Your message dated Sat, 23 May 2026 07:07:28 +0000
with message-id <[email protected]>
and subject line Bug#1137339: fixed in nginx 1.30.1-3
has caused the Debian Bug report #1137339,
regarding nginx: CVE-2026-9256
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137339: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137339
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.30.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for nginx.
CVE-2026-9256[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_rewrite_module module. This vulnerability exists when a
| rewrite directive uses a regex pattern with distinct, overlapping
| Perl-Compatible Regular Expression (PCRE) captures (for example,
| ^/((.*))$) and a replacement string that references multiple such
| captures (for example, $1$2) in a redirect or arguments context. An
| unauthenticated attacker along with conditions beyond their control
| can exploit this vulnerability by sending crafted HTTP requests.
| This may cause a heap buffer overflow in the NGINX worker process
| leading to a restart. Additionally, attackers can execute code on
| systems with Address Space Layout Randomization (ASLR) disabled or
| when the attacker can bypass ASLR. Note: Software versions which
| have reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9256
    https://www.cve.org/CVERecord?id=CVE-2026-9256
[1] https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
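
A configuration audit for the condition named in the CVE description above, as an added example that is not part of the bug report and is not Debian or nginx code: it flags `rewrite` directives whose regex has nested (overlapping) captures, whose replacement references both captures of such a pair, and which sit in a redirect or arguments context. The names `audit`, `nested_captures` and `SAMPLE_CONF` are hypothetical, and reading "redirect or arguments context" as a `redirect`/`permanent` flag, an absolute target, or a `?` in the replacement is an assumption of this sketch.

```python
import re
# Heuristic: matches one-line "rewrite regex replacement [flag];" directives only.
REWRITE = re.compile(
    r"""^\s*rewrite\s+("[^"]*"|'[^']*'|\S+)\s+("[^"]*"|'[^']*'|[^\s;]+)"""
    r"""(?:\s+(\w+))?\s*;""", re.M)

def nested_captures(pattern):
    """Return {(outer, inner)} capture-group numbers where inner lies inside outer."""
    pairs, stack, count, in_class, i = set(), [], 0, False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1                          # skip the escaped character as well
        elif in_class or c == "[":
            in_class = c != "]"             # track [...] so "(" inside it is ignored
        elif c == "(":
            rest = pattern[i + 1:i + 5]
            if rest[:1] not in ("?", "*") or re.match(r"\?(P?<[^=!]|')", rest):
                count += 1                  # numbered or named capture group
                pairs.update((outer, count) for outer in stack if outer)
                stack.append(count)
            else:
                stack.append(0)             # non-capturing group, lookaround or verb
        elif c == ")" and stack:
            stack.pop()
        i += 1
    return pairs

def audit(conf_text):
    """Return (regex, replacement, flag) for rewrites matching the advisory's conditions."""
    findings = []
    for m in REWRITE.finditer(conf_text):
        regex, repl, flag = ((t or "").strip("\"'") for t in m.groups())
        refs = {int(n) for n in re.findall(r"\$(\d)", repl)}
        overlap = any(a in refs and b in refs for a, b in nested_captures(regex))
        # Assumption: redirect = redirect/permanent flag or absolute target; arguments = "?"
        redirect = flag in ("redirect", "permanent") or re.match(r"https?://|\$scheme", repl)
        if overlap and (redirect or "?" in repl):
            findings.append((regex, repl, flag))
    return findings

SAMPLE_CONF = r"""
rewrite ^/((.*))$ /new/$1$2 permanent;          # flagged: redirect
rewrite ^/a/((\d+)-.*)$ /b?id=$2&raw=$1 last;   # flagged: arguments
rewrite ^/((.*))$ /new/$1 permanent;            # one capture referenced
rewrite ^/(\w+)/(\w+)$ /$2/$1 redirect;         # captures do not overlap
rewrite ^/((.*))$ /internal/$1$2 last;          # neither redirect nor arguments
"""  # constructed sample, not taken from any real deployment
print(audit(SAMPLE_CONF))
```

Directives split across lines or placed after `if (...) {` on the same line are not matched by this tokenizer, so a clean result does not replace installing the fixed package.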
--- Begin Message ---
Source: nginx
Source-Version: 1.30.1-3
Done: Jan Mojžíš <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Mojžíš <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 May 2026 06:23:38 +0000
Source: nginx
Architecture: source
Version: 1.30.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Jan Mojžíš <[email protected]>
Closes: 1137339
Changes:
 nginx (1.30.1-3) unstable; urgency=medium
 .
   * backport fix for buffer overflow vulnerability in the
     ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
   * d/p/CVE-2026-9256.patch add (Closes: 1137339)
Git-Tag-Info: tag=89c8f82e5343bc7437103287712cdd9aa430b696 fp=d008b0c23d8479e46b9fcb9045da517496939ff9
Git-Tag-Tagger: Jan Mojžíš <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---