Format: 1.8
Date: Wed, 13 May 2026 20:41:28 +0200
Source: nghttp2
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 1.43.0-1+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Tomasz Buchert <tomasz@debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Closes: 1131369
Changes:
 nghttp2 (1.43.0-1+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
   * d/control: Add tzdata to Build-Depends (<!nocheck>)
     The util_localtime_date upstream unit test relies on Pacific/Auckland
     being resolvable via tzdata.