Debian Patches
Status for nginx/1.26.3-3+deb13u5
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0003-define_gnu_source-on-other-glibc-based-platforms.patch | Use _GNU_SOURCE on GNU/kFreeBSD. Define _GNU_SOURCE not only on GNU/Hurd, but also other glibc-based platforms including GNU/kFreeBSD. modified by jan.mojzis@gmail.com | Steven Chamberlain <stevenc@debian.org> | yes | | | 2016-07-16 |
| nginx-fix-pidfile.patch | Fix NGINX pidfile handling | Tj <ubuntu@iam.tj> | no | debian | | 2020-06-24 |
| nginx-ssl_cert_cb_yield.patch | # HG changeset patch # User Yichun Zhang <agentzh@openresty.org> # Date 1451762084 28800 # Sat Jan 02 11:14:44 2016 -0800 # Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd # Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom callbacks to serve the SSL certificates and private keys dynamically and lazily. The callbacks may yield for nonblocking I/O or sleeping. Here we added support for such usage in NGINX 3rd-party modules (like ngx_lua) in NGINX's event handlers for downstream SSL connections. | | no | | https://github.com/openresty/openresty/blob/master/patches/nginx-1.21.4-ssl_cert_cb_yield.patch | |
| CVE-2025-53859.patch | CVE-2025-53859 diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c index 1167df3fb..d3be7f3b3 100644 | | not-needed | debian | https://nginx.org/download/patch.2025.smtp.txt | |
| CVE-2026-1642.patch | Upstream: detect premature plain text response from SSL backend. When connecting to a backend, the connection write event is triggered first in most cases. However if a response arrives quickly enough, both read and write events can be triggered together within the same event loop iteration. In this case the read event handler is called first and the write event handler is called after it. SSL initialization for backend connections happens only in the write event handler since SSL handshake starts with sending Client Hello. Previously, if a backend sent a quick plain text response, it could be parsed by the read event handler prior to starting SSL handshake on the connection. The change adds protection against parsing such responses on SSL-enabled connections. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e | 2026-01-29 |
| CVE-2026-27651.patch | Mail: fixed clearing s->passwd in auth http requests. Previously, it was not properly cleared retaining length as part of authenticating with CRAM-MD5 and APOP methods that expect to receive password in auth response. This resulted in null pointer dereference and worker process crash in subsequent auth attempts with CRAM-MD5. Reported by Arkadi Vainbrand. | Sergey Kandaurov <pluknet@nginx.com> | no | | https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c | 2026-03-18 |
| CVE-2026-27654.patch | Dav: destination length validation for COPY and MOVE. Previously, when alias was used in a location with Dav COPY or MOVE enabled, and the destination URI was shorter than the alias, integer underflow could happen in ngx_http_map_uri_to_path(), which could result in heap buffer overwrite, followed by a possible segfault. With some implementations of memcpy(), the segfault could be avoided and the overwrite could result in a change of the source or destination file names to be outside of the location root. Reported by Calif.io in collaboration with Claude and Anthropic Research. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 | 2026-03-16 |
| CVE-2026-27784.patch | Mp4: fixed possible integer overflow on 32-bit platforms. Previously, a 32-bit overflow could happen while validating atom entries count. This allowed processing of an invalid atom with entries beyond its boundaries with reads and writes outside of the allocated mp4 buffer. Reported by Prabhav Srinath (sprabhav7). | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018 | 2026-03-02 |
| CVE-2026-28753.patch | Mail: host validation. Now host name resolved from client address is validated to only contain the characters specified in RFC 1034, Section 3.5. The validation allows to avoid injections when using the resolved host name in auth_http and smtp proxy. Reported by Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University). | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f | 2026-02-26 |
| CVE-2026-28755.patch | Stream: fixed client certificate validation with OCSP. Check for OCSP status was missed in 581cf2267, resulting in a broken validation. Reported by Mufeed VH of Winfunc Research. | Sergey Kandaurov <pluknet@nginx.com> | no | | https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 | 2026-03-17 |
| CVE-2026-32647.patch | Mp4: avoid zero size buffers in output. Previously, data validation checks did not cover the cases when the output contained empty buffers. Such buffers are considered illegal and produce "zero size buf in output" alerts. The change rejects the mp4 files which produce such alerts. Also, the change fixes possible buffer overread and overwrite that could happen while processing empty stco and co64 atoms, as reported by Pavel Kohout (Aisle Research) and Tim Becker. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc | 2026-02-21 |
| CVE-2026-40460.patch | QUIC: avoid assigning unvalidated address to new streams. Previously, when a client migrated to a new address, new QUIC streams received this address before validation. This allowed an attacker to create QUIC streams with a spoofed address. Reported by Rodrigo Laneth. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/5461e8bbc09230a4cf8e3d7737c176ae69b091f1 | 2026-04-30 |
| CVE-2026-42945.patch | Rewrite: fixed escaping and possible buffer overrun. The following code resulted in incorrect escaping of $1 and possible segfault: location / { rewrite ^(.*) /new?c=1; set $myvar $1; return 200 $myvar; } If there were arguments in a rewrite's replacement string, the is_args flag was set and incorrectly never cleared. This resulted in escaping applied to any captures evaluated afterwards in set or if. Additionally buffer was allocated by ngx_http_script_complex_value_code() without escaping expected, thus this also resulted in buffer overrun and possible segfault. A similar issue was fixed in 74d939974d43. Reported by Leo Lin. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 | 2026-04-22 |
| CVE-2026-42946.patch | Upstream: fixed parsing of split status lines. If the first response line was split across reads and it didn't appear a status line, the portion already processed was lost. To preserve ABI, the change reuses r->header_name_start for proper backtracking on status line fallback. | Sergey Kandaurov <pluknet@nginx.com> | no | | https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd | 2026-04-29 |
| CVE-2026-40701.patch | OCSP: resolve cleanup on connection close. Previously, when a client SSL connection was terminated (typically due to a timeout) while resolving an OCSP responder, the OCSP context was freed, but the resolve context was not. This resulted in use-after-free on resolve completion. Reported by Leo Lin. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1 | 2026-04-21 |
| CVE-2026-42934.patch | Charset: fix buffer over-read in recode_from_utf8(). When a multi-byte UTF-8 character was split across 3+ single-byte buffers, the saved bytes continuation path had two related bugs: ngx_utf8_decode() was called with the last saved-array index instead of the byte count, causing it to report "incomplete" even when the sequence was already complete. The subsequent ngx_memcpy() used that same index as the copy length, reading past the input buffer boundary. | David Carlier <devnexen@gmail.com> | no | | https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a | 2026-04-12 |
All known versions for source package 'nginx'
- 1.30.1-3 (sid)
- 1.30.0-2 (forky)
- 1.26.3-3+deb13u5 (trixie-security, trixie-proposed-updates)
- 1.26.3-3+deb13u4 (trixie)
- 1.22.1-9+deb12u7 (bookworm-proposed-updates, bookworm-security)
- 1.22.1-9+deb12u6 (bookworm)
