Release date:
2026-07-13 11:27:01 UTC
Description:
* SECURITY UPDATE: use-after-free in ngx_event_openssl_stapling when a
client SSL connection is terminated while resolving an OCSP responder,
leaving the resolve context un-freed on resolve completion
- debian/patches/CVE-2026-40701.patch: track the resolve context on the
OCSP context and release it via ngx_resolve_name_done() on connection
close in src/event/ngx_event_openssl_stapling.c
- CVE-2026-40701
Updated packages:
-
nginx1.27_1.27.5-1~trixie+tuxcare.els13_amd64.deb
sha:c0f6c4f5151d22dbd983d083f0badf859c82d126
-
nginx1.27_1.27.5-1~trixie+tuxcare.els13_arm64.deb
sha:4d16df757415fbd840620f3adec494d35517b7c1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.