Debian Patches

Status for nginx/1.30.1-3

Patch Description Author Forwarded Bugs Origin Last update
nginx-fix-pidfile.patch Fix NGINX pidfile handling Tj <ubuntu@iam.tj> no debian 2020-06-24
nginx-ssl_cert_cb_yield.patch # HG changeset patch
# User Yichun Zhang <agentzh@openresty.org>
# Date 1451762084 28800
# Sat Jan 02 11:14:44 2016 -0800
# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4

OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
callbacks to serve the SSL certificiates and private keys dynamically
and lazily. The callbacks may yield for nonblocking I/O or sleeping.
Here we added support for such usage in NGINX 3rd-party modules
(like ngx_lua) in NGINX's event handlers for downstream SSL
connections.

===================================================================		 no https://github.com/openresty/openresty/blob/master/patches/nginx-1.21.4-ssl_cert_cb_yield.patch
override-uname.patch Override uname probing during configure Miao Wang <shankerwangmiao@gmail.com> no 2025-02-13
CVE-2026-9256.patch Rewrite: fix buffer overflow with overlapping captures
When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string. This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.

The following configurations resulted in heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":

location / {
rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
return 200 foo;
}

location / {
rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
return 200 foo;
}

Reported by Mufeed VH of Winfunc Research.		 Roman Arutyunyan <arut@nginx.com> no https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 2026-05-14

All known versions for source package 'nginx'

Links