Debian Patches
Status for nginx/1.30.1-6
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| nginx-fix-pidfile.patch | Fix NGINX pidfile handling | Tj <ubuntu@iam.tj> | no | debian | | 2020-06-24 |
| nginx-ssl_cert_cb_yield.patch | # HG changeset patch # User Yichun Zhang <agentzh@openresty.org> # Date 1451762084 28800 # Sat Jan 02 11:14:44 2016 -0800 # Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd # Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom callbacks to serve the SSL certificates and private keys dynamically and lazily. The callbacks may yield for nonblocking I/O or sleeping. Here we added support for such usage in NGINX 3rd-party modules (like ngx_lua) in NGINX's event handlers for downstream SSL connections. | | no | | https://github.com/openresty/openresty/blob/master/patches/nginx-1.21.4-ssl_cert_cb_yield.patch | |
| override-uname.patch | Override uname probing during configure | Miao Wang <shankerwangmiao@gmail.com> | no | | | 2025-02-13 |
| CVE-2026-9256.patch | Rewrite: fix buffer overflow with overlapping captures When the rewrite replacement string had no variables, but had overlapping captures, the length of the allocated buffer could be smaller than the replacement string. This could happen either when the "redirect" parameter is specified, or when arguments are present in the replacement string. The following configurations resulted in heap buffer overflow when using URI "/++++++++++++++++++++++++++++++": `location / { rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect; return 200 foo; }` `location / { rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2; return 200 foo; }` Reported by Mufeed VH of Winfunc Research. | Roman Arutyunyan <arut@nginx.com> | no | | https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 | 2026-05-14 |
| CVE-2026-42055.patch | HTTP/2: limit Content-Type and Location response header length Previously, when these fields were larger than ~2M, the number of bytes allocated for the field length was insufficient for such a large number. The deficit is 1 byte up until ~4M, 2 bytes for sizes above, and grows bigger with even larger fields. Currently, nginx does not have modules which allow to exploit this overflow with reasonably large Content-Type and Location. The reason is other response fields make up for this deficit. For example, the Date header value contains the characters compressed well by Huffman encoding, which frees up spare bytes in the header buffer. Reported by Leo Lin. diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c index 6b73b1e68..aabc5ac1b 100644 | Roman Arutyunyan <arut@nginx.com> | no | | | 2026-04-26 |
| CVE-2026-48142.patch | Charset: fixed another rare buffer overread in recode_from_utf8() With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode() stops advancing the pointer position on the first encountered invalid byte. The fix is to adjust the advanced pointer up to the whole saved sequence in this case. Note that this may result in different output compared to complete invalid UTF-8 sequences, which we can disregard at this point. Reported by Han Yan of Xiaomi and p4p3r of CYBERONE. diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c index edb2db568..e0115e1e4 100644 | Sergey Kandaurov <pluknet@nginx.com> | no | | | 2026-06-01 |
| fix-cache-line-size-for-loongarch64.patch | Configure: set cache line size for loongarch64 Section 8.2 table 54, registers 0x11 - 0x14 (2^6 = 64 bytes) <https://loongson.github.io/LoongArch-Documentation/Loongson-3A5000-usermanual-EN.html#instruction-set-features-implemented-in-3a5000> There is no intent to cover 32-bit LoongArch which acceptably falls through to the default. | Miao Wang <shankerwangmiao@users.noreply.github.com> | not-needed | | https://github.com/nginx/nginx/commit/be84ac8bda2265d254f3ead9c3f0ba1d78a79319 | 2026-06-22 |

All known versions for source package 'nginx'
- 1.30.1-6 (sid, forky)
- 1.26.3-3+deb13u6 (trixie-proposed-updates, trixie-security)
- 1.26.3-3+deb13u4 (trixie)
- 1.22.1-9+deb12u8 (bookworm-proposed-updates, bookworm-security)
- 1.22.1-9+deb12u6 (bookworm)
