[From nobody Thu May 21 13:51:07 2026 Received: (at 1137215-close) by bugs.debian.org; 21 May 2026 12:48:50 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-114.2 required=4.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FVGT_m_MULTI_ODD, HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE,USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 105; hammy, 150; neutral, 161; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--HX-DAK:process-upload, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo. Return-path: <envelope@ftp-master.debian.org> Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:43364) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wQ2pW-00CxIR-2Q for 1137215-close@bugs.debian.org; Thu, 21 May 2026 12:48:50 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by muffat.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wQ2pV-005HSG-32 for 1137215-close@bugs.debian.org; Thu, 21 May 2026 12:48:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=C5NE6HZuiKnGSCiJ9STZRVord5Srq/5gvps6ImRycjQ=; b=iMqoFKHfhuCRzBrZDieXVR1Ch2 RAlZ+xtL3TSMeJVdbJ2BWhkKts3DGMlxgIu8BSVyTHU1qoxZlLlth6RPLjTCLPKbr1briUf5sDP/8 0d2lyrzNyoKYppTdQnOK/9tDK0pCPaVvYlCBPOxru5v0s4f8BsL5G8iIx2zgxz1ai8pnWYCNNnJSz oY6WrAgv61nJiNOF35nF9W1qN7NMl/ja5BRbJbRnbh13fpe62p9a9Z3Fc041AIvN/IiNwk1RZIn6q g51c3Rv0r0VvAFd8s4UAohIKlYzGVykVMXzn+sYnBn4qy6IgOLOZ/ePWoeoy2H1krQv4B536uDmjY val0zekg==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1wQ2pV-00000002f9y-0Sb3; Thu, 21 May 2026 12:48:49 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: =?utf-8?b?SsOpcsOpbXkgTGFs?= <kapouer@melix.org> To: 1137215-close@bugs.debian.org X-DAK: dak process-upload X-Debian: DAK X-Debian-Package: libnginx-mod-js Debian: DAK Debian-Changes: libnginx-mod-js_0.9.9-1_source.changes Debian-Source: libnginx-mod-js Debian-Version: 0.9.9-1 Debian-Architecture: source Debian-Suite: unstable Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1137215: fixed in libnginx-mod-js 0.9.9-1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============4948395550315493370==" Message-Id: <E1wQ2pV-00000002f9y-0Sb3@fasolo.debian.org> Date: Thu, 21 May 2026 12:48:49 +0000 --===============4948395550315493370== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: libnginx-mod-js Source-Version: 0.9.9-1 Done: J=C3=A9r=C3=A9my Lal <kapouer@melix.org> We believe that the bug you reported is fixed in the latest version of libnginx-mod-js, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1137215@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. J=C3=A9r=C3=A9my Lal <kapouer@melix.org> (supplier of updated libnginx-mod-js= package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 21 May 2026 10:26:11 +0200 Source: libnginx-mod-js Architecture: source Version: 0.9.9-1 Distribution: unstable Urgency: medium Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debi= an.net> Changed-By: J=C3=A9r=C3=A9my Lal <kapouer@melix.org> Closes: 1137215 Changes: libnginx-mod-js (0.9.9-1) unstable; urgency=3Dmedium . * New upstream version 0.9.9 CVE-2026-8711: Heap buffer overflow in a worker process when the js_fetch_proxy directive value contains nginx variables derived from the client request and the location's JS handler invokes ngx.fetch(). Closes: #1137215. . [ Miao Wang ] * Separate the build directory for the njs CLI tool, to prevent the compiled modules from being linked with the .a files of the CLI tool, which causes the njs JS engine fails to load. Checksums-Sha1: 76f59d8f712d478e24ebf752cb2f147faa332f83 2302 libnginx-mod-js_0.9.9-1.dsc 8ad35183b5546657c7bb6b9c57c13999b1762983 994416 libnginx-mod-js_0.9.9.orig.t= ar.gz 0c1e5dffd60dd4c98760620922bbf55d4dab7d2d 6520 libnginx-mod-js_0.9.9-1.debian= .tar.xz 625351b9ee8d1e8011b89d7920ecfd13faef60e7 10337 libnginx-mod-js_0.9.9-1_sourc= e.buildinfo Checksums-Sha256: aca63901e7e76b4b6674786de948d1b99ca72deda7c67c1b8b1de11340e2f37e 2302 libngi= nx-mod-js_0.9.9-1.dsc ac98f680c48b3a00e80e047372d29cd6e7b423eeba26a64e9cbc40a6f8dbee2b 994416 libn= ginx-mod-js_0.9.9.orig.tar.gz dcaf6053035f9bb537e5cc75fa975e5e26300c7fe2c68a7df704a27110576f1f 6520 libngi= nx-mod-js_0.9.9-1.debian.tar.xz 960f03c1cd34e63b99e837a853c6d73d1a5023b913835898584ec0fe01684c68 10337 libng= inx-mod-js_0.9.9-1_source.buildinfo Files: 43649deb220a3f6baa611e7f21e79780 2302 httpd optional libnginx-mod-js_0.9.9-1= .dsc b88ee93fa47dc23519cc537a7db57e0c 994416 httpd optional libnginx-mod-js_0.9.9= .orig.tar.gz ec9621afee28538ec6194f2d6153b3df 6520 httpd optional libnginx-mod-js_0.9.9-1= .debian.tar.xz bc0a2f17d6bc3d191d80ec26999a6d65 10337 httpd optional libnginx-mod-js_0.9.9-= 1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJGBAEBCAAwFiEEA8Tnq7iA9SQwbkgVZhHAXt0583QFAmoO+acSHGthcG91ZXJA bWVsaXgub3JnAAoJEGYRwF7dOfN0pzwP/3QW5ThsoauS+ua5RdOlxz3qaeE/efoQ f0aVKeDsKOeSaK6Um5HRlMS0xj63O2mUNB8bXkpSDDpPaRopLjs6A6SL4/ffEOis 6lumc3ygsp+YrWkssUxVnAKfpKmX1yuxSUAtUVlSoNgHAVL8HlIuDTLdVh6V5qrV mJkhPSxGzQNNkqEInIYeLcyO+Up6TfRTnpGJWzoER2IWzWGQhaf42DpX4I3Wfr4r 3PGy5/1Rlw1USuZltqcm/+ctN7Jq/YTycscSp86kojcts0rF5IvrWSob9TjEsabI Gw9/1kc1VFZVZit0ZMpJNrlBJ69YBG+D9wSYeNM+LWgNl5/U6uW+2fhCCud1E6UO v2ByFUX+xCM+osLcRtQ5eFOa3RXh0CrUIP50ArtimXmhzW6SkWdmWeHE2JYEnaB7 hWKwHlc3SjYbgomKLLHT0zZYRyKb8UCGRczDzehJ1PzW4gwYKY42rgpshv6qvZ2D //dKeWyAj/F4GPP0pWQi2tM/EIvcA5EJOtQLCZsTIh8HrEV4HK8mfWipOb+4DSz0 +sf1KI9dRzkaGkc40/V07cEMzfHHh3fY/hZoWNqF/6MmIqVeki2iRP5LwlJLIFns 1cl0fU+vypJlD2IrOv2bo1mBDfqwVpuqhVakpNHBXGg8WYLoabOnSLJIUzPiaPhF NQyyVmgQdXIx =3D/sUL -----END PGP SIGNATURE----- --===============4948395550315493370== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCag7/MQAKCRCb9qggYcy5 IVHzAP9ICaY1RcKBsZ4ldNIWg3KquI1dovVojFtJ79tFoHQAPgD/QjZgl6aa9hxY T8ZXt1ZpPcCnyzE1MkAjhxGeB8KtCAA= =6+GO -----END PGP SIGNATURE----- --===============4948395550315493370==-- ]