Advisories ยป MGASA-2026-0257

Updated nodejs packages fix security vulnerabilities

Publication date: 18 Jul 2026
Modification date: 18 Jul 2026
Type: security
Affected Mageia releases : 10 , 9
CVE: CVE-2026-48615 , CVE-2026-48617 , CVE-2026-48618 , CVE-2026-48619 , CVE-2026-48928 , CVE-2026-48930 , CVE-2026-48931 , CVE-2026-48933 , CVE-2026-48934 , CVE-2026-48935 , CVE-2026-48937

Description

lib,test: redact proxy credentials in tunnel errors. (CVE-2026-48615)
permission: handle process.chdir on writereport. (CVE-2026-48617)
tls: normalize hostname for server identity checks. (CVE-2026-48618)
http2: cap originSet size to prevent unbounded memory growth.
(CVE-2026-48619)
tls: fix case-sensitive SNI context matching. (CVE-2026-48928)
dns,net: reject hostnames with embedded NUL bytes. (CVE-2026-48930)
http: fix response queue poisoning in http.Agent. (CVE-2026-48931)
crypto: guard WebCrypto cipher output length. (CVE-2026-48933)
tls: bind reusable sessions to authenticated host. (CVE-2026-48934)
permission: disable FileHandle utimes with permission model.
(CVE-2026-48935)
deps: fix integration issues with the latest nghttp2. (CVE-2026-48937)
                

References

SRPMS

10/core

9/core