Release date:
2026-07-09 17:14:18 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option
maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS,
preventing unbounded memory growth from malicious ORIGIN frames
- CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via
new validateStringWithoutNullBytes, preventing silent authority rebinding
from c-string truncation in the resolver bindings
- CVE-2026-48933: guard the WebCrypto AES cipher output length with
TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of
overflowing the signed int buffer length and aborting the process
Updated packages:
-
alt-nodejs18-nodejs-18.20.8-14.el8.x86_64.rpm
sha:96ae639128bb02145b8dbb004f1a4c5d0ad7adc3139abc951127756d5040ab4d
-
alt-nodejs18-nodejs-devel-18.20.8-14.el8.x86_64.rpm
sha:eba12e8bd5ff60d22aef835df6a501e2a83742135e3e3296cbe72e0ba058022d
-
alt-nodejs18-nodejs-docs-18.20.8-14.el8.noarch.rpm
sha:41000718fbc3f9bd1eb61f62d481825718d0f47a0931cfb8d90192b10724a811
-
alt-nodejs18-npm-10.8.2-18.20.8.14.el8.x86_64.rpm
sha:170924fbd6956e4a1b7ac068ac02de79a1b96268820150b6fb65175642969288
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.