Release date:
2026-07-09 15:36:31 UTC
Description:
* SECURITY UPDATE: embedded-NUL hostnames -> silent authority rebinding
- debian/patches/CVE-2026-48930.patch: reject hostnames containing an
embedded NUL byte in dns.lookup(), dnsPromises.lookup() and
net.connect()/net.createConnection() before they reach the C resolver,
which would otherwise truncate the string at the NUL and resolve/connect
to a different authority than the one validated in JavaScript. Adds
validateStringWithoutNullBytes() in lib/internal/validators.js (backport
of nodejs/node@7dafafa2 adapted to 14.21.3)
- CVE-2026-48930
* SECURITY UPDATE: HTTP/2 client ORIGIN-frame unbounded memory growth
- debian/patches/CVE-2026-48619.patch: cap the client-side originSet at a
configurable maxOriginSetSize (default 128) in lib/internal/http2/core.js;
a malicious server sending unlimited ORIGIN frames now trips
ERR_HTTP2_TOO_MANY_ORIGINS instead of growing the set without bound
(backport of nodejs/node@c79968e1)
- CVE-2026-48619
* SECURITY UPDATE: cipher output-length signed-int overflow (~2 GiB input)
- debian/patches/CVE-2026-48933.patch: guard the len + block_size output
length computation in CipherBase::Update (src/node_crypto.cc) against
signed-int overflow that produced a bogus buffer size passed to
EVP_CipherUpdate() -> OOB write / crash. Node 14 predates WebCrypto, so
the INT_MAX guard from nodejs/node@98fbc892 is adapted to the legacy
crypto.createCipheriv().update() path
- CVE-2026-48933
Updated packages:
-
alt-nodejs14-docs_14.21.3-25_amd64.deb
sha:e1bbd33930ed747e022ee6ac0db6f9bc2c5b6382
-
alt-nodejs14-nodejs_14.21.3-25_amd64.deb
sha:4c3e9c7633d9a489bbe6f02e817ee09e734f0612
-
alt-nodejs14-nodejs-devel_14.21.3-25_amd64.deb
sha:9a9d17c9334b7076029457e28c68da90df190c7b
-
alt-nodejs14-npm_6.14.18-14.21.3-25_amd64.deb
sha:11d9ec4a324868f41c1f7cd0e1d035c9bb3f2b5c
-
alt-nodejs14-docs_14.21.3-25_arm64.deb
sha:545706b8b563d25ecb25c5139387462f9f287295
-
alt-nodejs14-nodejs_14.21.3-25_arm64.deb
sha:1d139546ed146c5ab5bbba8813dce55014b58847
-
alt-nodejs14-nodejs-devel_14.21.3-25_arm64.deb
sha:950b6d056d4b2a1c9fe01b36a5cad85eb2bb898e
-
alt-nodejs14-npm_6.14.18-14.21.3-25_arm64.deb
sha:13fc93771c4d583259f89f0a3cd6388128062a92
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.