Release date:
2026-07-07 16:18:50 UTC
Description:
* SECURITY UPDATE: injection via unvalidated resolved host name in the
mail SMTP proxy, where a host name resolved from the client address
could carry characters outside RFC 1034 Section 3.5 and be reused in
auth_http and smtp proxy requests
- debian/patches/CVE-2026-28753.patch: validate the resolved host name
to only contain RFC 1034 Section 3.5 characters in
src/mail/ngx_mail_smtp_handler.c
- CVE-2026-28753
Updated packages:
-
nginx1.27_1.27.5-1~trixie+tuxcare.els12_amd64.deb
sha:3a41c777b97cbec99b42fa797bbce685e8647159
-
nginx1.27_1.27.5-1~trixie+tuxcare.els12_arm64.deb
sha:7869d4326d4dfcd050bf2222d0a07cdd9fcb1bcc
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.