Release date:
2026-07-09 11:33:50 UTC
Description:
* SECURITY UPDATE: HTTP/2 client unbounded ORIGIN-frame memory growth
- debian/patches/CVE-2026-48619.patch: cap the HTTP/2 client originSet
at 128 entries (new maxOriginSetSize connect option) so a malicious
server can no longer drive unbounded memory growth by sending repeated
ORIGIN frames; the session is destroyed with the new
ERR_HTTP2_TOO_MANY_ORIGINS error once the cap is exceeded
(backport of nodejs/node c79968e108)
- CVE-2026-48619
* SECURITY UPDATE: embedded-NUL hostname authority rebinding
- debian/patches/CVE-2026-48930.patch: reject hostnames containing an
embedded NUL byte in dns.lookup(), dnsPromises.lookup() and
net.connect()/net.createConnection() by adding
validateStringWithoutNullBytes, preventing silent authority rebinding
caused by C-string truncation in the resolver bindings
(backport of nodejs/node 7dafafa2)
- CVE-2026-48930
* SECURITY UPDATE: cipher output-length signed integer overflow
- debian/patches/CVE-2026-48933.patch: guard the legacy
CipherBase::Update() output-length computation against signed-int
overflow (reject when len + block_size > INT_MAX), turning ~2 GiB
one-shot crypto.createCipheriv().update() inputs into a clean failure
instead of an out-of-bounds write; legacy-path analog of the WebCrypto
fix in nodejs/node 98fbc89211 (Node 12 has no WebCrypto)
- CVE-2026-48933
Updated packages:
-
alt-nodejs12-docs_12.22.12-23_amd64.deb
sha:eaff1f20106220584de93eb64d371ba5a25fcf3d
-
alt-nodejs12-nodejs_12.22.12-23_amd64.deb
sha:c1a4462c4fe978754a679a4a923e9b4a621979aa
-
alt-nodejs12-nodejs-devel_12.22.12-23_amd64.deb
sha:63cbedd74b7e0a5f8683555fb1cb390645cdfe5c
-
alt-nodejs12-npm_6.14.16-12.22.12.23_amd64.deb
sha:c8dad65e9031978a977ce96fbb285ab4f0c2ef9b
-
alt-nodejs12-docs_12.22.12-23_arm64.deb
sha:da3230a5b4e8a50c7d00d95d3d55ef45cb46e85c
-
alt-nodejs12-nodejs_12.22.12-23_arm64.deb
sha:3914ff6cfeb7bef34587853bf3535e1d8b908c37
-
alt-nodejs12-nodejs-devel_12.22.12-23_arm64.deb
sha:748a6719e717ae66f7025d52f703d90c572f4b73
-
alt-nodejs12-npm_6.14.16-12.22.12.23_arm64.deb
sha:017b2f011c0dd7c95f419a8823bef315fe7c7859
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.