Release date:
2026-07-13 11:14:04 UTC
Description:
* SECURITY UPDATE: use-after-free in ngx_event_openssl_stapling when a
client SSL connection is terminated while resolving an OCSP responder,
leaving the resolve context un-freed on resolve completion
- debian/patches/CVE-2026-40701.patch: track the resolve context on the
OCSP context and release it via ngx_resolve_name_done() on connection
close in src/event/ngx_event_openssl_stapling.c
- CVE-2026-40701
Updated packages:
-
nginx1.27_1.27.5-1~bookworm+tuxcare.els13_amd64.deb
sha:d0d1a0adf55610f91af4fdee9ddaabc3731b5c99
-
nginx1.27_1.27.5-1~bookworm+tuxcare.els13_arm64.deb
sha:c2fba3eedd00cbca1e9a4f8a9dd12ae97c7e360f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.