Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2026-05-24 19:35:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new.2084 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Sun May 24 19:35:02 2026 rev:113 rq:1354768 version:1.31.1 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2026-05-16 19:25:12.067697117 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new.2084/nginx.changes 2026-05-24 19:36:06.884409020 +0200 @@ -1,0 +2,10 @@ +Fri May 22 15:59:50 UTC 2026 - Marcus Rueckert <[email protected]> + +- Updated to 1.31.0 ( boo#1266215 CVE-2026-9256 ) + *) Security: a heap memory buffer overflow might occur in a + worker process when using a configuration with overlapping + captures in ngx_http_rewrite_module, potentially resulting in + arbitrary code execution (CVE-2026-9256). + Thanks to Mufeed VH of Winfunc Research. + +------------------------------------------------------------------- Old: ---- nginx-1.31.0.tar.gz nginx-1.31.0.tar.gz.asc New: ---- nginx-1.31.1.tar.gz nginx-1.31.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.sBBUQX/_old 2026-05-24 19:36:07.888450102 +0200 +++ /var/tmp/diff_new_pack.sBBUQX/_new 2026-05-24 19:36:07.892450265 +0200 @@ -24,7 +24,7 @@ %bcond_with awslc # Name: nginx -Version: 1.31.0 +Version: 1.31.1 Release: 0 Summary: A HTTP server and IMAP/POP3 proxy server License: BSD-2-Clause ++++++ nginx-1.31.0.tar.gz -> nginx-1.31.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/CHANGES new/nginx-1.31.1/CHANGES --- old/nginx-1.31.0/CHANGES 2026-05-13 15:34:06.000000000 +0200 +++ new/nginx-1.31.1/CHANGES 2026-05-22 14:53:13.000000000 +0200 @@ -1,4 +1,13 @@ +Changes with nginx 1.31.1 22 May 2026 + + *) Security: a heap memory buffer overflow might occur in a worker + process when using a configuration with overlapping captures in + ngx_http_rewrite_module, potentially resulting in arbitrary code + execution (CVE-2026-9256). + Thanks to Mufeed VH of Winfunc Research. + + Changes with nginx 1.31.0 13 May 2026 *) Security: when using the "proxy_set_body" directive, an attacker diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/CHANGES.ru new/nginx-1.31.1/CHANGES.ru --- old/nginx-1.31.0/CHANGES.ru 2026-05-13 15:34:05.000000000 +0200 +++ new/nginx-1.31.1/CHANGES.ru 2026-05-22 14:53:12.000000000 +0200 @@ -1,4 +1,13 @@ +Изменения в nginx 1.31.1 22.05.2026 + + *) Безопасность: при использовании конфигурации модуля + ngx_http_rewrite_module с перекрывающимися выделениями могло + происходить переполнение буфера в рабочем процессе, что потенциально + могло приводить к выполнению произвольного кода (CVE-2026-9256). + Спасибо Mufeed VH из Winfunc Research. + + Изменения в nginx 1.31.0 13.05.2026 *) Безопасность: при использовании директивы proxy_set_body атакующий diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/core/nginx.h new/nginx-1.31.1/src/core/nginx.h --- old/nginx-1.31.0/src/core/nginx.h 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/core/nginx.h 2026-05-22 14:50:47.000000000 +0200 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1031000 -#define NGINX_VERSION "1.31.0" +#define nginx_version 1031001 +#define NGINX_VERSION "1.31.1" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/http/modules/ngx_http_mp4_module.c new/nginx-1.31.1/src/http/modules/ngx_http_mp4_module.c --- old/nginx-1.31.0/src/http/modules/ngx_http_mp4_module.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/http/modules/ngx_http_mp4_module.c 2026-05-22 14:50:47.000000000 +0200 @@ -1063,7 +1063,9 @@ { ssize_t n; - if (mp4->buffer_pos + size <= mp4->buffer_end) { + if (mp4->buffer_pos && mp4->buffer_end + && mp4->buffer_pos + size <= mp4->buffer_end) + { return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/http/ngx_http_script.c new/nginx-1.31.1/src/http/ngx_http_script.c --- old/nginx-1.31.0/src/http/ngx_http_script.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/http/ngx_http_script.c 2026-05-22 14:50:47.000000000 +0200 @@ -1037,6 +1037,8 @@ void ngx_http_script_regex_start_code(ngx_http_script_engine_t *e) { + int *cap; + u_char *p; size_t len; ngx_int_t rc; ngx_uint_t n; @@ -1143,15 +1145,19 @@ if (code->lengths == NULL) { e->buf.len = code->size; - if (code->uri) { - if (r->ncaptures && (r->quoted_uri || r->plus_in_uri)) { - e->buf.len += 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, - NGX_ESCAPE_ARGS); - } - } + cap = r->captures; + p = r->captures_data; for (n = 2; n < r->ncaptures; n += 2) { - e->buf.len += r->captures[n + 1] - r->captures[n]; + e->buf.len += cap[n + 1] - cap[n]; + + if (code->uri) { + if (r->quoted_uri || r->plus_in_uri) { + e->buf.len += 2 * ngx_escape_uri(NULL, &p[cap[n]], + cap[n + 1] - cap[n], + NGX_ESCAPE_ARGS); + } + } } } else { @@ -1183,6 +1189,7 @@ return; } + e->is_args = 0; e->quote = code->redirect; e->pos = e->buf.data; @@ -1769,6 +1776,7 @@ le.ip = code->lengths->elts; le.line = e->line; le.request = e->request; + le.is_args = e->is_args; le.quote = e->quote; for (len = 0; *(uintptr_t *) le.ip; len += lcode(&le)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/http/v2/ngx_http_v2_filter_module.c new/nginx-1.31.1/src/http/v2/ngx_http_v2_filter_module.c --- old/nginx-1.31.0/src/http/v2/ngx_http_v2_filter_module.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/http/v2/ngx_http_v2_filter_module.c 2026-05-22 14:50:47.000000000 +0200 @@ -241,6 +241,14 @@ } if (r->headers_out.content_type.len) { + + if (r->headers_out.content_type.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_CRIT, fc->log, 0, + "too long response header value: " + "\"Content-Type: %V\"", &r->headers_out.content_type); + return NGX_ERROR; + } + len += 1 + NGX_HTTP_V2_INT_OCTETS + r->headers_out.content_type.len; if (r->headers_out.content_type_len == r->headers_out.content_type.len @@ -264,6 +272,13 @@ if (r->headers_out.location && r->headers_out.location->value.len) { + if (r->headers_out.location->value.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_CRIT, fc->log, 0, + "too long response header value: \"Location: %V\"", + &r->headers_out.location->value); + return NGX_ERROR; + } + if (r->headers_out.location->value.data[0] == '/' && clcf->absolute_redirect) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/mail/ngx_mail_imap_handler.c new/nginx-1.31.1/src/mail/ngx_mail_imap_handler.c --- old/nginx-1.31.0/src/mail/ngx_mail_imap_handler.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/mail/ngx_mail_imap_handler.c 2026-05-22 14:50:47.000000000 +0200 @@ -48,6 +48,7 @@ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ngx_mail_close_connection(c); + return; } ngx_mail_send(c->write); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/mail/ngx_mail_pop3_handler.c new/nginx-1.31.1/src/mail/ngx_mail_pop3_handler.c --- old/nginx-1.31.0/src/mail/ngx_mail_pop3_handler.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/mail/ngx_mail_pop3_handler.c 2026-05-22 14:50:47.000000000 +0200 @@ -69,6 +69,7 @@ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ngx_mail_close_connection(c); + return; } ngx_mail_send(c->write); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/mail/ngx_mail_proxy_module.c new/nginx-1.31.1/src/mail/ngx_mail_proxy_module.c --- old/nginx-1.31.0/src/mail/ngx_mail_proxy_module.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/mail/ngx_mail_proxy_module.c 2026-05-22 14:50:47.000000000 +0200 @@ -894,6 +894,7 @@ if (ngx_handle_write_event(wev, 0) != NGX_OK) { ngx_mail_proxy_internal_server_error(s); + return; } if (c->read->ready) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.31.0/src/mail/ngx_mail_smtp_handler.c new/nginx-1.31.1/src/mail/ngx_mail_smtp_handler.c --- old/nginx-1.31.0/src/mail/ngx_mail_smtp_handler.c 2026-05-13 14:43:09.000000000 +0200 +++ new/nginx-1.31.1/src/mail/ngx_mail_smtp_handler.c 2026-05-22 14:50:47.000000000 +0200 @@ -340,6 +340,7 @@ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ngx_mail_close_connection(c); + return; } if (c->read->ready) { @@ -347,8 +348,8 @@ } if (sscf->greeting_delay) { - c->read->handler = ngx_mail_smtp_invalid_pipelining; - return; + c->read->handler = ngx_mail_smtp_invalid_pipelining; + return; } c->read->handler = ngx_mail_smtp_init_protocol;
