Release date:
2026-07-15 16:08:02 UTC
Description:
* SECURITY UPDATE: Response injection via unvalidated resolved SMTP host
name in auth_http and smtp proxy
- debian/patches/CVE-2026-28753.patch: validate that the host name
resolved from the client address contains only the characters allowed
by RFC 1034 Section 3.5 before it is used, rejecting other characters
in ngx_mail_smtp_resolve_addr_handler
- CVE-2026-28753
Updated packages:
-
nginx1.25_1.25.5-1~trixie+tuxcare.els15_amd64.deb
sha:1d58d39bd88dac56511dfb946bcaa6df66302f4c
-
nginx1.25_1.25.5-1~trixie+tuxcare.els15_arm64.deb
sha:7f9af6a83b458a4789abab7125bfedc66ba13435
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.