[CLSA-2026:1783610349] alt-nodejs18-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 15:19:29 UTC
Description:
- CVE-2026-48619: cap http2 client originSet size (default 128, option maxOriginSetSize) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS, preventing unbounded memory growth from malicious ORIGIN frames - CVE-2026-48930: reject dns/net hostnames containing embedded NUL bytes via new validateStringWithoutNullBytes, preventing silent authority rebinding from c-string truncation in the resolver bindings - CVE-2026-48933: guard the WebCrypto AES cipher output length with TryGetIntCipherOutputLength so ~2 GiB inputs fail cleanly instead of overflowing the signed int buffer length and aborting the process
Updated packages:
  • alt-nodejs18-nodejs-18.20.8-14.el9.x86_64.rpm
    sha:2113b3bddb1a24f57c211a0a0104cea71ef1fad38305b18a26ce50a5888d8e06
  • alt-nodejs18-nodejs-devel-18.20.8-14.el9.x86_64.rpm
    sha:1f8ccafd42cd67115cfed4a8258e8f52538be18dafa7e4a05b5f9f28ba6645bf
  • alt-nodejs18-nodejs-docs-18.20.8-14.el9.noarch.rpm
    sha:2b747cb640552ce823b16167500049a770cb01550be3a0369a7c26c5bc39c4fa
  • alt-nodejs18-npm-10.8.2-18.20.8.14.el9.x86_64.rpm
    sha:76d72f91a28e9f57e8f2dfe460d6909824f6effd650b15930581f741785b32f9
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.