openssl 4.0.1 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, Red Hat Enterprise Linux RHEL, Oracle Linux).
Major changes:
– OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: – Fixed heap use-after-free in `PKCS7_verify()`. – Fixed CMS `AuthEnvelopedData` processing may accept forged messages. – Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. – Fixed double-free when checking OCSP stapled response. – Fixed NULL pointer dereference in QUIC server initial packet handling. – Fixed AES-OCB IV ignored on `EVP_Cipher()` path. – Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. – Fixed out-of-bounds read in CMS password-based decryption. – Fixed heap buffer over-read in ASN.1 content parsing. – Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. – Fixed NULL dereference in certificate verification with OCSP Checking. – Fixed possible NULL dereference in password-dased CMS decryption. – Fixed NULL pointer dereference in CRMF `EncryptedValue` decryption. – Fixed multi-`RecipientInfo` Bleichenbacher Oracle in `CMS_decrypt()` and `PKCS7_decrypt()`. – Fixed trust anchor substitution via `cert`/`issuer` typo in CMP `rootCaKeyUpdate`. – Fixed FFC-DH peer validation uses attacker-supplied `q`. – Fixed possible out of bounds read in `X509_VERIFY_PARAM_set1_email()`. – Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. – Fixed a regression introduced in 4.0.0 that led to a `openssl pkey` command crash when it was invoked to encrypt a private key with password being provided interactively. – Fixed a regression introduced in 4.0.0 that led to `openssl s_client -adv` command prematurely terminating a session when reading input of 16384 bytes in one `read()` call.
Fixed vulnerabilities:
– CVE-2026-34180 – CVE-2026-34181 – CVE-2026-34182 – CVE-2026-34183 – CVE-2026-35188 – CVE-2026-42764 – CVE-2026-42765 – CVE-2026-42766 – CVE-2026-42767 – CVE-2026-42768 – CVE-2026-42769 – CVE-2026-42770 – CVE-2026-42771 – CVE-2026-45445 – CVE-2026-45446 – CVE-2026-45447 – CVE-2026-7383 – CVE-2026-9076
We continue to build libs with QUIC support as a separate non-conflicting package openssl-quic-libs, with separate .so.81.4 suffixing to avoid conflicts with the official .so.X.