[CLSA-2026:1783610644] alt-nodejs16-nodejs: Fix of 3 CVEs
Type:
security
Severity:
Critical
Release date:
2026-07-09 15:24:23 UTC
Description:
- CVE-2026-48619: http2 client OOM via unbounded ORIGIN frames. Backport upstream c79968e108 (first in v22.23.0): cap the client-side originSet (default 128, configurable via options.maxOriginSetSize on connect) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once exceeded. Node 16 is EOL, no upstream 16.x fix; vulnerable onOrigin() loop present. - CVE-2026-48930: TLS/DNS embedded-NUL hostname authority rebinding. Backport upstream 7dafafa242 (first in v22.23.0): add validateStringWithoutNullBytes() and reject embedded NUL bytes in the hostname/options.host arguments of dns.lookup, dnsPromises.lookup and net.connect before they reach the NUL-terminated C resolver. - CVE-2026-48933: WebCrypto AES cipher output-length integer overflow. Backport upstream 98fbc89211 (first in v22.23.0): add TryGetIntCipherOutputLength() guard in crypto_cipher.h and use it in AES_Cipher() so an input length near 2 GiB fails cleanly instead of overflowing the signed int buffer length and aborting the process.
Updated packages:
  • alt-nodejs16-nodejs-16.20.2-23.el9.x86_64.rpm
    sha:e585583d7551c8e5ce3b8b79ec9b4ff7a8330b5a703b53e1b8468404220a411a
  • alt-nodejs16-nodejs-devel-16.20.2-23.el9.x86_64.rpm
    sha:56d691e21a08e8436cb4d585cbb2ffa7a4aa31e590c9a3121573ffb65120070e
  • alt-nodejs16-nodejs-docs-16.20.2-23.el9.noarch.rpm
    sha:bd5611face3a5f8a5088e0f0a590ff6b6a9f278386af20bd32cb2f443436b54d
  • alt-nodejs16-npm-8.19.4-16.20.2.23.el9.x86_64.rpm
    sha:74ef17fd8d314504b503f3318a0d1339b3a4fb8b50ca199123dea3933ad52d55
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.