SUSE-SU-2026:2393-1

Details

Description of the patch:

This update for openssl-3 fixes the following issues

CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion (bsc#1266340).
CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption (bsc#1266341).
CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing (bsc#1266342).
CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages (bsc#1266344).
CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption (bsc#1266349).
CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q (bsc#1266353).
CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path (bsc#1266355).
CVE-2026-45446: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (bsc#1266356).
CVE-2026-45447: Heap Use-After-Free in OpenSSL PKCS7_verify() (bsc#1266357).

Affected Packages

libopenssl-3-devel

SUSE Linux Enterprise Server 15 SP6SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6

Fixed in:

3.1.4-150600.5.53.1

libopenssl-3-fips-provider

SUSE Linux Enterprise Server 15 SP6SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6

Fixed in:

3.1.4-150600.5.53.1

libopenssl-3-fips-provider-32bit

SUSE Linux Enterprise Server 15 SP6SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6

Fixed in: