Debian Patches
Status for nginx/1.26.3-3+deb13u4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0003-define_gnu_source-on-other-glibc-based-platforms.patch | Use _GNU_SOURCE on GNU/kFreeBSD Define _GNU_SOURCE not only on GNU/Hurd, but also other glibc-based platforms including GNU/kFreeBSD. modified by jan.mojzis@gmail.com =================================================================== |
Steven Chamberlain <stevenc@debian.org> | yes | 2016-07-16 | ||
| nginx-fix-pidfile.patch | Fix NGINX pidfile handling | Tj <ubuntu@iam.tj> | no | debian | 2020-06-24 | |
| nginx-ssl_cert_cb_yield.patch | # HG changeset patch # User Yichun Zhang <agentzh@openresty.org> # Date 1451762084 28800 # Sat Jan 02 11:14:44 2016 -0800 # Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd # Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom callbacks to serve the SSL certificiates and private keys dynamically and lazily. The callbacks may yield for nonblocking I/O or sleeping. Here we added support for such usage in NGINX 3rd-party modules (like ngx_lua) in NGINX's event handlers for downstream SSL connections. |
no | https://github.com/openresty/openresty/blob/master/patches/nginx-1.21.4-ssl_cert_cb_yield.patch | |||
| CVE-2025-53859.patch | CVE-2025-53859 diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c index 1167df3fb..d3be7f3b3 100644 |
not-needed | debian | https://nginx.org/download/patch.2025.smtp.txt | ||
| CVE-2026-1642.patch | Upstream: detect premature plain text response from SSL backend. When connecting to a backend, the connection write event is triggered first in most cases. However if a response arrives quickly enough, both read and write events can be triggered together within the same event loop iteration. In this case the read event handler is called first and the write event handler is called after it. SSL initialization for backend connections happens only in the write event handler since SSL handshake starts with sending Client Hello. Previously, if a backend sent a quick plain text response, it could be parsed by the read event handler prior to starting SSL handshake on the connection. The change adds protection against parsing such responses on SSL-enabled connections. |
Roman Arutyunyan <arut@nginx.com> | no | https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e | 2026-01-29 | |
| CVE-2026-27651.patch | Mail: fixed clearing s->passwd in auth http requests. Previously, it was not properly cleared retaining length as part of authenticating with CRAM-MD5 and APOP methods that expect to receive password in auth response. This resulted in null pointer dereference and worker process crash in subsequent auth attempts with CRAM-MD5. Reported by Arkadi Vainbrand. |
Sergey Kandaurov <pluknet@nginx.com> | no | https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c | 2026-03-18 | |
| CVE-2026-27654.patch | Dav: destination length validation for COPY and MOVE. Previously, when alias was used in a location with Dav COPY or MOVE enabled, and the destination URI was shorter than the alias, integer underflow could happen in ngx_http_map_uri_to_path(), which could result in heap buffer overwrite, followed by a possible segfault. With some implementations of memcpy(), the segfault could be avoided and the overwrite could result in a change of the source or destination file names to be outside of the location root. Reported by Calif.io in collaboration with Claude and Anthropic Research. |
Roman Arutyunyan <arut@nginx.com> | no | https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 | 2026-03-16 | |
| CVE-2026-27784.patch | Mp4: fixed possible integer overflow on 32-bit platforms. Previously, a 32-bit overflow could happen while validating atom entries count. This allowed processing of an invalid atom with entrires beyond its boundaries with reads and writes outside of the allocated mp4 buffer. Reported by Prabhav Srinath (sprabhav7). |
Roman Arutyunyan <arut@nginx.com> | no | https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018 | 2026-03-02 | |
| CVE-2026-28753.patch | Mail: host validation. Now host name resolved from client address is validated to only contain the characters specified in RFC 1034, Section 3.5. The validation allows to avoid injections when using the resolved host name in auth_http and smtp proxy. Reported by Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University). |
Roman Arutyunyan <arut@nginx.com> | no | https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f | 2026-02-26 | |
| CVE-2026-28755.patch | Stream: fixed client certificate validation with OCSP. Check for OCSP status was missed in 581cf2267, resulting in a broken validation. Reported by Mufeed VH of Winfunc Research. |
Sergey Kandaurov <pluknet@nginx.com> | no | https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 | 2026-03-17 | |
| CVE-2026-32647.patch | Mp4: avoid zero size buffers in output. Previously, data validation checks did not cover the cases when the output contained empty buffers. Such buffers are considered illegal and produce "zero size buf in output" alerts. The change rejects the mp4 files which produce such alerts. Also, the change fixes possible buffer overread and overwrite that could happen while processing empty stco and co64 atoms, as reported by Pavel Kohout (Aisle Research) and Tim Becker. |
Roman Arutyunyan <arut@nginx.com> | no | https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc | 2026-02-21 |
All known versions for source package 'nginx'
- 1.30.1-3 (sid)
- 1.30.0-2 (forky)
- 1.26.3-3+deb13u5 (trixie-security, trixie-proposed-updates)
- 1.26.3-3+deb13u4 (trixie)
- 1.22.1-9+deb12u7 (bookworm-proposed-updates, bookworm-security)
- 1.22.1-9+deb12u6 (bookworm)