[CLSA-2026:1784130502] Fix CVE(s): CVE-2024-35200, CVE-2026-28753
Type:
security
Severity:
Moderate
Release date:
2026-07-15 15:48:37 UTC
Description:
* SECURITY UPDATE: Response injection via unvalidated resolved SMTP host name in auth_http and smtp proxy - debian/patches/CVE-2026-28753.patch: validate that the host name resolved from the client address contains only the characters allowed by RFC 1034 Section 3.5 before it is used, rejecting other characters in ngx_mail_smtp_resolve_addr_handler - CVE-2026-28753
Updated packages:
  • nginx1.25_1.25.5-1~bookworm+tuxcare.els15_amd64.deb
    sha:8c96e89de86879f2e5c011c5aa4243aaa67858c3
  • nginx1.25_1.25.5-1~bookworm+tuxcare.els15_arm64.deb
    sha:070021c98ff1a4d32f9f3f69403187f689323e0b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.