[CLSA-2026:1783941226] Fix CVE(s): CVE-2026-40701, CVE-2026-42934
Type:
security
Severity:
Moderate
Release date:
2026-07-13 11:14:04 UTC
Description:
* SECURITY UPDATE: use-after-free in ngx_event_openssl_stapling when a client SSL connection is terminated while resolving an OCSP responder, leaving the resolve context un-freed on resolve completion - debian/patches/CVE-2026-40701.patch: track the resolve context on the OCSP context and release it via ngx_resolve_name_done() on connection close in src/event/ngx_event_openssl_stapling.c - CVE-2026-40701
Updated packages:
  • nginx1.27_1.27.5-1~bookworm+tuxcare.els13_amd64.deb
    sha:d0d1a0adf55610f91af4fdee9ddaabc3731b5c99
  • nginx1.27_1.27.5-1~bookworm+tuxcare.els13_arm64.deb
    sha:c2fba3eedd00cbca1e9a4f8a9dd12ae97c7e360f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.