[CLSA-2026:1783602467] alt-nodejs18-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 16:06:56 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS, preventing unbounded memory growth from malicious ORIGIN frames - CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via new validateStringWithoutNullBytes, preventing silent authority rebinding from c-string truncation in the resolver bindings - CVE-2026-48933: guard the WebCrypto AES cipher output length with TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of overflowing the signed int buffer length and aborting the process
Updated packages:
  • alt-nodejs18-nodejs-18.20.8-14.el7.x86_64.rpm
    sha:9686025fb7e94711ebdc1cf4e2bbf563a43f92f94547ab21fd31924d956e5fd8
  • alt-nodejs18-nodejs-devel-18.20.8-14.el7.x86_64.rpm
    sha:f45c9e17fd210ff58728c08b455c861fef2464ef11e3becfc48a89163b3dd6f9
  • alt-nodejs18-nodejs-docs-18.20.8-14.el7.noarch.rpm
    sha:56423a28d05aea7c2c6cd82ec6e4b91640143d1cfad4fc0776780488a9964bde
  • alt-nodejs18-npm-10.8.2-18.20.8.14.el7.x86_64.rpm
    sha:99332bdb07ca895d1f863ffe97b4bf78d18ef946917d18c97c4fe2274917adb6
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.