Hi all,
Thank you for your adaptations.
Alert has now disappeared from pkg audit -F as the vuXML database now shows:
0.1.17,3 <= nginx < 1.30.2_2,3
1.31.0,3 <= nginx < 1.31.1,3
Kind regards,
Arnaud.
On 2026-06-01 22:42, Fernando Apesteguía wrote:
Including joneum@ who maintains the port.
On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <[email protected]> wrote:
[fernape@ added]
>>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
>
> Hi,
>
> As per
> - https://www.freshports.org/www/nginx/ and
> - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> CVE-2026-9256 should be fixed since nginx 1.30.2,3.
The contents of this URL were stale -- the VuXML now says nginx < 1.31.1,3
(since yesterday), which explains why pkg audit is detecting it.
> I'm using the latest version of nginx:
> # pkg info nginx | grep Version
> Version : 1.30.2_2,3
>
> But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> # pkg audit -F
> vulnxml file up-to-date
> nginx-1.30.2_2,3 is vulnerable:
> nginx -- heap buffer overflow in ngx_http_rewrite_module
> CVE: CVE-2026-9256
> WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>
> Am I missing something?
The VuXML looks wrong to me now.
nginx released both 1.30.2 and 1.31.1 to fix this CVE
(https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
__Martin
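The thread turns on how pkg audit matches an installed version against the VuXML ranges: the stale entry `nginx < 1.31.1,3` caught 1.30.2_2,3, while the corrected pair `0.1.17,3 <= nginx < 1.30.2_2,3` and `1.31.0,3 <= nginx < 1.31.1,3` does not. The script below is an added example (not pkg's code nor anything from the thread) that re-implements, in simplified form, the version ordering pkg applies: epoch (`,N`) first, then the dotted numeric version with missing trailing components treated as 0, then port revision (`_N`). It deliberately handles only the numeric forms that appear above; pkg's letter-suffix and `+` rules are left out. The range lines and package versions used at the bottom are constructed to mirror the thread.

```python
"""Check an installed FreeBSD package version against VuXML affected ranges.

Added example, not pkg's own code: a simplified re-implementation of the
comparison that `pkg audit` applies to VuXML range entries. Handles dotted
numeric versions, `_N` port revisions and `,N` epochs; pkg's letter-suffix
and `+` rules are intentionally not implemented.
"""
import re
from typing import List, Tuple

# One VuXML-style range line: "LO <= name < HI", "name < HI" or "LO <= name".
# At least one bound must be present; the package name carries no comma,
# which is what keeps a version like "1.30.2_2,3" from being read as a name.
RANGE_RE = re.compile(
    r"^(?:(?P<lo>\S+)\s*(?P<lo_op><=|<)\s*)?"
    r"(?P<name>[A-Za-z0-9_.+-]+)"
    r"(?:\s*(?P<hi_op><=|<)\s*(?P<hi>\S+))?$"
)


def parse_version(text: str) -> Tuple[int, Tuple[int, ...], int]:
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, components, revision)."""
    epoch = 0
    if "," in text:
        text, epoch_str = text.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in text:
        text, rev_str = text.rsplit("_", 1)
        revision = int(rev_str)
    components = tuple(int(part) for part in text.split("."))
    return epoch, components, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1: epoch decides first, then the dotted version
    (missing trailing components count as 0), then the port revision."""
    ea, va, ra = parse_version(a)
    eb, vb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    width = max(len(va), len(vb))
    va = va + (0,) * (width - len(va))
    vb = vb + (0,) * (width - len(vb))
    if va != vb:
        return -1 if va < vb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def in_range(installed: str, spec: str) -> bool:
    """True if the installed version satisfies one VuXML range line."""
    m = RANGE_RE.match(spec.strip())
    if m is None or (m["lo"] is None and m["hi"] is None):
        raise ValueError(f"unrecognised range: {spec!r}")
    lo, lo_op, hi, hi_op = m["lo"], m["lo_op"], m["hi"], m["hi_op"]
    if lo is not None:
        c = compare_versions(lo, installed)
        if not (c < 0 or (c == 0 and lo_op == "<=")):
            return False
    if hi is not None:
        c = compare_versions(installed, hi)
        return c < 0 or (c == 0 and hi_op == "<=")
    return True


def is_vulnerable(installed: str, ranges: List[str]) -> bool:
    """pkg audit flags the package when any affected range matches."""
    return any(in_range(installed, spec) for spec in ranges)


# Constructed sample data mirroring the thread: the stale single range that
# produced the alert, and the corrected pair of ranges that cleared it.
STALE_RANGES = ["nginx < 1.31.1,3"]
CORRECTED_RANGES = [
    "0.1.17,3 <= nginx < 1.30.2_2,3",
    "1.31.0,3 <= nginx < 1.31.1,3",
]

if __name__ == "__main__":
    for version in ("1.30.2,3", "1.30.2_2,3", "1.31.0,3", "1.31.1,3"):
        print(f"{version:12} stale={is_vulnerable(version, STALE_RANGES)!s:5} "
              f"corrected={is_vulnerable(version, CORRECTED_RANGES)}")
```

Running it shows the two facts the thread establishes: 1.30.2_2,3 is inside the stale range but outside both corrected ranges, while an unrevised 1.30.2,3 package would still be flagged under the corrected data. The epoch check is why a higher-looking version with a lower epoch (say `1.31.1,2`) sorts below `1.30.2,3`; that is the ordering `pkg version -t` reports, and the place where hand-written comparisons of pkg versions most often go wrong.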