--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:nginx
User: [email protected]
Usertags: pu
Hi,
the Debian nginx package currently uses "$http_host" in the default
*_params configuration files (proxy_params, fastcgi_params, scgi_params,
uwsgi_params) when setting HTTP_HOST / Host.
"$http_host" is the Host header exactly as supplied by the client.
This is unsafe when a client sends an absolute-form request target together
with a different Host header, for example:
GET https://example.com/ HTTP/1.1
Host: malformedhost
In such a case, passing "$http_host" upstream exposes the raw client-supplied
Host value ("malformedhost") to the backend application, even though it does
not match the effective request target. Applications often use HTTP_HOST for
redirects, absolute URL generation, virtual host routing, or security checks;
forwarding the raw Host header can therefore lead to incorrect or unsafe
behaviour.
Newer nginx versions (since 1.30.0) introduce variables "$is_request_port" and
"$request_port", allowing HTTP_HOST to be constructed as:
$host$is_request_port$request_port
In stable/oldstable packages we use "$host" as a security workaround.
It avoids forwarding an untrusted raw Host header to the backend.
Note: this changes behaviour compared to previous versions, because "$host"
does not preserve the client-supplied port, while "$http_host" typically
does. Existing deployments that rely on "$http_host" containing a port number
may therefore break or behave differently after this change.
[ Impact ]
Without fix, this can lead to attacker-controlled
HTTP_HOST/Host values and may affect 'host' handling.
In particular, configuration relying on host-based logic may be bypassed,
e.g. exposing internal endpoints.
[ Tests ]
Autopkgtests have been added in unstable to cover this behaviour and
prevent regressions in the future. These tests were also used to verify
the fix for the stable/oldstable versions.
[ Risks ]
The change replaces "$http_host" with "$host", which does not preserve
the client-supplied port. Deployments relying on HTTP_HOST including a
port number may observe behavioural changes and should be used
carefully.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The fix contains only configuration changes.
Updates d/conf/*_params to use "$host" instead of "$http_host" when
setting HTTP_HOST / Host
[ Other info ]
The change also includes a NEWS entry describing
this behaviour change.
diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog 2026-03-30 21:10:24.000000000 +0200
+++ nginx-1.22.1/debian/changelog 2026-04-22 22:15:43.000000000 +0200
@@ -1,3 +1,19 @@
+nginx (1.22.1-9+deb12u6) bookworm; urgency=medium
+
+ * d/conf/*_params: use "$host" instead of "$http_host"
+ * "$http_host" forwards the Host header exactly as supplied by the client
+ and may not match the effective request target (e.g. absolute-form
+ requests with a conflicting Host header)
+ this can expose inconsistent or attacker-controlled host values to
+ backend applications (uwsgi, fastcgi, scgi, proxy)
+ * switch to "$host" as a safer, normalized alternative
+ * note: this changes behaviour, as "$host" does not preserve the
+ client-supplied port; deployments relying on "$http_host" including
+ a port number may be affected
+ * it is workaround for Debian bug #1126960 for stable/oldstable release
+
+ -- Jan MojžÃÅ¡ <[email protected]> Wed, 22 Apr 2026 20:15:43 +0000
+
nginx (1.22.1-9+deb12u5) bookworm; urgency=medium
* backport changes from upstream nginx, fixes for buffer overflow
diff -Nru nginx-1.22.1/debian/conf/fastcgi_params
nginx-1.22.1/debian/conf/fastcgi_params
--- nginx-1.22.1/debian/conf/fastcgi_params 2026-03-30 21:10:24.000000000
+0200
+++ nginx-1.22.1/debian/conf/fastcgi_params 2026-04-22 22:15:43.000000000
+0200
@@ -24,3 +24,34 @@
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
+
+# !!! Security workaround !!!
+# Do not use HTTP_HOST as "$http_host".
+#
+# "$http_host" is the Host header exactly as supplied by the client.
+# This is unsafe when a client sends an absolute-form request target together
+# with a different Host header, for example:
+#
+# GET https://example.com/ HTTP/1.1
+# Host: malformedhost
+#
+# In such a case, passing "$http_host" upstream exposes the raw client-supplied
+# Host value ("malformedhost") to the backend application, even though it does
+# not match the effective request target. Applications often use HTTP_HOST for
+# redirects, absolute URL generation, virtual host routing, or security checks;
+# forwarding the raw Host header can therefore lead to incorrect or unsafe
+# behaviour.
+#
+# Newer nginx versions (since 1.30.0) introduce variables "$is_request_port"
and
+# "$request_port", allowing HTTP_HOST to be constructed as:
+# $host$is_request_port$request_port
+#
+# In stable/oldstable packages we use "$host" as a security workaround.
+# It avoids forwarding an untrusted raw Host header to the backend.
+#
+# Note: this changes behaviour compared to previous versions, because "$host"
+# does not preserve the client-supplied port, while "$http_host" typically
+# does. Existing deployments that rely on "$http_host" containing a port number
+# may therefore break or behave differently after this change.
+
+fastcgi_param HTTP_HOST $host;
diff -Nru nginx-1.22.1/debian/conf/proxy_params
nginx-1.22.1/debian/conf/proxy_params
--- nginx-1.22.1/debian/conf/proxy_params 2026-03-30 21:10:24.000000000
+0200
+++ nginx-1.22.1/debian/conf/proxy_params 2026-04-22 22:15:43.000000000
+0200
@@ -1,4 +1,33 @@
-proxy_set_header Host $http_host;
+# !!! Security workaround !!!
+# Do not set the `Host` header as "$http_host".
+#
+# "$http_host" is the Host header exactly as supplied by the client.
+# This is unsafe when a client sends an absolute-form request target together
+# with a different Host header, for example:
+#
+# GET https://example.com/ HTTP/1.1
+# Host: malformedhost
+#
+# In such a case, passing "$http_host" upstream exposes the raw client-supplied
+# Host value ("malformedhost") to the backend application, even though it does
+# not match the effective request target. Applications often use HTTP_HOST for
+# redirects, absolute URL generation, virtual host routing, or security checks;
+# forwarding the raw Host header can therefore lead to incorrect or unsafe
+# behaviour.
+#
+# Newer nginx versions (since 1.30.0) introduce variables "$is_request_port"
and
+# "$request_port", allowing `Host` to be constructed as:
+# $host$is_request_port$request_port
+#
+# In stable/oldstable packages we use "$host" as a security workaround.
+# It avoids forwarding an untrusted raw Host header to the backend.
+#
+# Note: this changes behaviour compared to previous versions, because "$host"
+# does not preserve the client-supplied port, while "$http_host" typically
+# does. Existing deployments that rely on "$http_host" containing a port number
+# may therefore break or behave differently after this change.
+
+proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
diff -Nru nginx-1.22.1/debian/conf/scgi_params
nginx-1.22.1/debian/conf/scgi_params
--- nginx-1.22.1/debian/conf/scgi_params 2026-03-30 21:10:24.000000000
+0200
+++ nginx-1.22.1/debian/conf/scgi_params 2026-04-22 22:15:43.000000000
+0200
@@ -15,3 +15,34 @@
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;
+
+# !!! Security workaround !!!
+# Do not use HTTP_HOST as "$http_host".
+#
+# "$http_host" is the Host header exactly as supplied by the client.
+# This is unsafe when a client sends an absolute-form request target together
+# with a different Host header, for example:
+#
+# GET https://example.com/ HTTP/1.1
+# Host: malformedhost
+#
+# In such a case, passing "$http_host" upstream exposes the raw client-supplied
+# Host value ("malformedhost") to the backend application, even though it does
+# not match the effective request target. Applications often use HTTP_HOST for
+# redirects, absolute URL generation, virtual host routing, or security checks;
+# forwarding the raw Host header can therefore lead to incorrect or unsafe
+# behaviour.
+#
+# Newer nginx versions (since 1.30.0) introduce variables "$is_request_port"
and
+# "$request_port", allowing HTTP_HOST to be constructed as:
+# $host$is_request_port$request_port
+#
+# In stable/oldstable packages we use "$host" as a security workaround.
+# It avoids forwarding an untrusted raw Host header to the backend.
+#
+# Note: this changes behaviour compared to previous versions, because "$host"
+# does not preserve the client-supplied port, while "$http_host" typically
+# does. Existing deployments that rely on "$http_host" containing a port number
+# may therefore break or behave differently after this change.
+
+scgi_param HTTP_HOST $host;
diff -Nru nginx-1.22.1/debian/conf/uwsgi_params
nginx-1.22.1/debian/conf/uwsgi_params
--- nginx-1.22.1/debian/conf/uwsgi_params 2026-03-30 21:10:24.000000000
+0200
+++ nginx-1.22.1/debian/conf/uwsgi_params 2026-04-22 22:15:43.000000000
+0200
@@ -15,3 +15,34 @@
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;
+
+# !!! Security workaround !!!
+# Do not use HTTP_HOST as "$http_host".
+#
+# "$http_host" is the Host header exactly as supplied by the client.
+# This is unsafe when a client sends an absolute-form request target together
+# with a different Host header, for example:
+#
+# GET https://example.com/ HTTP/1.1
+# Host: malformedhost
+#
+# In such a case, passing "$http_host" upstream exposes the raw client-supplied
+# Host value ("malformedhost") to the backend application, even though it does
+# not match the effective request target. Applications often use HTTP_HOST for
+# redirects, absolute URL generation, virtual host routing, or security checks;
+# forwarding the raw Host header can therefore lead to incorrect or unsafe
+# behaviour.
+#
+# Newer nginx versions (since 1.30.0) introduce variables "$is_request_port"
and
+# "$request_port", allowing HTTP_HOST to be constructed as:
+# $host$is_request_port$request_port
+#
+# In stable/oldstable packages we use "$host" as a security workaround.
+# It avoids forwarding an untrusted raw Host header to the backend.
+#
+# Note: this changes behaviour compared to previous versions, because "$host"
+# does not preserve the client-supplied port, while "$http_host" typically
+# does. Existing deployments that rely on "$http_host" containing a port number
+# may therefore break or behave differently after this change.
+
+uwsgi_param HTTP_HOST $host;
diff -Nru nginx-1.22.1/debian/nginx-common.NEWS
nginx-1.22.1/debian/nginx-common.NEWS
--- nginx-1.22.1/debian/nginx-common.NEWS 2026-03-30 21:10:24.000000000
+0200
+++ nginx-1.22.1/debian/nginx-common.NEWS 2026-04-22 22:15:43.000000000
+0200
@@ -1,3 +1,19 @@
+nginx (1.26.3-3+deb13u4) UNRELEASED; urgency=medium
+
+ * d/conf/*_params: use "$host" instead of "$http_host"
+ * "$http_host" forwards the Host header exactly as supplied by the client
+ and may not match the effective request target (e.g. absolute-form
+ requests with a conflicting Host header)
+ this can expose inconsistent or attacker-controlled host values to
+ backend applications (uwsgi, fastcgi, scgi, proxy)
+ * switch to "$host" as a safer, normalized alternative
+ * note: this changes behaviour, as "$host" does not preserve the
+ client-supplied port; deployments relying on "$http_host" including
+ a port number may be affected
+ * it is workaround for Debian bug #1126960 for stable/oldstable release
+
+ -- Jan MojžÃÅ¡ <[email protected]> Mon, 20 Apr 2026 17:52:06 +0000
+
nginx-common (1.10.2-4) unstable; urgency=medium
Since nginx 1.9.14 Debian has gradually switched to dynamic loadable modules
--- End Message ---
