unsubscribe

On Wed, Jun 10, 2026 at 9:18 AM FreeBSD Security Advisories <
[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> =============================================================================
> FreeBSD-SA-26:35.openssl                                    Security
> Advisory
>                                                           The FreeBSD
> Project
>
> Topic:          Multiple vulnerabilities in OpenSSL
>
> Category:       contrib
> Module:         openssl
> Announced:      2026-06-09
> Credits:        See linked vendor advisory in References section
> Affects:        All supported versions of FreeBSD.
> Corrected:      2026-06-09 19:17:36 UTC (stable/15, 15.1-STABLE)
>                 2026-06-09 19:20:15 UTC (releng/15.1, 15.1-RC3-p1)
>                 2026-06-09 19:19:54 UTC (releng/15.0, 15.0-RELEASE-p10)
>                 2026-06-09 19:17:54 UTC (stable/14, 14.4-STABLE)
>                 2026-06-09 19:19:16 UTC (releng/14.4, 14.4-RELEASE-p6)
>                 2026-06-09 19:18:46 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name:       CVE-2026-7383, CVE-2026-9076, CVE-2026-34180,
>                 CVE-2026-34181, CVE-2026-34182, CVE-2026-34183,
>                 CVE-2026-42764, CVE-2026-42766, CVE-2026-42767,
>                 CVE-2026-42768, CVE-2026-42769, CVE-2026-42770,
>                 CVE-2026-45445, CVE-2026-45446, CVE-2026-45447
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
> is a
> collaborative effort to develop a robust, commercial-grade, full-featured
> Open Source toolkit for the Transport Layer Security (TLS) protocol.  It is
> also a general-purpose cryptography library.
>
> II.  Problem Description
>
> Multiple issues have been reported as part of this advisory with different
> issues affecting different OpenSSL versions and therefore different FreeBSD
> versions.  Instead of exhaustively listing detailed writeups for each
> issue,
> please see the referenced advisory from OpenSSL.
>
> Issues affecting FreeBSD 15.x (OpenSSL 3.5):
>   CVE-2026-7383  - Possible heap buffer overflow in ASN.1 string conversion
>   CVE-2026-9076  - Out-of-bounds read in CMS password-based decryption
>   CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing
>   CVE-2026-34181 - PKCS#12 files with PBMAC1 accepted with short HMAC keys
>   CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages
>   CVE-2026-34183 - Unbounded memory growth in the QUIC PATH_CHALLENGE
> handler
>   CVE-2026-42764 - NULL dereference in QUIC server initial packet handling
>   CVE-2026-42766 - Possible NULL dereference in password-based CMS
> decryption
>   CVE-2026-42767 - NULL dereference in CRMF EncryptedValue decryption
>   CVE-2026-42768 - Bleichenbacher oracle in CMS_decrypt() and
> PKCS7_decrypt()
>   CVE-2026-42769 - Trust-anchor substitution in CMP rootCaKeyUpdate
> handling
>   CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q
>   CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path
>   CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV
> modes
>   CVE-2026-45447 - Heap use-after-free in PKCS7_verify()
>
> Issues affecting FreeBSD 14.x (OpenSSL 3.0):
>   CVE-2026-7383  - Possible heap buffer overflow in ASN.1 string conversion
>   CVE-2026-9076  - Out-of-bounds read in CMS password-based decryption
>   CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing
>   CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages
>   CVE-2026-42766 - Possible NULL dereference in password-based CMS
> decryption
>   CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q
>   CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path
>   CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV
> modes
>   CVE-2026-45447 - Heap use-after-free in PKCS7_verify()
>
> III. Impact
>
> The issues include heap buffer overflows and over-reads, NULL pointer
> dereferences, a use-after-free, unbounded memory allocation, and several
> cryptographic flaws permitting message forgery, integrity bypass, or
> recovery of a private key.
>
> Security impact ranges from a Denial of Service to a potential remote code
> execution.  See the OpenSSL advisory for specific details.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> Perform one of the following:
>
> 1) To update your vulnerable system installed from base system packages:
>
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be updated
> via the pkg(8) utility:
>
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system installed from binary distribution
> sets:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64
> platforms
> which were not installed using base system packages can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 15.x]
> # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch.asc
> # gpg --verify openssl-15.patch.asc
>
> [FreeBSD 14.x]
> # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch.asc
> # gpg --verify openssl-14.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all daemons that use the library, or reboot the system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/15/                              865c8ff56693    stable/15-n283889
> releng/15.1/                            083bb80a125a  releng/15.1-n283559
> releng/15.0/                            0d6ccbb7524f  releng/15.0-n281062
> stable/14/                              ec6bfa889b83    stable/14-n274318
> releng/14.4/                            1929d9e173e5  releng/14.4-n273724
> releng/14.3/                            dd3096b4efe6  releng/14.3-n271524
> - -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
> <URL:https://openssl-library.org/news/secadv/20260609.txt>
>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-7383>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-9076>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-34180>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-34181>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-34182>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-34183>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-42764>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-42766>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-42767>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-42768>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-42769>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-42770>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45445>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45446>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45447>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:35.openssl.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxkbFIAAAAAABAAO
> bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIjEQALlvtT/r8WJ72cw03AZP
> 1qPNWibqFxrMccV/fEtVq2csUzMkSq6PvgK3ZZoKgh8e2whpJkEULxRJ5Th8IEoD
> McbPdU4+zgqcehfmH6mvuv/yshDJLe0U2iLFSTbzgbx8xe0XRyWJlutlNXSZmLvo
> N87HGEtO/gXCXJxZuWFDE4JfO/bECn8wgZ468AD+OMwKRnx13hszmqKnp4cn/bZ8
> 764BqDsyweCBSVbW7AC0A5/BP7e+S+eOGHDSDqm48Jxk8eVsEVvw5wEo7DMLQgQw
> /kHc9BSiQ6HPgMvjDryUzX/FhF3El3sKQxkUXNFGcYk8yChTEVtD1C+zf3FACQJA
> ZTeDNgJelmeJdK7uzrJtX/8Laozma0+x1+2+YrY+Y1aCqOZ0iicmlytZHRHgZc3R
> riEEJdw3nlV6r43WtwBYjJNyOIiqPusYK8K0/RLnMeMtS+mwjjNjGxqcHdFPbSa7
> Xjs4zSAHgkg9NHMwD4S+F+upRZ3yVoZOvIDtqUKO85Mf70OYHHoaZJE4Q7mIPDyE
> CbtpeaNpjSkujTR5/Us4JgxRfDqDGyyER/Ub1yZl8uuhKNU7QuOWRQMTeIXp42Es
> uClHfLQz5Dvmwy7muDfg5cY0R/F9whvpwSOmILrsViBjcygkzFY9lE1ufW685vbH
> 1srvsOXI5oN55cZrX4+H6G17
> =UV/w
> -----END PGP SIGNATURE-----
>
>

Reply via email to