[CLSA-2026:1783617736] Fix CVE(s): CVE-2026-48619, CVE-2026-48930, CVE-2026-48933
Type:
security
Severity:
Critical
Release date:
2026-07-09 17:22:39 UTC
Description:
* SECURITY UPDATE: embedded-NUL hostnames -> silent authority rebinding - debian/patches/CVE-2026-48930.patch: reject hostnames containing an embedded NUL byte in dns.lookup(), dnsPromises.lookup() and net.connect()/net.createConnection() before they reach the C resolver, which would otherwise truncate the string at the NUL and resolve/connect to a different authority than the one validated in JavaScript. Adds validateStringWithoutNullBytes() in lib/internal/validators.js (backport of nodejs/node@7dafafa2 adapted to 14.21.3) - CVE-2026-48930 * SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth - debian/patches/CVE-2026-48619.patch: cap the client-side originSet at a configurable maxOriginSetSize (default 128) in lib/internal/http2/core.js; a malicious server sending unlimited ORIGIN frames now trips ERR_HTTP2_TOO_MANY_ORIGINS instead of growing the set without bound (backport of nodejs/node@c79968e1) - CVE-2026-48619 * SECURITY UPDATE: cipher output-length signed-int overflow (~2 GiB input) - debian/patches/CVE-2026-48933.patch: guard the len + block_size output length computation in CipherBase::Update (src/node_crypto.cc) against signed-int overflow that produced a bogus buffer size passed to EVP_CipherUpdate() -> OOB write / crash. Node 14 predates WebCrypto, so the INT_MAX guard from nodejs/node@98fbc892 is adapted to the legacy crypto.createCipheriv().update() path - CVE-2026-48933
Updated packages:
  • alt-nodejs14-docs_14.21.3-25_amd64.deb
    sha:e1bbd33930ed747e022ee6ac0db6f9bc2c5b6382
  • alt-nodejs14-nodejs_14.21.3-25_amd64.deb
    sha:4c22be4a4404e335a041c939fcd921ec3c3999e1
  • alt-nodejs14-nodejs-devel_14.21.3-25_amd64.deb
    sha:eaf85ed9ed547d2074133ee322dc201a702a4e54
  • alt-nodejs14-npm_6.14.18-14.21.3-25_amd64.deb
    sha:e3e5209bdf944adc5c664f3a8e62f5873c8668b6
  • alt-nodejs14-docs_14.21.3-25_arm64.deb
    sha:545706b8b563d25ecb25c5139387462f9f287295
  • alt-nodejs14-nodejs_14.21.3-25_arm64.deb
    sha:d4346ad65f0915944873f549dc48144dfe296478
  • alt-nodejs14-nodejs-devel_14.21.3-25_arm64.deb
    sha:e324f5da6696a502e462509fb93e740184875ca4
  • alt-nodejs14-npm_6.14.18-14.21.3-25_arm64.deb
    sha:0ab19a84b379a5a1a4ea41e85eb050e4dddb2f8f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.