Release date:
2026-07-09 16:06:56 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option
maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS,
preventing unbounded memory growth from malicious ORIGIN frames
- CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via
new validateStringWithoutNullBytes, preventing silent authority rebinding
from c-string truncation in the resolver bindings
- CVE-2026-48933: guard the WebCrypto AES cipher output length with
TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of
overflowing the signed int buffer length and aborting the process
Updated packages:
-
alt-nodejs18-nodejs-18.20.8-14.el7.x86_64.rpm
sha:9686025fb7e94711ebdc1cf4e2bbf563a43f92f94547ab21fd31924d956e5fd8
-
alt-nodejs18-nodejs-devel-18.20.8-14.el7.x86_64.rpm
sha:f45c9e17fd210ff58728c08b455c861fef2464ef11e3becfc48a89163b3dd6f9
-
alt-nodejs18-nodejs-docs-18.20.8-14.el7.noarch.rpm
sha:56423a28d05aea7c2c6cd82ec6e4b91640143d1cfad4fc0776780488a9964bde
-
alt-nodejs18-npm-10.8.2-18.20.8.14.el7.x86_64.rpm
sha:99332bdb07ca895d1f863ffe97b4bf78d18ef946917d18c97c4fe2274917adb6
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.