[CLSA-2026:1784018158] Fix CVE(s): CVE-2026-33846, CVE-2026-42009, CVE-2026-5260
Type:
security
Severity:
Important
Release date:
2026-07-14 08:36:17 UTC
Description:
* SECURITY UPDATE: heap buffer overflow in DTLS handshake reassembly - debian/patches/CVE-2026-33846.patch: add length-consistency and array bounds checks in merge_handshake_packet in lib/buffers.c to reject DTLS fragments with mismatching or oversized claimed length - CVE-2026-33846 * SECURITY UPDATE: denial of service via non-conforming qsort comparator - debian/patches/CVE-2026-42009.patch: return 0 for equal sequence numbers in handshake_compare in lib/buffers.c so DTLS packet ordering follows the qsort strict-weak-ordering contract - CVE-2026-42009 * SECURITY UPDATE: heap over-read on short RSA-PSK ciphertext with PKCS#11 key - debian/patches/CVE-2026-5260.patch: verify ciphertext size matches the RSA modulus in _gnutls_proc_rsa_psk_client_kx in lib/auth/rsa_psk.c and size the PKCS#11 decrypt buffer with MAX(siglen, plaintext_size) in lib/pkcs11_privkey.c (the RSA path uses the allocating decrypt API and is not affected) - CVE-2026-5260
Updated packages:
  • gnutls-bin_3.5.18-1ubuntu1.6+tuxcare.els4_amd64.deb
    sha:87954656ea3ebe90f346b1093302fe797d1f4444
  • gnutls-doc_3.5.18-1ubuntu1.6+tuxcare.els4_all.deb
    sha:99f6637a4dd145a135574f54483ed72709ece8a9
  • libgnutls-dane0_3.5.18-1ubuntu1.6+tuxcare.els4_amd64.deb
    sha:01157c1266a1db06284f813265e44098e06344a5
  • libgnutls-openssl27_3.5.18-1ubuntu1.6+tuxcare.els4_amd64.deb
    sha:8eb2520b268220ff6917f7e4e143a9a208e46dea
  • libgnutls28-dev_3.5.18-1ubuntu1.6+tuxcare.els4_amd64.deb
    sha:ac5982a629962d5bc11173f12b0e1cbd0bbe4b94
  • libgnutls30_3.5.18-1ubuntu1.6+tuxcare.els4_amd64.deb
    sha:754393e9132d6a94a14266b14cfced4a7ccf7400
  • libgnutlsxx28_3.5.18-1ubuntu1.6+tuxcare.els4_amd64.deb
    sha:b6325a1217a70c330c581f5d19cebeb093ccd60a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.