Debian Patches

Status for nginx/1.22.1-9+deb12u7

Patch Description Author Forwarded Bugs Origin Last update
0003-define_gnu_source-on-other-glibc-based-platforms.patch Use _GNU_SOURCE on GNU/kFreeBSD
Define _GNU_SOURCE not only on GNU/Hurd, but also other glibc-based
platforms including GNU/kFreeBSD.

modified by jan.mojzis@gmail.com
===================================================================
Steven Chamberlain <stevenc@debian.org> yes 2016-07-16
nginx-fix-pidfile.patch Fix NGINX pidfile handling Tj <ubuntu@iam.tj> no debian 2020-06-24
nginx-ssl_cert_cb_yield.patch # HG changeset patch
# User Yichun Zhang <agentzh@openresty.org>
# Date 1451762084 28800
# Sat Jan 02 11:14:44 2016 -0800
# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4

OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
callbacks to serve the SSL certificates and private keys dynamically
and lazily. The callbacks may yield for nonblocking I/O or sleeping.
Here we added support for such usage in NGINX 3rd-party modules
(like ngx_lua) in NGINX's event handlers for downstream SSL
connections.
no https://github.com/openresty/openresty/blob/master/patches/nginx-1.21.4-ssl_cert_cb_yield.patch
bug-1024605.patch SSI: handling of subrequests from other modules User Ciel Zhao <i@ciel.dev> not-needed debian https://hg.nginx.org/nginx/raw-rev/49e7db44b57c 2022-11-21
bug-973861.patch Lingering close for connections with pipelined requests.
This is expected to help with clients using pipelining with some constant
depth, such as apt[1][2].

When downloading many resources, apt uses pipelining with some constant
depth, a number of requests in flight. This essentially means that after
receiving a response it sends an additional request to the server, and
this can result in requests arriving to the server at any time. Further,
additional requests are sent one-by-one, and can be easily seen as such
(neither as pipelined, nor followed by pipelined requests).

The only safe approach to close such connections (for example, when
keepalive_requests is reached) is with lingering. To do so, now nginx
monitors if pipelining was used on the connection, and if it was, closes
the connection with lingering.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973861#10
[2] https://mailman.nginx.org/pipermail/nginx-devel/2023-January/ZA2SP5SJU55LHEBCJMFDB2AZVELRLTHI.html
Maxim Dounin <mdounin@mdounin.ru> not-needed https://hg.nginx.org/nginx/rev/cffaf3f2eec8 2023-02-02
CVE-2025-23419.patch CVE-2025-23419
In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f65 insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f65, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.
Jan Mojžíš <jan.mojzis@gmail.com> no https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e 2025-02-17
CVE-2024-7347-1.patch Mp4: fixed buffer underread while updating stsz atom.
While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
overflow could happen, which could result in incorrect seeking and a very large
value stored in "samples". This resulted in a large invalid value of
trak->end_chunk_samples. This value is further used to calculate the value of
trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing
this, a large invalid value of trak->end_chunk_samples could result in reading
memory before stsz atom start. This could potentially result in a segfault.
Roman Arutyunyan <arut@nginx.com> no upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4 2024-08-12
CVE-2024-7347-2.patch Mp4: rejecting unordered chunks in stsc atom.
Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom()
this caused buffer overread while trying to calculate trak->end_offset.
Roman Arutyunyan <arut@nginx.com> no upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f 2024-08-12
CVE-2025-53859.patch CVE-2025-53859
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index 1167df3fb..d3be7f3b3 100644
not-needed debian https://nginx.org/download/patch.2025.smtp.txt
CVE-2026-1642.patch Upstream: detect premature plain text response from SSL backend.
When connecting to a backend, the connection write event is triggered
first in most cases. However if a response arrives quickly enough, both
read and write events can be triggered together within the same event loop
iteration. In this case the read event handler is called first and the
write event handler is called after it.

SSL initialization for backend connections happens only in the write event
handler since SSL handshake starts with sending Client Hello. Previously,
if a backend sent a quick plain text response, it could be parsed by the
read event handler prior to starting SSL handshake on the connection.
The change adds protection against parsing such responses on SSL-enabled
connections.
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e 2026-01-29
CVE-2026-27651.patch Mail: fixed clearing s->passwd in auth http requests.
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response. This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.

Reported by Arkadi Vainbrand.
Sergey Kandaurov <pluknet@nginx.com> no https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c 2026-03-18
CVE-2026-27654.patch Dav: destination length validation for COPY and MOVE.
Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 2026-03-16
CVE-2026-27784.patch Mp4: fixed possible integer overflow on 32-bit platforms.
Previously, a 32-bit overflow could happen while validating atom entries
count. This allowed processing of an invalid atom with entries beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018 2026-03-02
CVE-2026-28753.patch Mail: host validation.
Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5. The validation allows
avoiding injections when using the resolved host name in auth_http and
smtp proxy.

Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f 2026-02-26
CVE-2026-28755.patch Stream: fixed client certificate validation with OCSP.
Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.
Sergey Kandaurov <pluknet@nginx.com> no https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 2026-03-17
CVE-2026-32647.patch Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers. Such buffers are considered illegal and produce
"zero size buf in output" alerts. The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc 2026-02-21
CVE-2026-42945.patch Rewrite: fixed escaping and possible buffer overrun
The following code resulted in incorrect escaping of $1 and possible
segfault:

location / {
    rewrite ^(.*) /new?c=1;
    set $myvar $1;
    return 200 $myvar;
}

If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared. This resulted in escaping applied
to any captures evaluated afterwards in set or if. Additionally buffer was
allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in buffer overrun and possible segfault.

A similar issue was fixed in 74d939974d43.

Reported by Leo Lin.
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 2026-04-22
CVE-2026-42946.patch Upstream: fixed parsing of split status lines
If the first response line was split across reads and it didn't appear to be
a status line, the portion already processed was lost. To preserve ABI,
the change reuses r->header_name_start for proper backtracking on status
line fallback.
Sergey Kandaurov <pluknet@nginx.com> no https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd 2026-04-29
CVE-2026-40701.patch OCSP: resolve cleanup on connection close
Previously, when a client SSL connection was terminated (typically due to a
timeout) while resolving an OCSP responder, the OCSP context was freed, but
the resolve context was not. This resulted in use-after-free on resolve
completion.

Reported by Leo Lin.
Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1 2026-04-21
CVE-2026-42934.patch Charset: fix buffer over-read in recode_from_utf8().
When a multi-byte UTF-8 character was split across 3+ single-byte
buffers, the saved bytes continuation path had two related bugs:

ngx_utf8_decode() was called with the last saved-array index instead
of the byte count, causing it to report "incomplete" even when the
sequence was already complete.

The subsequent ngx_memcpy() used that same index as the copy length,
reading past the input buffer boundary.
David Carlier <devnexen@gmail.com> no https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a 2026-04-12
