Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted nghttp2 1.64.0-1.1+deb13u1 (source) into stable-security
Date: Thu, 14 May 2026 08:43:21 +0000
Signed by: Aron Xu <aron@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 17:04:15 +0200
Source: nghttp2
Architecture: source
Version: 1.64.0-1.1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Tomasz Buchert <tomasz@debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Closes: 1131369
Changes:
 nghttp2 (1.64.0-1.1+deb13u1) trixie-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
Checksums-Sha1:
 2bace9a54aa2669f85232c8967da5895d06e9127 2201 nghttp2_1.64.0-1.1+deb13u1.dsc
 422ab3102d4d22ff363fbababe9f66e2ae38db45 1069782 nghttp2_1.64.0.orig.tar.gz
 3edbadb61b38b529ba29b86c566523d8f778c36d 42120 nghttp2_1.64.0-1.1+deb13u1.debian.tar.xz
 ae6aebd23ed337656be8bbbf9827bfc6681c51c1 5999 nghttp2_1.64.0-1.1+deb13u1_source.buildinfo
Checksums-Sha256:
 11f4603a9f417bc3d195be36cb462bb9df0657f52b72dd9276453a31bc0227c7 2201 nghttp2_1.64.0-1.1+deb13u1.dsc
 b452dc69a1fcbc9375389b8b154175d8b7b125cdd713fc426774c2b79a1ebd77 1069782 nghttp2_1.64.0.orig.tar.gz
 e16478701c5c007aa8761dc30c01090b2217199558bd1017b1d237db463d758c 42120 nghttp2_1.64.0-1.1+deb13u1.debian.tar.xz
 c8de19cabf5ffc01984ac11f3cbdf605b81946e4a9347859b01db6ec539a0dc0 5999 nghttp2_1.64.0-1.1+deb13u1_source.buildinfo
Files:
 88930e7f6370ca921c65239fdf5b0807 2201 httpd optional nghttp2_1.64.0-1.1+deb13u1.dsc
 a4c2bb361820eedd872af2a4192070b7 1069782 httpd optional nghttp2_1.64.0.orig.tar.gz
 d3feb46ee34764f33cda071b42ba46f0 42120 httpd optional nghttp2_1.64.0-1.1+deb13u1.debian.tar.xz
 77df3490bc876015032c4c557c95c61a 5999 httpd optional nghttp2_1.64.0-1.1+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEExq6D0hxncEPaPayX+GQ1dHE8m64FAmoEZCkACgkQ+GQ1dHE8
m67EPAgAnBi9BFFN1PM861wDhbVTTARhWm6qJzrnaPgosI2eeOt9vCqsBkQFvE14
PX/EBAppuctrWBlvbYQi7qWU0wvbV/VcOyMTFuu1rSGN7D/Cu/gZE5HctHeiDUt3
oRVVshk5ejKqNVIA/b2pj6TAN7oGUVe6fwVRiC0MvrL4QWwvdoHYV36zEssJPOLX
7MNuSlLPzKSN4XUvRoEw+Nk46ZZmHLGzCNk/Mmb7EU+rcpGdt5RQHXqJrgq5SpP3
a0JEF9hFV0ICwzwRUTZGdLO4uP2yVXAz/Sfj/XwjJG7yj//HfTvbpos8dpnz91rL
+S2JrSUKLlQGdlySrpS68MduVin8Ag==
=PvmV
-----END PGP SIGNATURE-----

News for package nghttp2