openssl 4.0.1 rpms released

openssl 4.0.1 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, Red Hat Enterprise Linux RHEL, Oracle Linux).

Major changes:

OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is rated High. This release incorporates the following bug fixes and mitigations:

— Fixed heap use-after-free in `PKCS7_verify()`.
— Fixed CMS `AuthEnvelopedData` processing that may accept forged messages.
— Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler.
— Fixed double-free when checking an OCSP stapled response.
— Fixed NULL pointer dereference in QUIC server initial packet handling.
— Fixed AES-OCB IV being ignored on the `EVP_Cipher()` path.
— Fixed possible heap buffer overflow in ASN.1 multibyte string conversion.
— Fixed out-of-bounds read in CMS password-based decryption.
— Fixed heap buffer over-read in ASN.1 content parsing.
— Fixed PKCS#12 files with PBMAC1 being accepted with short HMAC keys.
— Fixed NULL dereference in certificate verification with OCSP checking.
— Fixed possible NULL dereference in password-based CMS decryption.
— Fixed NULL pointer dereference in CRMF `EncryptedValue` decryption.
— Fixed multi-`RecipientInfo` Bleichenbacher oracle in `CMS_decrypt()` and `PKCS7_decrypt()`.
— Fixed trust anchor substitution via a `cert`/`issuer` typo in CMP `rootCaKeyUpdate`.
— Fixed FFC-DH peer validation using an attacker-supplied `q`.
— Fixed possible out-of-bounds read in `X509_VERIFY_PARAM_set1_email()`.
— Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes.
— Fixed a regression introduced in 4.0.0 that led to an `openssl pkey` command crash when it was invoked to encrypt a private key with the password being provided interactively.
— Fixed a regression introduced in 4.0.0 that led to the `openssl s_client -adv` command prematurely terminating a session when reading input of 16384 bytes in one `read()` call.

Fixed vulnerabilities:

— CVE-2026-34180
— CVE-2026-34181
— CVE-2026-34182
— CVE-2026-34183
— CVE-2026-35188
— CVE-2026-42764
— CVE-2026-42765
— CVE-2026-42766
— CVE-2026-42767
— CVE-2026-42768
— CVE-2026-42769
— CVE-2026-42770
— CVE-2026-42771
— CVE-2026-45445
— CVE-2026-45446
— CVE-2026-45447
— CVE-2026-7383
— CVE-2026-9076

We continue to build the libraries with QUIC support as a separate, non-conflicting package, openssl-quic-libs, using a distinct .so.81.4 suffix so that they do not conflict with the official .so.X libraries.
