Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:

7fd7a067 by Carlos Henrique Lima Melara at 2026-05-19T10:45:37+02:00

CVE-2026-28755/nginx: add reference for commit introducing vulnerability

The vulnerability was introduced in 581cf22 [1] as mentioned in the commit fixing the vulnerability (78f5814) [2]. It reads:

    Stream: fixed client certificate validation with OCSP.
    Check for OCSP status was missed in 581cf22, resulting in a broken validation.

581cf22 is the one introducing "client certificate validation with OCSP" and the ssl_ocsp directive mentioned in the F5 advisory [3].

The patch was cherry-picked for trixie and bookworm via p-u; the patch seems harmless but it does not fix the vulnerability because it does not exist on versions older than 1.27.2, so it marks trixie, bookworm and bullseye as not-affected.

[1] https://github.com/nginx/nginx/commit/581cf22673fc63e206693294161ea32e691a432f
[2] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
[3] https://my.f5.com/manage/s/article/K000160368

- - - - -

9cb0e63f by Carlos Henrique Lima Melara at 2026-05-19T10:45:38+02:00

CVE-2026-42946/nginx: bookworm, trixie uploads (both DSA) did not fix it

nginx 1.22.1-9+deb12u7 (bookworm) [1] and 1.26.3-3+deb13u5 (trixie) [2] included a patch that was a regression commit (39d7d0b) [3] for the fix of CVE-2026-42946, but they did not include the fix itself (baef7fd) [4].
[1] https://salsa.debian.org/nginx-team/nginx/-/blob/0860088df41f854ccdf6d2a04861466bfe41693e/debian/patches/CVE-2026-42946.patch
[2] https://salsa.debian.org/nginx-team/nginx/-/blob/92f8f092058d77d5ccdd4a58e48053377020a7e0/debian/patches/CVE-2026-42946.patch
[3] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd
[4] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e

- - - - -

c06be90c by Salvatore Bonaccorso at 2026-05-20T07:19:44+02:00

Merge branch 'update-nginx-triage' into 'master'

Update CVE-2026-28755/nginx and CVE-2026-42946/nginx

See merge request security-tracker-team/security-tracker!299

- - - - -

2 changed files:

- data/CVE/list
- data/DSA/list

Changes:

===================================== data/CVE/list ===================================== @@ -2876,7 +2876,7 @@ CVE-2026-42945 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx NOTE: https://nginx.org/en/security_advisories.html NOTE: https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 (release-1.30.1) CVE-2026-42946 (A vulnerability exists in the ngx_http_scgi_moduleand ngx_http_uwsgi_m ...) - {DSA-6278-1 DLA-4589-1} + {DLA-4589-1} - nginx 1.30.0-4 NOTE: https://my.f5.com/manage/s/article/K000161027 NOTE: https://nginx.org/en/security_advisories.html 
@@ -33422,9 +33422,11 @@ CVE-2026-29772 (Astro is a web framework. Prior to version 10.0.0, Astro's Serve NOT-FOR-US: Astro CVE-2026-28755 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_strea ...) - nginx 1.28.3-2 - [trixie] - nginx 1.26.3-3+deb13u3 - [bookworm] - nginx 1.22.1-9+deb12u5 + [trixie] - nginx <not-affected> (Vulnerable code introduced later) + [bookworm] - nginx <not-affected> (Vulnerable code introduced later) + [bullseye] - nginx <not-affected> (Vulnerable code introduced later) NOTE: https://my.f5.com/manage/s/article/K000160368 + NOTE: Introduced with: https://github.com/nginx/nginx/commit/581cf22673fc63e206693294161ea32e691a432f (release-1.27.2) NOTE: Fixed by: https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 (release-1.28.3) CVE-2026-28753 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_ ...) {DLA-4589-1} ===================================== data/DSA/list ===================================== @@ -10,7 +10,7 @@ [bookworm] - redis 5:7.0.15-1~deb12u7 [trixie] - redis 5:8.0.2-3+deb13u2 [16 May 2026] DSA-6278-1 nginx - security update - {CVE-2026-40701 CVE-2026-42934 CVE-2026-42945 CVE-2026-42946} + {CVE-2026-40701 CVE-2026-42934 CVE-2026-42945} [bookworm] - nginx 1.22.1-9+deb12u7 [trixie] - nginx 1.26.3-3+deb13u5 [15 May 2026] DSA-6277-1 openjpeg2 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cb67e16056f18c9dce7c93e81242ee111237c...c06be90c09401cc6a25e255285b44a6d83067d6c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cb67e16056f18c9dce7c93e81242ee111237c...c06be90c09401cc6a25e255285b44a6d83067d6c You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
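Review bot: in the data/CVE/list hunk at @@ -2876 (CVE-2026-42946), dropping DSA-6278-1 from the advisory braces is right given the commit message, but the entry's NOTE lines still point only at the F5 article and the nginx advisories page, so nothing in the tracker records which upstream commit actually fixes the issue or that the DSA uploads carried only the regression commit. The commit message names both (fix baef7fd, regression commit 39d7d0b); suggest adding `NOTE: Fixed by: https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e` next to the existing NOTEs, in the same "Fixed by:" form used for CVE-2026-28755 further down, so the next bookworm and trixie uploads pick up the right patch.

Review bot: in the data/CVE/list hunk at @@ -33422 (CVE-2026-28755), the trixie 1.26.3-3+deb13u3 and bookworm 1.22.1-9+deb12u5 fixed-version lines are replaced by `<not-affected>` markers, but the entry no longer says that those uploads did ship a backport that is a no-op on pre-1.27.2 code, which is the reasoning given in the commit message. Suggest keeping that in a NOTE beside the new "Introduced with:" line (for instance `NOTE: deb12u5/deb13u3 carried the backport, but the ssl_ocsp client validation code is absent before release-1.27.2`), so a later triager seeing the CVE name in those changelogs does not re-add fixed versions. The bullseye marker and the "(Vulnerable code introduced later)" justification on all three lines are consistent with the release-1.27.2 tag on the new NOTE.

Review bot: in the data/DSA/list hunk at @@ -10, removing CVE-2026-42946 from DSA-6278-1 keeps the DSA file consistent with the CVE entry, but the advisory as published on 16 May listed that CVE (the removed line shows it) and the DSA's versions 1.22.1-9+deb12u7 and 1.26.3-3+deb13u5 stay as they are. Suggest the merge request or a tracker NOTE record that a follow-up DSA for bookworm and trixie is needed once baef7fd is backported, since the published advisory text still claims a fix that this change says was not shipped.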
