[CLSA-2026:1783591410] alt-nodejs12-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 10:03:50 UTC
Description:
- CVE-2026-48619: cap the HTTP/2 client originSet at 128 entries so a malicious server can no longer drive unbounded memory growth via repeated ORIGIN frames; the session is destroyed with ERR_HTTP2_TOO_MANY_ORIGINS once the cap is exceeded (backport of nodejs/node c79968e108) - CVE-2026-48930: reject dns.lookup()/dnsPromises.lookup()/net.connect() hostnames that contain an embedded NUL byte, preventing silent authority rebinding caused by C-string truncation in the resolver bindings; adds validateStringWithoutNullBytes (backport of nodejs/node 7dafafa2) - CVE-2026-48933: guard the legacy CipherBase::Update() output-length computation against signed-int overflow (len + block_size > INT_MAX), turning ~2 GiB one-shot cipher inputs into a clean failure instead of an out-of-bounds write; the legacy analog of the WebCrypto fix in nodejs/node 98fbc89211 (Node 12 has no WebCrypto)
Updated packages:
  • alt-nodejs12-nodejs-12.22.12-22.el8.x86_64.rpm
    sha:5cd1dac363267c0f641889c5fce031c4bfd4f29e8b85e3d5b4d389c4da3c1c25
  • alt-nodejs12-nodejs-devel-12.22.12-22.el8.x86_64.rpm
    sha:1685d24e0e4f0931ee9fc709073f9a821be8549d0eb36e05075a7e53e91cff95
  • alt-nodejs12-nodejs-docs-12.22.12-22.el8.noarch.rpm
    sha:920fce4dca4d7dd3515ecc16908873a69abbea95b4e26aa75e92c955b6a72bf1
  • alt-nodejs12-npm-6.14.16-12.22.12.22.el8.x86_64.rpm
    sha:ccaa6795fd2f391a6862ff31082963f6984e5de445ae6154a462de4b790ae62a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.