-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 15 Apr 2026 17:04:15 +0200 Source: nghttp2 Binary: libnghttp2-14 libnghttp2-14-dbgsym libnghttp2-dev nghttp2-client nghttp2-client-dbgsym nghttp2-proxy nghttp2-proxy-dbgsym nghttp2-server nghttp2-server-dbgsym Architecture: amd64 Version: 1.64.0-1.1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) Changed-By: Lukas Märdian Description: libnghttp2-14 - library implementing HTTP/2 protocol (shared library) libnghttp2-dev - library implementing HTTP/2 protocol (development files) nghttp2-client - client implementing HTTP/2 protocol nghttp2-proxy - reverse proxy implementing HTTP/2 protocol nghttp2-server - server implementing HTTP/2 protocol Closes: 1131369 Changes: nghttp2 (1.64.0-1.1+deb13u1) trixie-security; urgency=medium . * Non-maintainer upload by the Security Team. * CVE-2026-27135 (Closes: #1131369) Fix missing iframe->state validations to avoid assertion failure. * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b) Checksums-Sha1: ce7246d48230cf376edc662abd3f46e44c9d1e99 228024 libnghttp2-14-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 5e221d7a3f04f19acb50ae187d26aa7bbcf0d924 76188 libnghttp2-14_1.64.0-1.1+deb13u1_amd64.deb 26c38f7eb7c93b85135fff86b150114ea8f905aa 116548 libnghttp2-dev_1.64.0-1.1+deb13u1_amd64.deb e0986798ad5dfbf01b4522f5fb3271cc10a98076 2234692 nghttp2-client-dbgsym_1.64.0-1.1+deb13u1_amd64.deb df64b05d15a5676c6602c03b24738dc5bb099e4f 190984 nghttp2-client_1.64.0-1.1+deb13u1_amd64.deb 833309c66a141fc8b11a9f4b96d1263c5a440f30 6290064 nghttp2-proxy-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 28f393720539e84383173f0f121c3cda6e1aae76 429588 nghttp2-proxy_1.64.0-1.1+deb13u1_amd64.deb 79d47ba185d5083ca95391ebc240fb2ea18809ad 1147068 nghttp2-server-dbgsym_1.64.0-1.1+deb13u1_amd64.deb ba804aa09fd66eaa43c11f91da85058a77af3adc 112132 nghttp2-server_1.64.0-1.1+deb13u1_amd64.deb 00dabf34417b580816529190529f1b769bcd56b7 8709 nghttp2_1.64.0-1.1+deb13u1_amd64-buildd.buildinfo Checksums-Sha256: cf273c8ce0340e50751fd784e125ea69d49b5a13aedb87e90beaa7499e656a97 228024 libnghttp2-14-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 896cb217537c09251fb909b8541349010ac279d802d871e98c06a62a2c67ce2c 76188 libnghttp2-14_1.64.0-1.1+deb13u1_amd64.deb 8729ae4b34c3884ecd068c66a7643a1c7a5a89597b9d8879bac85ec335df6179 116548 libnghttp2-dev_1.64.0-1.1+deb13u1_amd64.deb 3f7704de0cc7bd1cfece1356b97c780025e051e804c508897a413fd0007cb290 2234692 nghttp2-client-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 6314da27e84536d5b48915c289ca79395358add3fcef228e3064c37dbb9c5149 190984 nghttp2-client_1.64.0-1.1+deb13u1_amd64.deb ada45f273f2e0aa7d1d1c201218334038387e8d27125f459d174c9e737bf163d 6290064 nghttp2-proxy-dbgsym_1.64.0-1.1+deb13u1_amd64.deb a0608c185fa851e6cbb8a47f90ab260f1626b47848d2f7f7cc4a1387d71500b2 429588 nghttp2-proxy_1.64.0-1.1+deb13u1_amd64.deb e2580713d84f56fa88df7753f97feb9ad7e018266b5e649175cc90315e9d2df0 1147068 nghttp2-server-dbgsym_1.64.0-1.1+deb13u1_amd64.deb c8fa0464aa67f958450c6894f7dd5b773a962ee21d0f8617d77ab5573b07552a 112132 nghttp2-server_1.64.0-1.1+deb13u1_amd64.deb e077e59a64c70629d016c2a3347f03e68a7d3bec9f3094c9b2d1f89eaebb6559 8709 nghttp2_1.64.0-1.1+deb13u1_amd64-buildd.buildinfo Files: cb57c5a2da73dc39b347cc899d2c496f 228024 debug optional libnghttp2-14-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 3650643a734bbd58529afd0493d181b2 76188 libs optional libnghttp2-14_1.64.0-1.1+deb13u1_amd64.deb 4f577fbe487d0e32999c00d69caa9c11 116548 libdevel optional libnghttp2-dev_1.64.0-1.1+deb13u1_amd64.deb d0be41ee38fc57f49ef1876c6a824df5 2234692 debug optional nghttp2-client-dbgsym_1.64.0-1.1+deb13u1_amd64.deb abfd545955fb64a325493cd59e8187d7 190984 httpd optional nghttp2-client_1.64.0-1.1+deb13u1_amd64.deb c5b9156d6924f387ab33cdcb7bd05a64 6290064 debug optional nghttp2-proxy-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 25d6319fd1f11ac89d2cdd49d2f56df2 429588 httpd optional nghttp2-proxy_1.64.0-1.1+deb13u1_amd64.deb 8c26d0e179031283920877968e247afd 1147068 debug optional nghttp2-server-dbgsym_1.64.0-1.1+deb13u1_amd64.deb 4c307d0d4cd30baaec0c0af55ab26131 112132 httpd optional nghttp2-server_1.64.0-1.1+deb13u1_amd64.deb 2a0b82fc6c83af8f2405fbd4c7ad7756 8709 httpd optional nghttp2_1.64.0-1.1+deb13u1_amd64-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmoEbiwACgkQTwt/65ON 6zf7Aw//bG66RMp9DuMIxAVN+G6O0NquIQ6T0kxy6t2WQF0sZ8nUg54X+NdlQjDB WsuOHipyJnJxAs1E+Ul0SlEOQzifBqhwWcfuXnquxzUXuFFHVgs1sN0NsBQPOc5J PavS+Aq16JIufpzoD+6lTFo0wm4gb4TR8s7wxNLszti6Oib0uAbOCpxQ4wyXcYje gGsOzDPJ5/KxMMZgqMCBhmqUvi4X7xJ/CKkWg3WSO1nUljFHkeWygQBusWKEtWQI S/Cniiwe9WFN8Q+SPCXqUVUDYkXhw7wABVZJfxxifxoefBHuW8n8dJIfwhPjw0Sa Mw/4Y9bRJcF5YV9opX8aGjZZN5K3J88u/HiT2uiAjxu8yRChASDQnwYvNwlkbY5C U6uCrPAb+gdITmkxOi/YNfoLq7mD1A5xtKOsfmImR5qHKArJjAOjdz5wapFgsIv8 wZM5zl3MM6tlRR/gcCFWpWmizWgMWVib71qQUs2lhJx+2pvhcPkY93KTpO43A6fw zkbcp2jdhreuQu2BWQzhbaGebo0lEQ5Ak9N4r+X2tpXXjU/XOORkA6vt/2bdiQUZ yUgU5vkHZdVBC1lu17IFJ3dyz6LJfL4gM3HFy589JDybfSwF5CuivJZzTiDp8bIq Z9zOdi1BpK1qRNcuEdTeMJlseK5HzVm+pKmoFg5aCDYAvEEh7g8= =Sqnj -----END PGP SIGNATURE-----