[CLSA-2026:1784045729] Fix CVE(s): CVE-2026-58469, CVE-2026-58471, CVE-2026-58472
Type:
security
Severity:
Important
Release date:
2026-07-14 16:15:49 UTC
Description:
* SECURITY UPDATE: Heap buffer overflow via crafted HTML attribute encoding - debian/patches/CVE-2026-58472.patch: use size_t with INT_ADD_OK overflow checks when accumulating the encoded output size in html_quote_string() in src/convert.c, aborting on overflow instead of under-allocating - CVE-2026-58472 * SECURITY UPDATE: Heap buffer overflow in filename charset conversion - debian/patches/CVE-2026-58471.patch: correctly recompute the remaining output space on the iconv E2BIG reallocation path in convert_fname() in src/url.c - CVE-2026-58471 * SECURITY UPDATE: Heap buffer underread via all-whitespace Metalink URL - debian/patches/CVE-2026-58469.patch: add an end > beg bounds check in clean_metalink_string() in src/metalink.c to avoid decrementing the pointer before the start of the buffer - CVE-2026-58469
Updated packages:
  • wget_1.20.3-1ubuntu2.1+tuxcare.els1_amd64.deb
    sha:503352a089eaf619f60d86a099047128e7e6d3b5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.