-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 17:04:15 +0200
Source: nghttp2
Binary: libnghttp2-doc nghttp2
Architecture: all
Version: 1.64.0-1.1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Description:
 libnghttp2-doc - library implementing HTTP/2 protocol (documentation)
 nghttp2    - server, proxy and client implementing HTTP/2
Closes: 1131369
Changes:
 nghttp2 (1.64.0-1.1+deb13u1) trixie-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
Checksums-Sha1:
 a1b32b047d5429db203c1cdbb470c0cdf5cabbb4 3079640 libnghttp2-doc_1.64.0-1.1+deb13u1_all.deb
 dc530b1fff07ee0bb9b84091e2733478fbfcd0b1 7994 nghttp2_1.64.0-1.1+deb13u1_all-buildd.buildinfo
 b083537ed7f37db78bc5e80c13755c2be866aa73 8772 nghttp2_1.64.0-1.1+deb13u1_all.deb
Checksums-Sha256:
 c95f32fb6b597d31951d91bd4a9a02b6a9cb86027cd8c017146ce4b6b9a1d1f1 3079640 libnghttp2-doc_1.64.0-1.1+deb13u1_all.deb
 7faf6d4410f40bcba4ed1bd50a66a3c8b646bce9e1c86824cf64789a24de0094 7994 nghttp2_1.64.0-1.1+deb13u1_all-buildd.buildinfo
 c454bc58f9063d930b61c88a9252bf911c3f2df9e51d05e5db5f4456180cc482 8772 nghttp2_1.64.0-1.1+deb13u1_all.deb
Files:
 0f5d164b3a72d1464e97d75ab571183a 3079640 doc optional libnghttp2-doc_1.64.0-1.1+deb13u1_all.deb
 c378ba62363d5eb18e7c6739ee5ddffe 7994 httpd optional nghttp2_1.64.0-1.1+deb13u1_all-buildd.buildinfo
 e8b5eaaa0747b4c205b522c5b3208c88 8772 httpd optional nghttp2_1.64.0-1.1+deb13u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5ZI1lXv5WjhHIVjsN8Ugyu9dQiQFAmoEbpMACgkQN8Ugyu9d
QiRNmRAAssjyalx1bYVxNT72q+m5/VGzlqB9luwEl21uNKhMWDiYQO+b2S1VFTlO
VIYD0KncKHMAG4VdU6a0H+aFMVt8gMbMip2fECiwm/KkHkHDS96ZhiJlZgegQ/MU
8Y7BMpgSgml8F4RCe+kbQFsxBEm+xakmjt1BOc8OBmVFCVapYhz9VCdkoavs702J
9URa4W3GWkF8JKaCCDiWuSR9Gt2nkPcfMU34ZkhvzBttBi4WPQGtJ9vpUmiSjKxA
4gMf5Kfp/IDciOrz+mJTCQQKhvbtW0CmncVO9pGqL6zoVUEuqDQHnyHo6AvJWw/m
/o5h74BHM9NsTwbwDmCuFCq1CZCPSYSuVcANeDOkIaNTK6PgWjvHf/3ydRm9sNy3
5Jw+iFubelbzeURzjF5GgdRtwQzyMEw//cvsVEP6JFRmsFPQYEcWlmbIGe+79Nwj
NMmEhQ5AiBU6y6Fv0fRtjCfUSw7jTPSTK467gOKPyF/fyk6rxeu/0UkrK27MHc3N
j1B4ilj7G7Xe6zEjxXZPJf7Vq21UssbYvQH3Iqq3YH/0qysGHsYfUx0mP8JSx3oD
azHLcbL/Vo46HTAmP/oYr69yV1Jvg200snxxPEAUqDnuieYaw6LI28d4T4o0yY1J
PwCLR9dW5jTta8Ws5CGC1vc6uZwhwywdiqtAVMnsdHp3wRf9SEY=
=N5Jc
-----END PGP SIGNATURE-----