[CLSA-2026:1783615984] alt-nodejs18-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 16:53:22 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS, preventing unbounded memory growth from malicious ORIGIN frames - CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via new validateStringWithoutNullBytes, preventing silent authority rebinding from c-string truncation in the resolver bindings - CVE-2026-48933: guard the WebCrypto AES cipher output length with TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of overflowing the signed int buffer length and aborting the process
Updated packages:
  • alt-nodejs18-nodejs-18.20.8-14.el10.x86_64.rpm
    sha:2d9f5c81e107e348fc6e2e5c4af920ee65277a88a932a0be7d4e830a72781fcf
  • alt-nodejs18-nodejs-devel-18.20.8-14.el10.x86_64.rpm
    sha:2ec34113cd99f6a34a5d0b94839a58122e64dccba22bb6cbcaf56ae86b87a30f
  • alt-nodejs18-nodejs-docs-18.20.8-14.el10.noarch.rpm
    sha:671cb1e1c89ab2115d8769367373c2aa0f63eaf6d754cfc62fe0411f49c965a7
  • alt-nodejs18-npm-10.8.2-18.20.8.14.el10.x86_64.rpm
    sha:61813106cc017000b63e377ef2633d4939e54b40b2e01a2034153fb3f89723ba
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.