Release date:
2026-07-14 16:15:49 UTC
Description:
* SECURITY UPDATE: Heap buffer overflow via crafted HTML attribute encoding
- debian/patches/CVE-2026-58472.patch: use size_t with INT_ADD_OK overflow
checks when accumulating the encoded output size in html_quote_string()
in src/convert.c, aborting on overflow instead of under-allocating
- CVE-2026-58472
* SECURITY UPDATE: Heap buffer overflow in filename charset conversion
- debian/patches/CVE-2026-58471.patch: correctly recompute the remaining
output space on the iconv E2BIG reallocation path in convert_fname() in
src/url.c
- CVE-2026-58471
* SECURITY UPDATE: Heap buffer underread via all-whitespace Metalink URL
- debian/patches/CVE-2026-58469.patch: add an end > beg bounds check in
clean_metalink_string() in src/metalink.c to avoid decrementing the
pointer before the start of the buffer
- CVE-2026-58469
Updated packages:
-
wget_1.20.3-1ubuntu2.1+tuxcare.els1_amd64.deb
sha:503352a089eaf619f60d86a099047128e7e6d3b5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.