[CLSA-2026:1778169830] Fix CVE(s): CVE-2026-21710

Type:

security

Severity:

Important

Release date:

2026-05-07 16:03:55 UTC

Description:

   * SECURITY UPDATE: HTTP server crash on __proto__ header
     - debian/patches/CVE-2026-21710.patch: initialise headersDistinct and
       trailersDistinct destination maps with { __proto__: null } so a
       __proto__ request header no longer resolves to Object.prototype and
       cause an uncaught TypeError when req.headersDistinct or
       req.trailersDistinct is accessed
     - CVE-2026-21710

Updated packages:

alt-nodejs16-docs_16.20.2-17_amd64.deb
sha:32a3af98dc470e4c9833a9add7b286c784c42139
alt-nodejs16-nodejs_16.20.2-17_amd64.deb
sha:bd416b1c9bd1f4f7b18c22569f42481c24acf133
alt-nodejs16-nodejs-devel_16.20.2-17_amd64.deb
sha:071a25414d7ddacce17f2e759d1df3c16ff8cee2
alt-nodejs16-npm_8.19.4-16.20.2-17_amd64.deb
sha:34eeb898d7c51873102424a46de842252c6c3737

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.