Month: February 2026

openssl 3.5.5 rpms released

openssl 3.5.5 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, RedHat Enterprise Linux RHEL, Oracle Linux).

Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (CVE-2025-11187)

Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)

Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (CVE-2025-15468)

Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB (CVE-2025-15469)

Fixed TLS 1.3 CompressedCertificate excessive memory allocation (CVE-2025-66199)

Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)

Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
function calls (CVE-2025-69418)

Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)

Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response()
function (CVE-2025-69420)

Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function (CVE-2025-69421)

Fixed Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)

Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
function (CVE-2026-22796)

OpenSSL 3.5 is a release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

NGINX 1.29.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.5 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

*) Security: an attacker might inject plain text data in the                              response from an SSL backend (CVE-2026-1642).

*) Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend.

*) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream.

*) Bugfix: a response with multiple ranges might be larger than the
       source response.

*) Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and    uwsgi backends.

*) Bugfix: fixed warning when compiling with MSVC 2022 x86.

*) Change: the logging level of the "ech_required" SSL error has been        lowered from "crit" to "info".

NGINX 1.28.2 Stable with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.28.2 Stable with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.4 with QUIC support.

    *) Security: an attacker might inject plain text data in the response
       from an SSL backend (CVE-2026-1642).

    *) Bugfix: use-after-free might occur after switching to the next gRPC
       or HTTP/2 backend.

    *) Bugfix: fixed warning when compiling with MSVC 2022 x86.