Your message dated Sat, 04 Jul 2026 10:02:51 +0000
with message-id <[email protected]>
and subject line Bug#1140359: fixed in nginx 1.26.3-3+deb13u7
has caused the Debian Bug report #1140359,
regarding nginx: CVE-2026-42055
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.30.1-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nginx.

CVE-2026-42055[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This
| vulnerability exists when the proxy_http_version to 2 or
| grpc_pass directives are used to proxy HTTP/2 traffic, the
| ignore_invalid_headers directive is set to off, and the
| large_client_header_buffers directive size is larger than 2
| megabytes. A remote, unauthenticated attacker, along with conditions
| beyond their control, could send large headers while creating an
| upstream request. This may cause a heap-based buffer overflow in the
| NGINX worker process leading to a restart. Additionally, attackers
| can execute code on systems with Address Space Layout Randomization
| (ASLR) disabled or when the attacker can bypass ASLR.    Note:
| Software versions which have reached End of Technical Support (EoTS)
| are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42055
    https://www.cve.org/CVERecord?id=CVE-2026-42055
[1] https://my.f5.com/manage/s/article/K000161584
[2] 
https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.26.3-3+deb13u7
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jun 2026 22:33:06 +0200
Source: nginx
Architecture: source
Version: 1.26.3-3+deb13u7
Distribution: trixie-security
Urgency: high
Maintainer: Debian Nginx Maintainers 
<[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1140359 1140361
Changes:
 nginx (1.26.3-3+deb13u7) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Upstream: limit header length for HTTP/2 and gRPC (CVE-2026-42055)
     (Closes: #1140359)
   * Charset: fixed another rare buffer overread in recode_from_utf8()
     (CVE-2026-48142) (Closes: #1140361)
Checksums-Sha1:
 88d2932f85883790729500395b595ee754c342b3 3953 nginx_1.26.3-3+deb13u7.dsc
 3d91dada31ac9fee539f1ddfbef14084319df5cb 92748 
nginx_1.26.3-3+deb13u7.debian.tar.xz
 f449aab4057bbf1e25e24370f37c0dcc26febf77 6308 
nginx_1.26.3-3+deb13u7_source.buildinfo
Checksums-Sha256:
 12ea342366d81030e59e3a0ac9591ca549f5da023d85055f0a25d99e68378381 3953 
nginx_1.26.3-3+deb13u7.dsc
 19fcf637728c01356f4c80909812b32bc38d6f10eabc1e7fa2bb2c6fbcf27474 92748 
nginx_1.26.3-3+deb13u7.debian.tar.xz
 e99e0c54070ead7a45891e72c02da52622aa924b546c8f51d3da640a5b390dc1 6308 
nginx_1.26.3-3+deb13u7_source.buildinfo
Files:
 6df53f7005030c662573cc9fd5b3b178 3953 httpd optional nginx_1.26.3-3+deb13u7.dsc
 17694b7c9829210f1401ed3471e95d5e 92748 httpd optional 
nginx_1.26.3-3+deb13u7.debian.tar.xz
 4c57def4cc45df1daa22ac88f04926ec 6308 httpd optional 
nginx_1.26.3-3+deb13u7_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmpBhzxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EbgsP/2Posd1cuhRcPHG6J0ElVbi3VsCY1muG
woOR6qR5Ru3DrVujRiGVu0GRAO2k0fwCIRzdVBOaxDzZoi75/1jHLJ3CByd19JKq
2mZ+qzrcIfpX2UyuBUfIu+ziRJXIaxMyNNaWXA4AB+owA/6VZjILGcyhHMFD0Jy5
SkAZ09A6Nginxkzixp5Lx+NWSALZvOaQ0UFl7x262E4z3dpCMWSOUu+uiOL45U+Q
OOVAf4z7mblLKLM7kaTOAPJBnw3zM4ewhKVtcttct/NHC52NhCz/VrXu1f0gs1PF
hWyQV/oj9Gs85t2s9Cf7xA8qvGdsWjwgz5xYqBY5yy5GEEio9klzFWZFtrUh/xWW
NsS9+K0SxVwaLRO8a5slNrlDuFQB1UPk8B/um1HHRozoPzVYdNA1ByKW+ldvsve9
KOiE9zXgOq29I9Vdw7e3CQv1SfZquAhRv87CwARaIEz4YBYWFbyjFtnKUVseVKzf
OOhS2DOzVSSi70id8+Q0MXJQyesk57WZ7c+feJvpWF2B9Wnn3pMEkh8XsOqz1ZUb
9qduarfjZPhpHS7s4OcC+XzMU0ESAqcLG99WSNyxVfaBw+fdI5FvGham3WEzR6hE
B++Bdt6+P/tF5+fP2C7vkrkLwgLns+Zn5rG8B2CTDbgcCoIjUrxcUqAsREPLRIkm
p9yMtGeN3vgt
=BSjN
-----END PGP SIGNATURE-----

Attachment: pgp4CGJcvMy6W.pgp
Description: PGP signature


--- End Message ---

Reply via email to