Your message dated Sat, 04 Jul 2026 10:32:25 +0000
with message-id <[email protected]>
and subject line Bug#1140359: fixed in nginx 1.22.1-9+deb12u9
has caused the Debian Bug report #1140359,
regarding nginx: CVE-2026-42055
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.30.1-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nginx.

CVE-2026-42055[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This
| vulnerability exists when the proxy_http_version to 2 or
| grpc_pass directives are used to proxy HTTP/2 traffic, the
| ignore_invalid_headers directive is set to off, and the
| large_client_header_buffers directive size is larger than 2
| megabytes. A remote, unauthenticated attacker, along with conditions
| beyond their control, could send large headers while creating an
| upstream request. This may cause a heap-based buffer overflow in the
| NGINX worker process leading to a restart. Additionally, attackers
| can execute code on systems with Address Space Layout Randomization
| (ASLR) disabled or when the attacker can bypass ASLR.    Note:
| Software versions which have reached End of Technical Support (EoTS)
| are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42055
    https://www.cve.org/CVERecord?id=CVE-2026-42055
[1] https://my.f5.com/manage/s/article/K000161584
[2] 
https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.22.1-9+deb12u9
Done: Carlos Henrique Lima Melara <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carlos Henrique Lima Melara <[email protected]> (supplier of updated 
nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Jun 2026 22:05:01 -0300
Source: nginx
Architecture: source
Version: 1.22.1-9+deb12u9
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Nginx Maintainers 
<[email protected]>
Changed-By: Carlos Henrique Lima Melara <[email protected]>
Closes: 1140359 1140361
Changes:
 nginx (1.22.1-9+deb12u9) bookworm-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * debian/gbp.conf: set debian-branch to debian/bookworm.
   * debian/patches: import upstream patches to fix vulnerabilities.
       - CVE-2026-42055.patch: backport from upstream; (Closes: #1140359)
       - CVE-2026-48142.patch: cherry-pick from upstream. (Closes: #1140361)
   * debian/tests/abicheck: cherry-pick from debain/trixie, remove chown, add
     warn when it fails and remove needs-root restriction.
Checksums-Sha1:
 d3f4e6721c4f3a852fa0a604bc75900dfe87d408 3594 nginx_1.22.1-9+deb12u9.dsc
 45a89797f7c789287c7f663811efbbd19e84f154 1073948 nginx_1.22.1.orig.tar.gz
 7f9c8b261edecb645f4c0a835f7422f2486cee42 86524 
nginx_1.22.1-9+deb12u9.debian.tar.xz
 e82648b4b875593d65570b2d01d50baed342e986 6049 
nginx_1.22.1-9+deb12u9_source.buildinfo
Checksums-Sha256:
 28baa4abda06503ae8ecde6e9f049905de7c172d6ec767636628bfcd87499cf4 3594 
nginx_1.22.1-9+deb12u9.dsc
 9ebb333a9e82b952acd3e2b4aeb1d4ff6406f72491bab6cd9fe69f0dea737f31 1073948 
nginx_1.22.1.orig.tar.gz
 3aebca44037e31b4148cec5a10dc673fdac176411aaa65a0094135895d154223 86524 
nginx_1.22.1-9+deb12u9.debian.tar.xz
 7552e7d6aa39cdd6d5d4dfec8533d3670a50330ec1b6a18f23b26e7ee41915cf 6049 
nginx_1.22.1-9+deb12u9_source.buildinfo
Files:
 ef6570185853d8af66df580ff40760d5 3594 httpd optional nginx_1.22.1-9+deb12u9.dsc
 8296d957561aeed0261d9be4d3decaec 1073948 httpd optional 
nginx_1.22.1.orig.tar.gz
 4b5846cc93e3081f11259b9dfa3aa12e 86524 httpd optional 
nginx_1.22.1-9+deb12u9.debian.tar.xz
 7f5d9ff00943baf3ad0e17930d7ec008 6049 httpd optional 
nginx_1.22.1-9+deb12u9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEECgzx8d8+AINglLHJt4M9ggJ8mQsFAmpH5z4ZHGNoYXJsZXNt
ZWxhcmFAcmlzZXVwLm5ldAAKCRC3gz2CAnyZC61iD/kB74h3E0bZ35vjjuLI5LmI
/FYTJlAJoRaUBvHi7tPKWLIm82/pGX6nB4wJ6/vUgiByCtYIHCLsch1cjLl05nt2
F0Ye2RCGng5DqoFTkGcWhKFHvrstZ4it+Rxb8vAOPYtxw4luLhUqW6VEMuzdicS0
+7lVDCRbE+wF6P5xAup7NO6wNlkJkTwOaTZHmF/wPzmuYj8oTsBACr2be1RdMMVo
PIGqXuj31qMLviEn0dnmnlgYng7W9UHEI6KaJfHepr+UAjpIwEhg7qxAT7lqqJCo
hOMrEudmoLUcUHj8/HtMZHYHWoP5HNVQj4RqmXf6a/X8hIjRcv44qYh1cqEaSysJ
6+gDJW19l8W45t8RJGv+7d93dp/wFvPpw+rEQsTx+YORntTMrmTj5VXBiyZe84wq
HxiTUyWi+ZP1t549MENZfuvAvwmvDGshkFu5e6QM7KGFiifXZf7SKRr0+GBdMWTO
PaFAUmOIdVd/mhrFEXzA8xL/HLaiOwwRRTbKJHiklnq03K+z+2kj2FtAYr+1fg8N
SCBc5L6STPLh9D1Ro9ByW7Eq+3r+Hlh2PLxZ8D+uS1+YVBnkvdFb1Z+lbv85fjsV
W0oPEmBft70zJDm5UkSkOcRclNX3nDx+VUUSMjow97mQfsCk44Z/mjqErHxdoEek
UeFMtuJq+99V8Y+bPu6pVQ==
=dPEl
-----END PGP SIGNATURE-----

Attachment: pgp3An61WpZvP.pgp
Description: PGP signature


--- End Message ---

Reply via email to