Release date:
2026-07-07 10:44:08 UTC
Description:
* SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth
- debian/patches/CVE-2026-48619.patch: cap the client-side originSet
(maxOriginSetSize, default 128) in lib/internal/http2/core.js and
destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS
- CVE-2026-48619
* SECURITY UPDATE: embedded-NUL hostnames cause silent authority rebinding
- debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes
in lib/internal/validators.js and reject embedded-NUL hostnames in
lib/dns.js, lib/internal/dns/promises.js and lib/net.js
- CVE-2026-48930
* SECURITY UPDATE: WebCrypto cipher output-length integer overflow
- debian/patches/CVE-2026-48933.patch: add TryGetIntCipherOutputLength
in src/crypto/crypto_cipher.h and guard the AES_Cipher output length
in src/crypto/crypto_aes.cc against signed int overflow
- CVE-2026-48933
Updated packages:
-
alt-nodejs20-docs_20.20.2-3_amd64.deb
sha:37a718a733409756dcd487254ca8c9c52977f370
-
alt-nodejs20-nodejs_20.20.2-3_amd64.deb
sha:ec41fd9a150373679d448417588c44cf145bc5d8
-
alt-nodejs20-nodejs-devel_20.20.2-3_amd64.deb
sha:99ae786f69abe01efe7e5589b02adfc6c9f4e5c1
-
alt-nodejs20-npm_10.8.2-20.20.2-3_amd64.deb
sha:5a67247f80a5a72eaf9f9e6d1abcbddf7289093c
-
alt-nodejs20-docs_20.20.2-3_arm64.deb
sha:c0cf8ba4827480d0efec4b4a5edcedeeeffbeb85
-
alt-nodejs20-nodejs_20.20.2-3_arm64.deb
sha:a779fe69e47e3b18ee234bd1b0515d2b592b9e3e
-
alt-nodejs20-nodejs-devel_20.20.2-3_arm64.deb
sha:b276116572566ab6cd784e194cb1479f964b363f
-
alt-nodejs20-npm_10.8.2-20.20.2-3_arm64.deb
sha:ab4f3d1b3253233e56f28fdebeaa8446fb298fef
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.