Release date:
2026-07-07 16:09:45 UTC
Description:
* SECURITY UPDATE: injection via unvalidated resolved host name in the
mail SMTP proxy, where a host name resolved from the client address
could carry characters outside RFC 1034 Section 3.5 and be reused in
auth_http and smtp proxy requests
- debian/patches/CVE-2026-28753.patch: validate the resolved host name
to only contain RFC 1034 Section 3.5 characters in
src/mail/ngx_mail_smtp_handler.c
- CVE-2026-28753
Updated packages:
-
nginx1.27_1.27.5-1~bookworm+tuxcare.els12_amd64.deb
sha:8c2d5adc0450153a733c00a95616a92e2251d899
-
nginx1.27_1.27.5-1~bookworm+tuxcare.els12_arm64.deb
sha:e7c5d05377e8885b247091ec03d46b7d32a3d629
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.