[CLSA-2026:1781344900] Fix CVE(s): CVE-2023-44487
Type:
security
Severity:
Important
Release date:
2026-06-13 10:02:27 UTC
Description:
* SECURITY UPDATE: HTTP/2 Rapid Reset (CVE-2023-44487) — a peer can cause a denial of service by rapidly opening and cancelling HTTP/2 streams (HEADERS immediately followed by RST_STREAM) without bound; the flaw is in the bundled nghttp2 library (1.47.0)
  - debian/patches/CVE-2023-44487.patch: minimal backport of the upstream nghttp2 RST_STREAM rate-limit mitigation (token bucket, burst=1000 rate=33/s) to deps/nghttp2; once the per-connection budget is exhausted a GOAWAY is sent. Cherry-pick of nghttp2 commit 72b4af6143 (shipped in 1.57.0), no wholesale version bump (Node 16 went EOL before the upstream fix, so no fixed 16.x exists)
  - CVE-2023-44487
CVEs fixed:
Updated packages:
  • alt-nodejs16-docs_16.20.2-21_amd64.deb
    sha:4dfb0aae54c08c9200c7a5380ae003c9143ded42
  • alt-nodejs16-nodejs_16.20.2-21_amd64.deb
    sha:6ca28ea9189904ae40c8032fdbc16a84ee587446
  • alt-nodejs16-nodejs-devel_16.20.2-21_amd64.deb
    sha:d0b9fb4ba5392a8deb9c04b33ae6c8492a60dc44
  • alt-nodejs16-npm_8.19.4-16.20.2-21_amd64.deb
    sha:459f24a6dc429d0b5f4ba22db05313d9c3e1ff4e
  • alt-nodejs16-docs_16.20.2-21_arm64.deb
    sha:b7ee2317981f2c4ad19a6ba668e6dfafafd10dc5
  • alt-nodejs16-nodejs_16.20.2-21_arm64.deb
    sha:fac2117c7e22fa18b2ee38eab8b06dbf2462b617
  • alt-nodejs16-nodejs-devel_16.20.2-21_arm64.deb
    sha:5340c6b974709bf057adb89de71ebb089fa04b66
  • alt-nodejs16-npm_8.19.4-16.20.2-21_arm64.deb
    sha:fe190d784e952e4ce154dafab6549da7c959262e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.
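The per-connection budget named in the Description (token bucket, burst=1000, rate=33/s, GOAWAY once exhausted), modelled as an added sketch that is not the code from the patch or from nghttp2. The type and function names are hypothetical, and whole-second timestamps and the constructed load figures are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Added sketch; names are hypothetical, not nghttp2's API. */
typedef struct { uint64_t val, burst, rate, tstamp; } ratelim;
static void rl_init(ratelim *rl, uint64_t burst, uint64_t rate) {
  rl->val = rl->burst = burst; /* start with a full bucket */
  rl->rate = rate;             /* tokens per second, assumed > 0 */
  rl->tstamp = 0;
}

/* Refill for elapsed whole seconds, never above burst. */
static void rl_update(ratelim *rl, uint64_t now) {
  if (now <= rl->tstamp) return; /* clock did not advance */
  uint64_t d = now - rl->tstamp;
  rl->tstamp = now;
  uint64_t room = rl->burst - rl->val; /* tokens missing from the bucket */
  rl->val = (d > room / rl->rate) ? rl->burst : rl->val + d * rl->rate;
}

/* Spend n tokens; -1 means the budget is exhausted. */
static int rl_drain(ratelim *rl, uint64_t n) {
  if (rl->val < n) return -1;
  rl->val -= n;
  return 0;
}

/* Feed per_sec RST_STREAM frames each second for secs seconds on one connection.
   Returns frames accepted; *goaway = 1 at the first frame that finds the budget empty. */
static uint64_t resets_accepted(uint64_t per_sec, uint64_t secs, int *goaway) {
  ratelim rl;
  uint64_t accepted = 0;
  rl_init(&rl, 1000, 33); /* burst and rate from the advisory */
  *goaway = 0;
  for (uint64_t t = 1; t <= secs; t++) {
    rl_update(&rl, t);
    for (uint64_t i = 0; i < per_sec; i++) {
      if (rl_drain(&rl, 1) != 0) { *goaway = 1; return accepted; }
      accepted++;
    }
  }
  return accepted;
}

int main(void) {
  int g;
  uint64_t n = resets_accepted(100, 60, &g); /* constructed load: 100 resets/s */
  printf("accepted=%llu goaway=%d\n", (unsigned long long)n, g);
  return 0;
}
```

A connection that stays under the refill rate never drains the bucket, while a sustained rate above it is cut off after the burst plus whatever was refilled in the meantime.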