Your message dated Wed, 24 Jun 2026 20:35:50 +0000
with message-id <[email protected]>
and subject line Bug#1140361: fixed in nginx 1.30.1-6
has caused the Debian Bug report #1140361,
regarding nginx: CVE-2026-48142
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140361: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140361
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.30.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for nginx.
CVE-2026-48142[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_charset_module module. When content is served or proxied
| through a location block with both source_charset utf-8; and a
| charset directive (for example, charset koi8-r;) configured, remote,
| unauthenticated attackers can send requests (in conjunction with
| conditions beyond their control) to cause a heap buffer over-read in
| the NGINX worker process, leading to limited disclosure of memory or
| a restart. Note: Software versions which have reached End of
| Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48142
https://www.cve.org/CVERecord?id=CVE-2026-48142
[1] https://my.f5.com/manage/s/article/K000161585
[2] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
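A defender-side check for the configuration condition described in the advisory text above, as an added example that is not part of the bug report or of nginx itself: it reports location blocks where `source_charset utf-8` and a `charset` other than `off` are both in effect, including through inheritance from `server` or `http`. Assumptions: the tokenizer is simplified (no `include` files, no braces inside regex locations), `charset off` counts as no charset, and the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE = """
http {
    charset koi8-r;
    server {
        location /a/ { source_charset utf-8; }
        location /b/ { source_charset UTF-8; charset off; }
    }
    server {
        location /d/ { }
        source_charset utf-8;   # declared after the block, still inherited
    }
}
"""
DIRECTIVES = ("charset", "source_charset")
# Simplified tokenizer (assumption): comments match outside the group and come back empty.
TOKEN = re.compile(r"#[^\n]*|(\"[^\"]*\"|'[^']*'|[{};]|[^\s{};]+)")

def parse(conf):
    root = {"name": "main", "parent": None, "own": {}}
    nodes, cur, words = [root], root, []
    for tok in filter(None, TOKEN.findall(conf)):
        if tok == "{":
            cur = {"name": " ".join(words), "parent": cur, "own": {}}
            nodes.append(cur)
            words = []
        elif tok == "}":
            cur, words = cur["parent"] or root, []
        elif tok == ";":
            if len(words) == 2 and words[0] in DIRECTIVES:
                cur["own"][words[0]] = words[1].strip("\"'").lower()
            words = []
        else:
            words.append(tok)
    return nodes

def effective(node, key):
    # Nearest enclosing block that sets the directive wins (nginx inheritance).
    while node is not None and key not in node["own"]:
        node = node["parent"]
    return node["own"][key] if node else None

def find_affected(conf):
    # Location blocks where source_charset utf-8 and a charset are both in effect.
    pairs = [(n, effective(n, "source_charset"), effective(n, "charset")) for n in parse(conf)]
    return [(n["name"], dst) for n, src, dst in pairs
            if n["name"].startswith("location") and src == "utf-8" and dst not in (None, "off")]
```

A hit only means the configuration matches the condition in the advisory; whether the installed package is fixed is decided by its version.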
--- Begin Message ---
Source: nginx
Source-Version: 1.30.1-6
Done: Jan Mojžíš <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Mojžíš <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Jun 2026 19:29:57 +0000
Source: nginx
Architecture: source
Version: 1.30.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Jan Mojžíš <[email protected]>
Closes: 1124757 1140361 1140605
Changes:
nginx (1.30.1-6) unstable; urgency=medium
.
* d/p/fix-cache-line-size-for-loongarch64.patch add,
backport loongarch64 detection and set cache line size 64
(Closes: 1140605)
* d/control: add `Suggests logrotate` for nginx-common (Closes: 1124757)
* d/changelog: fix the 1.30.1-5 entry, which already closed bug #1140361
(Closes: 1140361)
Git-Tag-Info: tag=8f13e9810e558ec9b570bf61f59886ed4b11929f fp=d008b0c23d8479e46b9fcb9045da517496939ff9
Git-Tag-Tagger: Jan Mojžíš <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---