[CLSA-2026:1783434980] Fix CVE(s): CVE-2026-28753
Type:
security
Severity:
Moderate
Release date:
2026-07-07 14:36:36 UTC
Description:
* SECURITY UPDATE: CRLF injection in ngx_mail_smtp_module via crafted DNS responses, allowing header injection into auth_http and smtp proxy upstream requests - debian/patches/CVE-2026-28753.patch: add ngx_mail_smtp_validate_host to validate the resolved client hostname against RFC 1034 Section 3.5 in ngx_mail_smtp_resolve_addr_handler before it is used - CVE-2026-28753
CVEs fixed:
Updated packages:
  • nginx1.21_1.21.6-1~trixie+tuxcare.els10_amd64.deb
    sha:9307f02691be861afebd4ae518b74660d8ef30ec
  • nginx1.21_1.21.6-1~trixie+tuxcare.els10_arm64.deb
    sha:14db7279a26520716f5aee6b72371b66ac208c95
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.