Debian Patches
Status for nginx/1.22.1-9+deb12u3
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
0003-define_gnu_source-on-other-glibc-based-platforms.patch | Use _GNU_SOURCE on GNU/kFreeBSD. Define _GNU_SOURCE not only on GNU/Hurd, but also other glibc-based platforms including GNU/kFreeBSD. modified by jan.mojzis@gmail.com | Steven Chamberlain <stevenc@debian.org> | yes | | | 2016-07-16 |
nginx-fix-pidfile.patch | Fix NGINX pidfile handling | Tj <ubuntu@iam.tj> | no | debian | | 2020-06-24 |
nginx-ssl_cert_cb_yield.patch | # HG changeset patch # User Yichun Zhang <agentzh@openresty.org> # Date 1451762084 28800 # Sat Jan 02 11:14:44 2016 -0800 # Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd # Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom callbacks to serve the SSL certificates and private keys dynamically and lazily. The callbacks may yield for nonblocking I/O or sleeping. Here we added support for such usage in NGINX 3rd-party modules (like ngx_lua) in NGINX's event handlers for downstream SSL connections. | | no | | https://github.com/openresty/openresty/blob/master/patches/nginx-1.21.4-ssl_cert_cb_yield.patch | |
bug-1024605.patch | SSI: handling of subrequests from other modules | User Ciel Zhao <i@ciel.dev> | not-needed | debian | https://hg.nginx.org/nginx/raw-rev/49e7db44b57c | 2022-11-21 |
bug-973861.patch | [PATCH] Lingering close for connections with pipelined requests. This is expected to help with clients using pipelining with some constant depth, such as apt[1][2]. When downloading many resources, apt uses pipelining with some constant depth, a number of requests in flight. This essentially means that after receiving a response it sends an additional request to the server, and this can result in requests arriving to the server at any time. Further, additional requests are sent one-by-one, and can be easily seen as such (neither as pipelined, nor followed by pipelined requests). The only safe approach to close such connections (for example, when keepalive_requests is reached) is with lingering. To do so, now nginx monitors if pipelining was used on the connection, and if it was, closes the connection with lingering. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973861#10 [2] https://mailman.nginx.org/pipermail/nginx-devel/2023-January/ZA2SP5SJU55LHEBCJMFDB2AZVELRLTHI.html | Maxim Dounin <mdounin@mdounin.ru> | not-needed | | https://hg.nginx.org/nginx/rev/cffaf3f2eec8 | 2023-02-02 |
CVE-2025-23419.patch | CVE-2025-23419. In OpenSSL, session resumption always happens in the default SSL context, prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older protocols, SSL_get_servername() returns values received in the resumption handshake, which may be different from the value in the initial handshake. Notably, this makes the restriction added in b720f65 insufficient for sessions resumed with different SNI server name. Considering the example from b720f65, previously, a client was able to request example.org by presenting a certificate for example.org, then to resume and request example.com. The fix is to reject handshakes resumed with a different server name, if verification of client certificates is enabled in a corresponding server configuration. | Jan Mojžíš <jan.mojzis@gmail.com> | no | | https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e | 2025-02-17 |
CVE-2024-7347-1.patch | Mp4: fixed buffer underread while updating stsz atom. While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer overflow could happen, which could result in incorrect seeking and a very large value stored in "samples". This resulted in a large invalid value of trak->end_chunk_samples. This value is further used to calculate the value of trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing this, a large invalid value of trak->end_chunk_samples could result in reading memory before stsz atom start. This could potentially result in a segfault. | Roman Arutyunyan <arut@nginx.com> | no | | upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4 | 2024-08-12 |
CVE-2024-7347-2.patch | Mp4: rejecting unordered chunks in stsc atom. Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() this caused buffer overread while trying to calculate trak->end_offset. | Roman Arutyunyan <arut@nginx.com> | no | | upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f | 2024-08-12 |
CVE-2025-53859.patch | CVE-2025-53859 diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c index 1167df3fb..d3be7f3b3 100644 | | not-needed | debian | https://nginx.org/download/patch.2025.smtp.txt | |
All known versions for source package 'nginx'
- 1.28.0-6 (sid)
- 1.28.0-5 (forky)
- 1.26.3-3+deb13u1 (trixie)
- 1.22.1-9+deb12u3 (bookworm)