Release date:
2026-07-09 15:19:29 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option
maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS,
preventing unbounded memory growth from malicious ORIGIN frames
- CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via
new validateStringWithoutNullBytes, preventing silent authority rebinding
from c-string truncation in the resolver bindings
- CVE-2026-48933: guard the WebCrypto AES cipher output length with
TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of
overflowing the signed int buffer length and aborting the process
Updated packages:
-
alt-nodejs18-nodejs-18.20.8-14.el9.x86_64.rpm
sha:2113b3bddb1a24f57c211a0a0104cea71ef1fad38305b18a26ce50a5888d8e06
-
alt-nodejs18-nodejs-devel-18.20.8-14.el9.x86_64.rpm
sha:1f8ccafd42cd67115cfed4a8258e8f52538be18dafa7e4a05b5f9f28ba6645bf
-
alt-nodejs18-nodejs-docs-18.20.8-14.el9.noarch.rpm
sha:2b747cb640552ce823b16167500049a770cb01550be3a0369a7c26c5bc39c4fa
-
alt-nodejs18-npm-10.8.2-18.20.8.14.el9.x86_64.rpm
sha:76d72f91a28e9f57e8f2dfe460d6909824f6effd650b15930581f741785b32f9
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.