Format: 1.8
Date: Wed, 15 Apr 2026 16:23:22 +0200
Source: nghttp2
Architecture: source
Version: 1.52.0-1+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Tomasz Buchert <tomasz@debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Closes: 1131369
Changes:
 nghttp2 (1.52.0-1+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
Checksums-Sha1:
 8aef9f684058d7652e4bec0042d1fd0651d9baf8 2196 nghttp2_1.52.0-1+deb12u3.dsc
 9a3ef41846254f6ddbe541b50fe47065beb9cad9 21112 nghttp2_1.52.0-1+deb12u3.debian.tar.xz
 e3b298b5894d57b17fc203c379891bce74d73d9f 5991 nghttp2_1.52.0-1+deb12u3_source.buildinfo
Checksums-Sha256:
 d4fcb364e461616ef63cb0653a71f08a9ae23703d497745e90160ed7d1eda393 2196 nghttp2_1.52.0-1+deb12u3.dsc
 57aee32be437d31753cb36e6a518a48693f129cb884c17b0dcf323426331001d 21112 nghttp2_1.52.0-1+deb12u3.debian.tar.xz
 892fb79ca6aa9f3ace0d65b1b36ba8ebebd1b811a00006b9b85ec773d9e4e77f 5991 nghttp2_1.52.0-1+deb12u3_source.buildinfo
Files:
 eee52f14871a08e943752f298dd91381 2196 httpd optional nghttp2_1.52.0-1+deb12u3.dsc
 978bc18ebadd4573e163a21bfe977a57 21112 httpd optional nghttp2_1.52.0-1+deb12u3.debian.tar.xz
 dcba13d9a7cdd8a023312dc18a61f08a 5991 httpd optional nghttp2_1.52.0-1+deb12u3_source.buildinfo