Source: nginx Version: 1.30.1-4 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for nginx. CVE-2026-48142[0]: | NGINX Plus and NGINX Open Source have a vulnerability in the | ngx_http_charset_module module. When content is served or proxied | through a location block with both source_charset utf-8; and a | charset directive (for example, charset koi8-r;) configured, remote, | unauthenticated attackers can send requests (in conjunction with | conditions beyond their control) to cause a heap buffer over-read in | the NGINX worker process, leading to limited disclosure of memory or | a restart. Note: Software versions which have reached End of | Technical Support (EoTS) are not evaluated. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-48142 https://www.cve.org/CVERecord?id=CVE-2026-48142 [1] https://my.f5.com/manage/s/article/K000161585 [2] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
