-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 16:23:22 +0200
Source: nghttp2
Binary: libnghttp2-14 libnghttp2-14-dbgsym libnghttp2-dev nghttp2-client nghttp2-client-dbgsym nghttp2-proxy nghttp2-proxy-dbgsym nghttp2-server nghttp2-server-dbgsym
Architecture: amd64
Version: 1.52.0-1+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Description:
 libnghttp2-14 - library implementing HTTP/2 protocol (shared library)
 libnghttp2-dev - library implementing HTTP/2 protocol (development files)
 nghttp2-client - client implementing HTTP/2 protocol
 nghttp2-proxy - reverse proxy implementing HTTP/2 protocol
 nghttp2-server - server implementing HTTP/2 protocol
Closes: 1131369
Changes:
 nghttp2 (1.52.0-1+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
Checksums-Sha1:
 f401db68b5eb99ca968d454e6045891fcff75053 218752 libnghttp2-14-dbgsym_1.52.0-1+deb12u3_amd64.deb
 e35bcaf0ddc405d51b4ce9db24957bfa3084dc96 72404 libnghttp2-14_1.52.0-1+deb12u3_amd64.deb
 0496e5ffea8732c983efac0f4b2476d502182bd1 110824 libnghttp2-dev_1.52.0-1+deb12u3_amd64.deb
 13da06b04c5da4a849498f464e9a0e16b35a6b2f 2011188 nghttp2-client-dbgsym_1.52.0-1+deb12u3_amd64.deb
 4f2023d831c27eac33ec17ade5e41177efdb5dfa 171548 nghttp2-client_1.52.0-1+deb12u3_amd64.deb
 9364a62c65857ba6975d8471eae5061f980524f5 5885108 nghttp2-proxy-dbgsym_1.52.0-1+deb12u3_amd64.deb
 3ab17849873c4b807226d52b7adb69e14104ab98 398356 nghttp2-proxy_1.52.0-1+deb12u3_amd64.deb
 5dd6f4b15d19351755b107203e20df9537a1e63f 954752 nghttp2-server-dbgsym_1.52.0-1+deb12u3_amd64.deb
 0eff44b930a95fc0733dab6d59b9ba7b248ee018 98412 nghttp2-server_1.52.0-1+deb12u3_amd64.deb
 2d1f5681558ed393a59a27538cd05d7a35bb7468 9067 nghttp2_1.52.0-1+deb12u3_amd64-buildd.buildinfo
Checksums-Sha256:
 b7538dabcb197468c11bf5d191615a2ddb199ca57fe9171d08b51a4eeb0fc05d 218752 libnghttp2-14-dbgsym_1.52.0-1+deb12u3_amd64.deb
 5a5736cee57e51c1baed869979e6ecdbc6495e939e33203d6cfe3b6e5a149e3f 72404 libnghttp2-14_1.52.0-1+deb12u3_amd64.deb
 6a3271848f92406b002acf57babea070b7b5d15f035f3efd16adb12d25ea648f 110824 libnghttp2-dev_1.52.0-1+deb12u3_amd64.deb
 a4072bca9523ea699d23755d0f2f98dd1dc23f06da0f1a4138803ea384ed1cac 2011188 nghttp2-client-dbgsym_1.52.0-1+deb12u3_amd64.deb
 ab4037b81496ff5736a0d56f2400f37342f9cd52604dba790b304609a1e7c218 171548 nghttp2-client_1.52.0-1+deb12u3_amd64.deb
 8f24d3b21432f1f74be3ac357005869db279b6631caaf7e3dce4dfb030420f9c 5885108 nghttp2-proxy-dbgsym_1.52.0-1+deb12u3_amd64.deb
 231555507c41eeb89c00b1d76a4862dc397a1536f28295d49407dac27fb00b54 398356 nghttp2-proxy_1.52.0-1+deb12u3_amd64.deb
 c8cbdc6b2f35bd64c6ba29bc0caede9f07885781ca02b895867b6e83f402008a 954752 nghttp2-server-dbgsym_1.52.0-1+deb12u3_amd64.deb
 33ed2f8c252f8ccb9499fca7cb65f61a92ff7089be1b734f655df403eac9af9e 98412 nghttp2-server_1.52.0-1+deb12u3_amd64.deb
 ee30d33b70dcdea73a044d4a8387466f70d11438f34785b8d5e657dea9482355 9067 nghttp2_1.52.0-1+deb12u3_amd64-buildd.buildinfo
Files:
 2e83b94ed16a4f3c0a2c940d028fa54d 218752 debug optional libnghttp2-14-dbgsym_1.52.0-1+deb12u3_amd64.deb
 d681e56846f2d3d68a237da84943b2d9 72404 libs optional libnghttp2-14_1.52.0-1+deb12u3_amd64.deb
 079c72eec7a17996e2f962de5d87d2ba 110824 libdevel optional libnghttp2-dev_1.52.0-1+deb12u3_amd64.deb
 681e456028904e690d8ae2f0c9b2e245 2011188 debug optional nghttp2-client-dbgsym_1.52.0-1+deb12u3_amd64.deb
 011e4810e840a957efe46cbe55270b66 171548 httpd optional nghttp2-client_1.52.0-1+deb12u3_amd64.deb
 fba3ce2400bb8dc3362b02a4af1a9ccb 5885108 debug optional nghttp2-proxy-dbgsym_1.52.0-1+deb12u3_amd64.deb
 a7fb411bdf6ee79bfd24b1d8fab387c9 398356 httpd optional nghttp2-proxy_1.52.0-1+deb12u3_amd64.deb
 771ec2f449c2503133686860a4f1e8e5 954752 debug optional nghttp2-server-dbgsym_1.52.0-1+deb12u3_amd64.deb
 6a325d842e5c28f64f8798d77578a920 98412 httpd optional nghttp2-server_1.52.0-1+deb12u3_amd64.deb
 7a344440f3aff64a8ec17c980a14f164 9067 httpd optional nghttp2_1.52.0-1+deb12u3_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmoEbeIACgkQTwt/65ON
6zeK6BAAk1/FbDA82exy262XNiwsdEGGREVcTUSii1znS7iR6sjKfAdow76hH2fC
BRV82AbGaAwWoCn8stgzdik2cfc97IMRRdxtTE8NrbQNhPv7XVJP+p0t5jlWWckt
J7YXpzUZu84BFjT4GtWl/2tTlfvm/bS+oXpAQ06nNEoVrO9ZNPESi+SPvqOxgaZ9
EhNdECeCFLhL75gflKFjfW0vaJQn8yxQHa03gVVEZkqALPNbLtOiexoa0ejsH6nn
aeMzlnaQlZsqqJOujCKjCjrRaTeNFfoFJYsllT53Hek0fU2Cnt/X8hasZEq7RZzR
tVKEBBuagDojGFNp8unbgV4yw23lJlBwLF8auGRsv0rNcFQsYVeipLylY8TLhhp2
p/tP21ifAE5yGzSEM30b5uV3mkyeQVcrNPPhBv6M5ckfFCKzgDQZaBhQDwradGZi
n+XuPoT2qY5dSEm0VicpQLbpkbEWTBKir/3U/Qz1pXoNRNamCuHb18AmHkfr/nEC
3L5pHjsTgtQLlbvgn6hwZ+K+Fl4EffTS9qcacnSnDql/T5bZBm/swcZG8EUz00oW
/KHlgGwYZH9JrglaapNyppGbs9u2qRwXzaNBMWms7pYXr7MGW6x1EousQ08d4c4y
98LsEP5LC1Cw7puTdbiLowyVlMNswsSIC5df5j7ayvRAxyevEDw=
=eFbg
-----END PGP SIGNATURE-----