[CLSA-2026:1783587203] Fix CVE(s): CVE-2026-48619, CVE-2026-48930, CVE-2026-48933
Type:
security
Severity:
Critical
Release date:
2026-07-09 08:53:44 UTC
Description:
* SECURITY UPDATE: HTTP/2 client unbounded ORIGIN-frame memory growth - debian/patches/CVE-2026-48619.patch: cap the HTTP/2 client originSet at 128 entries (new maxOriginSetSize connect option) so a malicious server can no longer drive unbounded memory growth by sending repeated ORIGIN frames; the session is destroyed with the new ERR_HTTP2_TOO_MANY_ORIGINS error once the cap is exceeded (backport of nodejs/node c79968e108) - CVE-2026-48619 * SECURITY UPDATE: embedded-NUL hostname authority rebinding - debian/patches/CVE-2026-48930.patch: reject hostnames containing an embedded NUL byte in dns.lookup(), dnsPromises.lookup() and net.connect()/net.createConnection() by adding validateStringWithoutNullBytes, preventing silent authority rebinding caused by C-string truncation in the resolver bindings (backport of nodejs/node 7dafafa2) - CVE-2026-48930 * SECURITY UPDATE: cipher output-length signed integer overflow - debian/patches/CVE-2026-48933.patch: guard the legacy CipherBase::Update() output-length computation against signed-int overflow (reject when len + block_size > INT_MAX), turning ~2 GiB one-shot crypto.createCipheriv().update() inputs into a clean failure instead of an out-of-bounds write; legacy-path analog of the WebCrypto fix in nodejs/node 98fbc89211 (Node 12 has no WebCrypto) - CVE-2026-48933
Updated packages:
  • alt-nodejs12-docs_12.22.12-23_amd64.deb
    sha:eaff1f20106220584de93eb64d371ba5a25fcf3d
  • alt-nodejs12-nodejs_12.22.12-23_amd64.deb
    sha:d0678262c15bd36b89a3ca00bc4fcf5b5000056d
  • alt-nodejs12-nodejs-devel_12.22.12-23_amd64.deb
    sha:73fc38a7e26aa9b6fd56bff41a7df07631370053
  • alt-nodejs12-npm_6.14.16-12.22.12.23_amd64.deb
    sha:c8dad65e9031978a977ce96fbb285ab4f0c2ef9b
  • alt-nodejs12-docs_12.22.12-23_arm64.deb
    sha:da3230a5b4e8a50c7d00d95d3d55ef45cb46e85c
  • alt-nodejs12-nodejs_12.22.12-23_arm64.deb
    sha:bdd85890deb74cba3a89d16d8de5e8681207e040
  • alt-nodejs12-nodejs-devel_12.22.12-23_arm64.deb
    sha:ea68b2c900cb5c064953eb804dcddaec4db3b719
  • alt-nodejs12-npm_6.14.16-12.22.12.23_arm64.deb
    sha:017b2f011c0dd7c95f419a8823bef315fe7c7859
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.