[CLSA-2026:1783441112] Fix CVE(s): CVE-2026-28753, CVE-2026-40460
Type:
security
Severity:
Moderate
Release date:
2026-07-07 16:18:50 UTC
Description:
* SECURITY UPDATE: injection via unvalidated resolved host name in the mail SMTP proxy, where a host name resolved from the client address could carry characters outside RFC 1034 Section 3.5 and be reused in auth_http and smtp proxy requests - debian/patches/CVE-2026-28753.patch: validate the resolved host name to only contain RFC 1034 Section 3.5 characters in src/mail/ngx_mail_smtp_handler.c - CVE-2026-28753
Updated packages:
  • nginx1.27_1.27.5-1~trixie+tuxcare.els12_amd64.deb
    sha:3a41c777b97cbec99b42fa797bbce685e8647159
  • nginx1.27_1.27.5-1~trixie+tuxcare.els12_arm64.deb
    sha:7869d4326d4dfcd050bf2222d0a07cdd9fcb1bcc
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.