Release date:
2026-07-15 15:48:37 UTC
Description:
* SECURITY UPDATE: Response injection via unvalidated resolved SMTP host
name in auth_http and smtp proxy
- debian/patches/CVE-2026-28753.patch: validate that the host name
resolved from the client address contains only the characters allowed
by RFC 1034 Section 3.5 before it is used, rejecting other characters
in ngx_mail_smtp_resolve_addr_handler
- CVE-2026-28753
Updated packages:
-
nginx1.25_1.25.5-1~bookworm+tuxcare.els15_amd64.deb
sha:8c96e89de86879f2e5c011c5aa4243aaa67858c3
-
nginx1.25_1.25.5-1~bookworm+tuxcare.els15_arm64.deb
sha:070021c98ff1a4d32f9f3f69403187f689323e0b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.