2026-34181)\nCMS AuthEnvelopedData Processing May Accept Forged Messages.\n(CVE-2026-34182)\nUnbounded Memory Growth in the QUIC PATH_CHALLENGE Handler.\n(CVE-2026-34183)\nNULL Pointer Dereference in QUIC Server Initial Packet Handling.\n(CVE-2026-42764)\nPossible NULL Dereference in Password-Based CMS Decryption.\n(CVE-2026-42766)\nNULL Pointer Dereference in CRMF EncryptedValue Decryption.\n(CVE-2026-42767)\nMulti-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and\nPKCS7_decrypt(). (CVE-2026-42768)\nTrust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate.\n(CVE-2026-42769)\nFFC-DH Peer Validation Uses Attacker-Supplied q. (CVE-2026-42770)\nAES-OCB IV Ignored on EVP_Cipher() Path. (CVE-2026-45445)\nIncorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV\nmodes. (CVE-2026-45446)\nHeap Use-After-Free in the PKCS7_verify(). (CVE-2026-45447)\n",
  "upstream": [
    "CVE-2026-7383",
    "CVE-2026-9076",
    "CVE-2026-34180",
    "CVE-2026-34181",
    "CVE-2026-34182",
    "CVE-2026-34183",
    "CVE-2026-42764",
    "CVE-2026-42766",
    "CVE-2026-42767",
    "CVE-2026-42768",
    "CVE-2026-42769",
    "CVE-2026-42770",
    "CVE-2026-45445",
    "CVE-2026-45446",
    "CVE-2026-45447"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2026-0253.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=35662"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/06/09/15"
    },
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8414-1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-security-announce/2026/msg00245.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6FSVWKLYXUHNRSEKJHJA6OVPW64N45U/"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20260609.txt"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YTQ27HDP33LD6AS24REY2JEVD6LKVTQQ/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "openssl",
        "purl": "pkg:rpm/mageia/openssl?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7-1.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "openssl",
        "purl": "pkg:rpm/mageia/openssl?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.21-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
