Skip to main content

EasyApache4 v25.67 - Security Release for ea-nginx and ea-nodejs22

Pinned
cPRex Jurassic Moderator
  • Edited
We have published EasyApache4 v25.67, a security release addressing vulnerabilities in ea-nginx and ea-nodejs22.
 
---
SECURITY ADVISORY
---
 
  • ea-nginx
    • EA-13466: Update ea-nginx from v1.31.1 to v1.31.2
(CVE-2026-42055) Medium: Buffer overflow in ngx_http_proxy_v2_module and
ngx_http_grpc_module. Affected versions 1.13.10-1.31.1, fixed in 1.31.2.
(CVE-2026-48142) Low: Buffer over-read in ngx_http_charset_module. Affected
versions 0.3.50-1.31.1, fixed in 1.31.2.
 
  • Note: CVE-2026-42530 (HTTP/3 use-after-free) is not applicable -
      ea-nginx is built without --with-http_v3_module.
 
The following packages were also rebuilt against the patched ea-nginx:
 
  • ea-nginx-echo
    • EA-13466: Rebuild ea-nginx-echo against ea-nginx v1.31.2
 
  • ea-nginx-headers-more
    • EA-13466: Rebuild ea-nginx-headers-more against ea-nginx v1.31.2
 
  • ea-nginx-njs
    • EA-13466: Rebuild ea-nginx-njs against ea-nginx v1.31.2
 
  • ea-nginx-passenger
    • EA-13466: Rebuild ea-nginx-passenger against ea-nginx v1.31.2
 
  • ea-modsec30-connector-nginx
    • EA-13466: Rebuild ea-modsec30-connector-nginx against ea-nginx v1.31.2
 
---
 
  • ea-nodejs22
    • EA-13467: Update ea-nodejs22 from v22.22.3 to v22.23.0
      • Node.js June 2026 security release. 11 CVEs total (2 High, 6 Medium, 3 Low):
 
  • (CVE-2026-48618) High: TLS hostname normalization wildcard authentication bypass.
  • (CVE-2026-48933) High: WebCrypto AES integer overflow crash.
  • (CVE-2026-48937) Medium: HTTP/2 GOAWAY session cleanup.
  • (CVE-2026-48930) Medium: DNS/net embedded-NUL hostnames and authority rebinding.
  • (CVE-2026-48619) Medium: HTTP/2 originSet unbounded memory growth.
  • (CVE-2026-48615) Medium: Proxy credentials leaked in ERR_PROXY_TUNNEL.
  • (CVE-2026-48934) Medium: TLS session reuse identity bypass.
  • (CVE-2026-48928) Medium: TLS case-sensitive SNI bypass.
  • (CVE-2026-48617) Low: Permission model writeReport path bypass.
  • (CVE-2026-48931) Low: HTTP agent response queue poisoning TOCTOU.
  • (CVE-2026-48935) Low: FileHandle.utimes read-only bypass.

Comments

0 comments

Post is closed for comments.

Didn't find what you were looking for?

New post