[CLSA-2026:1783617240] alt-nodejs18-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 17:14:18 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS, preventing unbounded memory growth from malicious ORIGIN frames - CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via new validateStringWithoutNullBytes, preventing silent authority rebinding from c-string truncation in the resolver bindings - CVE-2026-48933: guard the WebCrypto AES cipher output length with TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of overflowing the signed int buffer length and aborting the process
Updated packages:
  • alt-nodejs18-nodejs-18.20.8-14.el8.x86_64.rpm
    sha:96ae639128bb02145b8dbb004f1a4c5d0ad7adc3139abc951127756d5040ab4d
  • alt-nodejs18-nodejs-devel-18.20.8-14.el8.x86_64.rpm
    sha:eba12e8bd5ff60d22aef835df6a501e2a83742135e3e3296cbe72e0ba058022d
  • alt-nodejs18-nodejs-docs-18.20.8-14.el8.noarch.rpm
    sha:41000718fbc3f9bd1eb61f62d481825718d0f47a0931cfb8d90192b10724a811
  • alt-nodejs18-npm-10.8.2-18.20.8.14.el8.x86_64.rpm
    sha:170924fbd6956e4a1b7ac068ac02de79a1b96268820150b6fb65175642969288
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.