[CLSA-2026:1783434317] Fix CVE(s): CVE-2026-28753
Type:
security
Severity:
Moderate
Release date:
2026-07-07 14:25:33 UTC
Description:
* SECURITY UPDATE: CRLF injection in ngx_mail_smtp_module via crafted DNS responses, allowing header injection into auth_http and smtp proxy upstream requests - debian/patches/CVE-2026-28753.patch: add ngx_mail_smtp_validate_host to validate the resolved client hostname against RFC 1034 Section 3.5 in ngx_mail_smtp_resolve_addr_handler before it is used - CVE-2026-28753
CVEs fixed:
Updated packages:
  • nginx1.21_1.21.6-1~bookworm+tuxcare.els10_amd64.deb
    sha:95b1b2c1b6719cb5be90b4c9fd63a4cb2f108c44
  • nginx1.21_1.21.6-1~bookworm+tuxcare.els10_arm64.deb
    sha:edaf48f9a4983f901dc68ee2be5bb6eec12949fd
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.