[CLSA-2026:1783689031] Fix CVE(s): CVE-2026-33846, CVE-2026-42009, CVE-2026-5260
Type:
security
Severity:
Important
Release date:
2026-07-10 13:10:48 UTC
Description:
* SECURITY UPDATE: heap buffer overflow in DTLS handshake reassembly - debian/patches/CVE-2026-33846.patch: add length-consistency and array bounds checks in merge_handshake_packet in lib/buffers.c to reject DTLS fragments with mismatching or oversized claimed length - CVE-2026-33846 * SECURITY UPDATE: denial of service via non-conforming qsort comparator - debian/patches/CVE-2026-42009.patch: return 0 for equal sequence numbers in handshake_compare in lib/buffers.c so DTLS packet ordering follows the qsort strict-weak-ordering contract - CVE-2026-42009 * SECURITY UPDATE: heap over-read on short RSA ciphertext with PKCS#11 key - debian/patches/CVE-2026-5260.patch: verify ciphertext size matches the RSA modulus in proc_rsa_client_kx and _gnutls_proc_rsa_psk_client_kx (lib/auth/rsa.c, lib/auth/rsa_psk.c) and size the PKCS#11 decrypt buffer with MAX(siglen, plaintext_size) in lib/pkcs11_privkey.c - CVE-2026-5260
Updated packages:
  • gnutls-bin_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:7b66650ea7b40b0118fffef5a2a4237397f8b1a9
  • gnutls-doc_3.6.13-2ubuntu1.12+tuxcare.els5_all.deb
    sha:9eccf24913e0af0ef7b7cb06c7cd60e48417a8ca
  • guile-gnutls_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:ba894c6d5bfcce38bd9312dbcc96c09f1a8942f5
  • libgnutls-dane0_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:facc2482af65026c6b569303f67d401e034dd907
  • libgnutls-openssl27_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:287cb6e57193038bce55993aa16ee20b86b22ca5
  • libgnutls28-dev_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:5e0a36b646607cfa9d25934b83f67c2f4eead730
  • libgnutls30_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:a64dab04282133170054e83bc791afafec8a24c8
  • libgnutlsxx28_3.6.13-2ubuntu1.12+tuxcare.els5_amd64.deb
    sha:940e603c0f948db0029b950a8d6e837fbc34e8a3
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.