[CLSA-2026:1783420708] Fix CVE(s): CVE-2026-48619, CVE-2026-48930, CVE-2026-48933
Type:
security
Severity:
Critical
Release date:
2026-07-07 10:38:48 UTC
Description:
* SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth - debian/patches/CVE-2026-48619.patch: cap the client-side originSet (maxOriginSetSize, default 128) in lib/internal/http2/core.js and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS - CVE-2026-48619 * SECURITY UPDATE: embedded-NUL hostnames cause silent authority rebinding - debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes in lib/internal/validators.js and reject embedded-NUL hostnames in lib/dns.js, lib/internal/dns/promises.js and lib/net.js - CVE-2026-48930 * SECURITY UPDATE: WebCrypto cipher output-length integer overflow - debian/patches/CVE-2026-48933.patch: add TryGetIntCipherOutputLength in src/crypto/crypto_cipher.h and guard the AES_Cipher output length in src/crypto/crypto_aes.cc against signed int overflow - CVE-2026-48933
Updated packages:
  • alt-nodejs20-docs_20.20.2-3_amd64.deb
    sha:37a718a733409756dcd487254ca8c9c52977f370
  • alt-nodejs20-nodejs_20.20.2-3_amd64.deb
    sha:9d312e7b4365443d0d0430dc7948d6f168f57171
  • alt-nodejs20-nodejs-devel_20.20.2-3_amd64.deb
    sha:f7d8d4cca89029771dac58c1fffd5b6cd615f55b
  • alt-nodejs20-npm_10.8.2-20.20.2-3_amd64.deb
    sha:5a67247f80a5a72eaf9f9e6d1abcbddf7289093c
  • alt-nodejs20-docs_20.20.2-3_arm64.deb
    sha:c0cf8ba4827480d0efec4b4a5edcedeeeffbeb85
  • alt-nodejs20-nodejs_20.20.2-3_arm64.deb
    sha:5123eb13325f959f9c0094af2a57286240ab4654
  • alt-nodejs20-nodejs-devel_20.20.2-3_arm64.deb
    sha:499b77889bd93f0aa019f7e977143e4b5b90f479
  • alt-nodejs20-npm_10.8.2-20.20.2-3_arm64.deb
    sha:ab4f3d1b3253233e56f28fdebeaa8446fb298fef
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.