-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 16:23:22 +0200
Source: nghttp2
Architecture: source
Version: 1.52.0-1+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Tomasz Buchert <tomasz@debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Closes: 1131369
Changes:
 nghttp2 (1.52.0-1+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2026-27135 (Closes: #1131369)
     Fix missing iframe->state validations to avoid assertion failure.
   * Add test for CVE-2026-27135 (cherry-picked from upstream c619c7b)
Checksums-Sha1:
 8aef9f684058d7652e4bec0042d1fd0651d9baf8 2196 nghttp2_1.52.0-1+deb12u3.dsc
 9a3ef41846254f6ddbe541b50fe47065beb9cad9 21112 nghttp2_1.52.0-1+deb12u3.debian.tar.xz
 e3b298b5894d57b17fc203c379891bce74d73d9f 5991 nghttp2_1.52.0-1+deb12u3_source.buildinfo
Checksums-Sha256:
 d4fcb364e461616ef63cb0653a71f08a9ae23703d497745e90160ed7d1eda393 2196 nghttp2_1.52.0-1+deb12u3.dsc
 57aee32be437d31753cb36e6a518a48693f129cb884c17b0dcf323426331001d 21112 nghttp2_1.52.0-1+deb12u3.debian.tar.xz
 892fb79ca6aa9f3ace0d65b1b36ba8ebebd1b811a00006b9b85ec773d9e4e77f 5991 nghttp2_1.52.0-1+deb12u3_source.buildinfo
Files:
 eee52f14871a08e943752f298dd91381 2196 httpd optional nghttp2_1.52.0-1+deb12u3.dsc
 978bc18ebadd4573e163a21bfe977a57 21112 httpd optional nghttp2_1.52.0-1+deb12u3.debian.tar.xz
 dcba13d9a7cdd8a023312dc18a61f08a 5991 httpd optional nghttp2_1.52.0-1+deb12u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEExq6D0hxncEPaPayX+GQ1dHE8m64FAmoEaLkACgkQ+GQ1dHE8
m67Buwf+M8c4mqIC5LgiKwM6my0W1T3xH+oz7MeI6gOwrE7QQnR7vYoiFN7NoCVy
yLgLzfpaIOzHvy0MGsflu0GXTWIFkASf4JD6/p04eiFfuz0/ikNNJzbTaJfkMOHT
vbwPXvfOH7aiWeRAKC8iD8EO4/ta9JHHaB7y1M061minBhhJBt0QTxpIK0phadbr
Ik9wo9FS4xRiaT97A1UT+fr1sNkw7IXzl5gmMKe1DLFLe3dhWgmvlkIpHS98eCQL
/XhQMSd4ULVa/RH1n542UWCUlwejI53wGt4D7MX/wJ5fl8eDjoRVSOoMOH7HOR70
0xW5CmACWu512L7mu7W/JOv3UBZK+g==
=f1zz
-----END PGP SIGNATURE-----