-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 17:04:15 +0200
Source: nghttp2
Binary: libnghttp2-14 libnghttp2-14-dbgsym libnghttp2-dev nghttp2-client nghttp2-client-dbgsym nghttp2-proxy nghttp2-proxy-dbgsym nghttp2-server nghttp2-server-dbgsym
Architecture: arm64
Version: 1.64.0-1.1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: arm64 Build Daemon (arm-conova-03) <buildd_arm64-arm-conova-03@buildd.debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Description:
 libnghttp2-14 - library implementing HTTP/2 protocol (shared library)
 libnghttp2-dev - library implementing HTTP/2 protocol (development files)
 nghttp2-client - client implementing HTTP/2 protocol
 nghttp2-proxy - reverse proxy implementing HTTP/2 protocol
 nghttp2-server - server implementing HTTP/2 protocol
Closes: 1131369
Changes:
 nghttp2 (1.64.0-1.1+deb13u1) trixie-security; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
Checksums-Sha1:
 9a8271923676102d2d77a1f51ca5c2922d767513 228980 libnghttp2-14-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 e0b30b461a3e305d3e12453faca5624f9bb19694 71604 libnghttp2-14_1.64.0-1.1+deb13u1_arm64.deb
 bc11e09c95bf3fa43c54022c16d9493d593fd346 112428 libnghttp2-dev_1.64.0-1.1+deb13u1_arm64.deb
 112986b1888c88f63e4c0af95cd9dfe761f1bc1d 2168148 nghttp2-client-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 a2ea16e6b5b9dd1a174471990731282750707982 169036 nghttp2-client_1.64.0-1.1+deb13u1_arm64.deb
 9ad6fe92d0bab3849a92042c364a002265b5f509 6192404 nghttp2-proxy-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 d855f72b66c653d560ab788f8a27f6dac7ba0611 384256 nghttp2-proxy_1.64.0-1.1+deb13u1_arm64.deb
 70d93bb9c7ca96b24ef6d46aa4e9f14cb11a608c 1120944 nghttp2-server-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 46058d7d290e34aa2b5f0d954860095cd2828462 100312 nghttp2-server_1.64.0-1.1+deb13u1_arm64.deb
 a6dbbffbf9d89042e5763822aa0ebd25d6ea12fa 8696 nghttp2_1.64.0-1.1+deb13u1_arm64-buildd.buildinfo
Checksums-Sha256:
 543d43a843547cd9bb283750ef6f7fc40803cea0d472fc610a5ed67a7916580a 228980 libnghttp2-14-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 ca222b98d5bef2193c05a1e736d0619798ba7a8f8e92526f3e1d06edcd0bf751 71604 libnghttp2-14_1.64.0-1.1+deb13u1_arm64.deb
 361de4929817975feff6363a896734ac32de74418a5a75c32b05b3d7e81d74a8 112428 libnghttp2-dev_1.64.0-1.1+deb13u1_arm64.deb
 09ccfd3c75599aeb559a178deeb929fde030420169e46b08a52b2413ecc1cad1 2168148 nghttp2-client-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 ab6ea0df876b0a6180de0402331fdcdbfb5f55ac0b24967b80c9d077e472adec 169036 nghttp2-client_1.64.0-1.1+deb13u1_arm64.deb
 721e74d8375c5a84bfb7aef4955cda7ec7b729edffdbaef259acd258ac5825b4 6192404 nghttp2-proxy-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 674e4975ff6657e34e404a5c0bbbeec1139ec08de96576f09b038022587c7870 384256 nghttp2-proxy_1.64.0-1.1+deb13u1_arm64.deb
 6dfdb7bc68766ab9b495fc9102af9e77c15013cc6d9232fefd740d3a00b251b4 1120944 nghttp2-server-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 3142179e9796642514acf7a2d5138966e10c3f74fc07a33d6644bcf058848782 100312 nghttp2-server_1.64.0-1.1+deb13u1_arm64.deb
 f1fca96ca552a2b941e59cef01ee1ddf5913f23302f6b3eb89765bca7e6459de 8696 nghttp2_1.64.0-1.1+deb13u1_arm64-buildd.buildinfo
Files:
 8f46c5f7faa7090d4c3f868437591e04 228980 debug optional libnghttp2-14-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 4a8c3ff02286da3016035bdb03405d41 71604 libs optional libnghttp2-14_1.64.0-1.1+deb13u1_arm64.deb
 9c2fad61192952faf501303a36958cfc 112428 libdevel optional libnghttp2-dev_1.64.0-1.1+deb13u1_arm64.deb
 9804925c2e1d19f04dd6014decef8cfd 2168148 debug optional nghttp2-client-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 53ccf7d8fd635dfb20e0b2bbf6ed1d67 169036 httpd optional nghttp2-client_1.64.0-1.1+deb13u1_arm64.deb
 04269ded02ee4dc49d5bfde876a3536a 6192404 debug optional nghttp2-proxy-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 959f8c62b93039c9cef5b070280e2827 384256 httpd optional nghttp2-proxy_1.64.0-1.1+deb13u1_arm64.deb
 25c089a475cbd2cde89c4909b885baf1 1120944 debug optional nghttp2-server-dbgsym_1.64.0-1.1+deb13u1_arm64.deb
 fd94422fa9051a9c71d8edfb83b0e5a0 100312 httpd optional nghttp2-server_1.64.0-1.1+deb13u1_arm64.deb
 3fc25ce835aa1278c0d1ab58dae687ce 8696 httpd optional nghttp2_1.64.0-1.1+deb13u1_arm64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElFiH1oZRZh1t4FSiXVp1sEH/1mIFAmoEbk0ACgkQXVp1sEH/
1mLpvQ/8Crc2vXETuna9WNCvrKGAO9ncKgN6y9YhhJH4D64t5vLBkqyKhuGomXHf
jnPFi9/jFDRk+WhS/UVTTSB17QWLR32MLD2G/ZRKhA5xO6Q4AWQrJOpjkqagsb4n
oPyqDoifDdgCImmZOt1FS1vVgXXDDzFQWwvfZLSqUyx+LxLW1jqd8MdowvHfIeMd
wHZWEyXEj8WyRiBe3XDWCm+IKDZ/HYFth6sz3AzAfzSr4OYFT741IfjjylOfI4OV
Ko5Y8KP98576Gmy1LLgXv5poAbCw7klZKyGupZHHZuCCvUrh+iky6JTouAk2/X1H
Pci/D88zxsunM3PWQi/K5OwhZ7p7qCRrU5J5ovNl0vacWM3IF0rrDOMvDD5sfZpb
WwsEJrTss2Aa3ScCLeZ6Mi/DI3xcYKUtTwO+rihcDE6mNXvJ/AqV27AOK3nsaEfR
JlVwrhXSAY3eTBx7SJMMqQSl5rtz6OK607p97dCwBZiYqGjEf1m9XYUFw16afb/M
ZIn/nIHssQzjRPCb9bCch8odCNYTiuBOTLmxrwp08VC+ofW17kyy+eeotzcyZDYi
44Nez3L1gkezPFMvCSlYDptR4Y2dVE/Sxqf+sRn8fOKXh6OcXUT9tnjH8qm93Bv/
U2QMECLskB0eT9k8QfCxRLOLjB2D/YOuZzt3nXvnfxiJP5ZuxtA=
=4wjz
-----END PGP SIGNATURE-----