Bug#1138593: (no subject)

Thomas Ward Sun, 31 May 2026 16:01:17 -0700

Attaching debdiff here as an attachment.

diff -Nru nginx-snippets-1.0+nmu1/conf.d/http-upgrade_req-connection_map.conf 
nginx-snippets-1.3~deb13u1/conf.d/http-upgrade_req-connection_map.conf
--- nginx-snippets-1.0+nmu1/conf.d/http-upgrade_req-connection_map.conf 
2025-04-08 11:17:38.000000000 -0400
+++ nginx-snippets-1.3~deb13u1/conf.d/http-upgrade_req-connection_map.conf      
2026-04-23 16:33:49.000000000 -0400
@@ -1,5 +1,5 @@
-# Used by snippets/common-proxy-pass-headers.conf
-map $http_upgrade $req_connection {
-    default upgrade;
-    ""      "";
+# Used by snippets/common-proxy-pass-headers.conf
+map $http_upgrade $req_connection {
+    default upgrade;
+    ""      "";
 }
\ No newline at end of file
diff -Nru nginx-snippets-1.0+nmu1/debian/changelog 
nginx-snippets-1.3~deb13u1/debian/changelog
--- nginx-snippets-1.0+nmu1/debian/changelog    2025-04-08 11:17:38.000000000 
-0400
+++ nginx-snippets-1.3~deb13u1/debian/changelog 2026-05-31 17:50:16.000000000 
-0400
@@ -1,9 +1,44 @@
-nginx-snippets (1.0+nmu1) unstable; urgency=medium
+nginx-snippets (1.3~deb13u1) trixie-proposed-updates; urgency=medium
 
-  * Non-maintainer upload.
-  * No change source-only upload.
+  * Backport 1.3 from Unstable to Trixie via proposed-updates.
+  * Addresses 'post quantum not available' bug in nginx-snippets.
+    (Closes: #1138590)
 
- -- Boyuan Yang <[email protected]>  Tue, 08 Apr 2025 11:17:38 -0400
+ -- Thomas Ward <[email protected]>  Sun, 31 May 2026 17:50:16 -0400
+
+nginx-snippets (1.3) unstable; urgency=medium
+
+  * conf.d/http-upgrade_req-connection_map.conf: Convert to UNIX 
+    line endings (was DOS, somehow). (Closes: #1118535)
+
+ -- Thomas Ward <[email protected]>  Thu, 23 Apr 2026 16:40:45 -0400
+
+nginx-snippets (1.2) unstable; urgency=medium
+
+  * Update TLS snippets from Mozilla TLS guidelines, referenced on 
+    2026-04-23.
+  * d/tls/* changes:
+    - tls-intermediate.conf: Update from Mozilla TLS - remove DHE-*
+      ciphers and thus the need for a dh_param file, use additional 
+      recommended EC curves.
+    - tls-modern.conf: Update from Mozilla TLS - use additional
+      recommended EC curves.
+    - tls-intermediate-nodhe.conf: Replace entire file with a symlink
+      to tls-intermediate.conf - DHE-* ciphers removed from Intermediate 
+      as of last update from Mozilla TLS guidelines
+  * d/postinst: Comment out section that generates dhparam if not 
+    already present - no longer needed thanks to dropping of DHE-* ciphers 
+    from Intermediate.
+
+ -- Thomas Ward <[email protected]>  Thu, 23 Apr 2026 13:17:45 -0400
+
+nginx-snippets (1.1) unstable; urgency=medium
+
+  * d/nginx-snippets.install: Fix missing clause that will properly 
+    install conf.d files from the package into the configuration on-
+    disk.
+
+ -- Thomas Ward <[email protected]>  Mon, 13 Oct 2025 14:47:06 -0400
 
 nginx-snippets (1.0) unstable; urgency=medium
 
diff -Nru nginx-snippets-1.0+nmu1/debian/nginx-snippets.install 
nginx-snippets-1.3~deb13u1/debian/nginx-snippets.install
--- nginx-snippets-1.0+nmu1/debian/nginx-snippets.install       2025-04-08 
11:17:38.000000000 -0400
+++ nginx-snippets-1.3~deb13u1/debian/nginx-snippets.install    2026-04-23 
16:34:28.000000000 -0400
@@ -1 +1,2 @@
 snippets/* /etc/nginx/snippets/
+conf.d/* /etc/nginx/conf.d/
\ No newline at end of file
diff -Nru nginx-snippets-1.0+nmu1/debian/postinst 
nginx-snippets-1.3~deb13u1/debian/postinst
--- nginx-snippets-1.0+nmu1/debian/postinst     2025-04-08 11:17:38.000000000 
-0400
+++ nginx-snippets-1.3~deb13u1/debian/postinst  2026-04-23 16:34:28.000000000 
-0400
@@ -3,15 +3,19 @@
 
 set -e
 
+### Commented out in version 1.2 - 2026-04-23: DHE-* ciphers no longer
+### included in Mozilla TLS recommendations, so we'll remove them, and
+### thus no longer need to generate a dhparam file.
+#
 # Generate the /etc/nginx/dhparam2048.pem if the file doesn't 
 # already exist.
-if [ ! -e /etc/nginx/dhparam2048.pem ]; then
-  echo "Generating dhparam with 2048 bits. This may take some time."
-  openssl dhparam -out /etc/nginx/dhparam2048.pem 2048
-  echo "Generated dhparam file with 2048 bits in /etc/nginx/dhparam2048.pem"
-else
-  echo "dhparam2048.pem file already exists."
-fi
+#if [ ! -e /etc/nginx/dhparam2048.pem ]; then
+#  echo "Generating dhparam with 2048 bits. This may take some time."
+#  openssl dhparam -out /etc/nginx/dhparam2048.pem 2048
+#  echo "Generated dhparam file with 2048 bits in /etc/nginx/dhparam2048.pem"
+#else
+#  echo "dhparam2048.pem file already exists."
+#fi
 
 #DEBHELPER#
 
diff -Nru nginx-snippets-1.0+nmu1/debian/salsa-ci.yml 
nginx-snippets-1.3~deb13u1/debian/salsa-ci.yml
--- nginx-snippets-1.0+nmu1/debian/salsa-ci.yml 2025-04-08 11:17:38.000000000 
-0400
+++ nginx-snippets-1.3~deb13u1/debian/salsa-ci.yml      2026-04-23 
16:34:28.000000000 -0400
@@ -8,3 +8,11 @@
 ---
 include:
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  # Taken from  
https://salsa.debian.org/salsa-ci-team.pipeline#select-which-jobs-run-in-the-ci-pipeline
+  # This test fails, but this isn't an arch:any package, so this is fine to 
disable.
+  SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1
+  # We don't have a d/watch file because this is a Native package
+  # so disable uscan tests
+  SALSA_CI_DISABLE_USCAN: 1
diff -Nru nginx-snippets-1.0+nmu1/snippets/tls/tls-intermediate-nodhe.conf 
nginx-snippets-1.3~deb13u1/snippets/tls/tls-intermediate-nodhe.conf
--- nginx-snippets-1.0+nmu1/snippets/tls/tls-intermediate-nodhe.conf    
2025-04-08 11:17:38.000000000 -0400
+++ nginx-snippets-1.3~deb13u1/snippets/tls/tls-intermediate-nodhe.conf 
2026-04-23 16:34:01.000000000 -0400
@@ -1,14 +1,17 @@
 # Based on Mozilla TLS generator configurations
 
-# Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, intermediate config, no 
HSTS, no OCSP
+# Mozilla Guideline v6.0, nginx 1.27.3, OpenSSL 3.6.2, intermediate config, no 
HSTS, no OCSP
 # last generated/retrieved on 2025-02-22 
 
-# intermediate configuration, but DHE-* ciphers and dhparam are removed.
+# intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
 ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 
 # see also ssl_session_ticket_key alternative to stateful session cache
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+
+# Generated through openssl in the postinst script.
+ssl_dhparam "/etc/nginx/dhparam2048.pem";
diff -Nru nginx-snippets-1.0+nmu1/snippets/tls/tls-intermediate.conf 
nginx-snippets-1.3~deb13u1/snippets/tls/tls-intermediate.conf
--- nginx-snippets-1.0+nmu1/snippets/tls/tls-intermediate.conf  2025-04-08 
11:17:38.000000000 -0400
+++ nginx-snippets-1.3~deb13u1/snippets/tls/tls-intermediate.conf       
2026-04-23 16:34:01.000000000 -0400
@@ -1,12 +1,12 @@
 # Based on Mozilla TLS generator configurations
 
-# Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, intermediate config, no 
HSTS, no OCSP
+# Mozilla Guideline v6.0, nginx 1.27.3, OpenSSL 3.6.2, intermediate config, no 
HSTS, no OCSP
 # last generated/retrieved on 2025-02-22 
 
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ecdh_curve X25519:prime256v1:secp384r1;
-ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
+ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 
 # see also ssl_session_ticket_key alternative to stateful session cache
diff -Nru nginx-snippets-1.0+nmu1/snippets/tls/tls-modern.conf 
nginx-snippets-1.3~deb13u1/snippets/tls/tls-modern.conf
--- nginx-snippets-1.0+nmu1/snippets/tls/tls-modern.conf        2025-04-08 
11:17:38.000000000 -0400
+++ nginx-snippets-1.3~deb13u1/snippets/tls/tls-modern.conf     2026-04-23 
16:34:01.000000000 -0400
@@ -1,9 +1,9 @@
 # Based on Mozilla TLS generator configurations
 
-# Mozilla Guideline v5.7, nginx 1.27.3, OpenSSL 3.4.0, modern config, no HSTS, 
no OCSP
-# last generated/retrieved on 2025-02-22
+# Mozilla Guideline v5.7, for nginx 1.27.3, OpenSSL 3.6.2, modern config, no 
HSTS, no OCSP
+# last generated/retrieved on 2026-04-23
 
 # modern configuration
 ssl_protocols TLSv1.3;
-ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ssl_ecdh_curve ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;;
 ssl_prefer_server_ciphers off;

Bug#1138593: (no subject)

Reply via email to