[CLSA-2026:1783440562] Fix CVE(s): CVE-2026-28753, CVE-2026-40460
Type:
security
Severity:
Moderate
Release date:
2026-07-07 16:09:45 UTC
Description:
* SECURITY UPDATE: injection via unvalidated resolved host name in the mail SMTP proxy, where a host name resolved from the client address could carry characters outside RFC 1034 Section 3.5 and be reused in auth_http and smtp proxy requests - debian/patches/CVE-2026-28753.patch: validate the resolved host name to only contain RFC 1034 Section 3.5 characters in src/mail/ngx_mail_smtp_handler.c - CVE-2026-28753
Updated packages:
  • nginx1.27_1.27.5-1~bookworm+tuxcare.els12_amd64.deb
    sha:8c2d5adc0450153a733c00a95616a92e2251d899
  • nginx1.27_1.27.5-1~bookworm+tuxcare.els12_arm64.deb
    sha:e7c5d05377e8885b247091ec03d46b7d32a3d629
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.