[CLSA-2026:1784131667] Fix CVE(s): CVE-2024-35200, CVE-2026-28753
Type:
security
Severity:
Moderate
Release date:
2026-07-15 16:08:02 UTC
Description:
* SECURITY UPDATE: Response injection via unvalidated resolved SMTP host name in auth_http and smtp proxy - debian/patches/CVE-2026-28753.patch: validate that the host name resolved from the client address contains only the characters allowed by RFC 1034 Section 3.5 before it is used, rejecting other characters in ngx_mail_smtp_resolve_addr_handler - CVE-2026-28753
Updated packages:
  • nginx1.25_1.25.5-1~trixie+tuxcare.els15_amd64.deb
    sha:1d58d39bd88dac56511dfb946bcaa6df66302f4c
  • nginx1.25_1.25.5-1~trixie+tuxcare.els15_arm64.deb
    sha:7f9af6a83b458a4789abab7125bfedc66ba13435
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.