Release date:
2026-07-09 16:53:22 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option
maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS,
preventing unbounded memory growth from malicious ORIGIN frames
- CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via
new validateStringWithoutNullBytes, preventing silent authority rebinding
from c-string truncation in the resolver bindings
- CVE-2026-48933: guard the WebCrypto AES cipher output length with
TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of
overflowing the signed int buffer length and aborting the process
Updated packages:
-
alt-nodejs18-nodejs-18.20.8-14.el10.x86_64.rpm
sha:2d9f5c81e107e348fc6e2e5c4af920ee65277a88a932a0be7d4e830a72781fcf
-
alt-nodejs18-nodejs-devel-18.20.8-14.el10.x86_64.rpm
sha:2ec34113cd99f6a34a5d0b94839a58122e64dccba22bb6cbcaf56ae86b87a30f
-
alt-nodejs18-nodejs-docs-18.20.8-14.el10.noarch.rpm
sha:671cb1e1c89ab2115d8769367373c2aa0f63eaf6d754cfc62fe0411f49c965a7
-
alt-nodejs18-npm-10.8.2-18.20.8.14.el10.x86_64.rpm
sha:61813106cc017000b63e377ef2633d4939e54b40b2e01a2034153fb3f89723ba
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.