On Fri, 5 Jun 2026, 14:47, Arnaud de Prelle <[email protected]> wrote:
> Hi all,
>
> Thank you for your adaptations.
>
> Alert has now disappeared from pkg audit -F as the vuXML database now
> shows:
> 0.1.17,3 <= nginx < 1.30.2_2,3
> 1.31.0,3 <= nginx < 1.31.1,3
>
> Kind regards,
> Arnaud.
>

Thank you all for reporting and sorry for the mistake.

> On 2026-06-01 22:42, Fernando Apesteguía wrote:
> > Including joneum@ who maintains the port.
> >
> > On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <[email protected]> wrote:
> >
> >> [fernape@ added]
> >>
> >> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
> >> >
> >> > Hi,
> >> >
> >> > As per
> >> > - https://www.freshports.org/www/nginx/ and
> >> > - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> >> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
> >>
> >> The contents of this URL were stale -- the VuXML now says nginx < 1.31.1,3
> >> (since yesterday), which explains why pkg audit is detecting it.
> >>
> >> > I'm using the latest version of nginx:
> >> > # pkg info nginx | grep Version
> >> > Version : 1.30.2_2,3
> >> >
> >> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> >> > # pkg audit -F
> >> > vulnxml file up-to-date
> >> > nginx-1.30.2_2,3 is vulnerable:
> >> > nginx -- heap buffer overflow in ngx_http_rewrite_module
> >> > CVE: CVE-2026-9256
> >> > WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> >> >
> >> > Am I missing something?
> >>
> >> The VuXML looks wrong to me now.
> >>
> >> nginx released both 1.30.2 and 1.31.1 to fix this CVE
> >> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
> >>
> >> __Martin
> >>
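Added example, not part of the thread and not pkg's own code: a simplified Python model of range matching against a VuXML entry, run on the two range sets quoted in the messages above. The function and constant names are hypothetical, and the parser assumes purely numeric `version[_revision][,epoch]` strings rather than the full pkg version grammar.

```python
import re

def parse(v):
    """Turn 'version[_revision][,epoch]' into a sortable key (numeric versions only)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    ver, rev, epoch = m.groups()
    # PORTEPOCH is compared first, then the upstream version, then PORTREVISION.
    return (int(epoch or 0), tuple(int(p) for p in ver.split(".")), int(rev or 0))

def affected(installed, ranges):
    """True if `installed` falls in any (ge, lt) range; None means unbounded."""
    key = parse(installed)
    for ge, lt in ranges:
        lower_ok = ge is None or parse(ge) <= key
        upper_ok = lt is None or key < parse(lt)
        if lower_ok and upper_ok:
            return True
    return False

# "nginx < 1.31.1,3", the single range quoted in the 1 June message.
SINGLE_RANGE = [(None, "1.31.1,3")]

# The two ranges quoted in the 5 June message.
CORRECTED_RANGES = [
    ("0.1.17,3", "1.30.2_2,3"),
    ("1.31.0,3", "1.31.1,3"),
]

def report(installed):
    """Compare the verdict for one installed version under both entries."""
    return {
        "single_range": affected(installed, SINGLE_RANGE),
        "corrected": affected(installed, CORRECTED_RANGES),
    }

if __name__ == "__main__":
    for version in ("1.30.2_2,3", "1.31.0,3", "1.31.1,3"):
        print(version, report(version))
```

The upper bound is exclusive, so `1.30.2_2,3` sits exactly on the edge of the first corrected range and is no longer matched, while it is still below the single `< 1.31.1,3` bound.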
