Release date:
2026-07-09 16:35:24 UTC
Description:
* SECURITY UPDATE: http2 client ORIGIN-frame unbounded memory growth
- debian/patches/CVE-2026-48619.patch: cap the http2 client originSet
size (default 128, configurable via the connect() maxOriginSetSize
option) and destroy the session with ERR_HTTP2_TOO_MANY_ORIGINS once
exceeded, so a malicious server can no longer grow originSet without
bound (no upstream Node.js 18 fix exists — 18.x went EOL before
disclosure; adapted from c79968e108, first in v22.23.0)
- CVE-2026-48619
* SECURITY UPDATE: embedded-NUL hostnames cause silent authority rebinding
- debian/patches/CVE-2026-48930.patch: add validateStringWithoutNullBytes
and reject hostnames/hosts containing an embedded NUL byte in
dns.lookup(), dnsPromises.lookup() and net.connect()/createConnection(),
preventing c-string truncation in the resolver bindings from resolving a
different authority than the one validated (adapted from 7dafafa2, first
in v22.23.0)
- CVE-2026-48930
* SECURITY UPDATE: WebCrypto cipher output-length signed integer overflow
- debian/patches/CVE-2026-48933.patch: guard the WebCrypto AES output
length with TryGetIntCipherOutputLength so inputs near 2 GiB fail cleanly
instead of overflowing the signed int buffer length and aborting the
process (adapted from 98fbc89211, first in v22.23.0)
- CVE-2026-48933
Updated packages:
-
alt-nodejs18-docs_18.20.8-14_amd64.deb
sha:659427dbf0d23fd4b5a8982fc7ed7ab4d3823296
-
alt-nodejs18-nodejs_18.20.8-14_amd64.deb
sha:f46c86fdf3971a25299aa1b08f352b0a0d0a61d9
-
alt-nodejs18-nodejs-devel_18.20.8-14_amd64.deb
sha:a139fb06db88f74f9353edb2b7444f2b51ce09ed
-
alt-nodejs18-npm_10.8.2-18.20.8.14_amd64.deb
sha:d6ab62a6ff64e0a9295e47efd9b4dac91d28029c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.