[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2026-28755/nginx: add reference for commit introducing vulnerability

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed May 20 06:19:48 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7fd7a067 by Carlos Henrique Lima Melara at 2026-05-19T10:45:37+02:00
CVE-2026-28755/nginx: add reference for commit introducing vulnerability

The vulnerability was introduced in 581cf22 [1] as mentioned in the
commit fixing the vulnerability (78f5814) [2]. It reads:

  Stream: fixed client certificate validation with OCSP.

  Check for OCSP status was missed in 581cf22, resulting
  in a broken validation.

581cf22 is the one introducing "client certificate validation with OCSP"
and the ssl_ocsp directive mentioned in the F5 advisory [3].

The patch was cherry-picked for trixie and bookworm via p-u; the patch
seems harmless, but it does not fix the vulnerability because it does not
exist in versions older than 1.27.2, so this marks trixie, bookworm and
bullseye as not-affected.

[1] https://github.com/nginx/nginx/commit/581cf22673fc63e206693294161ea32e691a432f
[2] https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
[3] https://my.f5.com/manage/s/article/K000160368

- - - - -
9cb0e63f by Carlos Henrique Lima Melara at 2026-05-19T10:45:38+02:00
CVE-2026-42946/nginx: bookworm, trixie uploads (both DSA) did not fix it

nginx 1.22.1-9+deb12u7 (bookworm) [1] and 1.26.3-3+deb13u5 (trixie) [2]
included a patch that was a regression commit (39d7d0b) [3] for the fix of
CVE-2026-42946, but they did not include the fix itself (baef7fd) [4].

[1] https://salsa.debian.org/nginx-team/nginx/-/blob/0860088df41f854ccdf6d2a04861466bfe41693e/debian/patches/CVE-2026-42946.patch
[2] https://salsa.debian.org/nginx-team/nginx/-/blob/92f8f092058d77d5ccdd4a58e48053377020a7e0/debian/patches/CVE-2026-42946.patch
[3] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd
[4] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e

- - - - -
c06be90c by Salvatore Bonaccorso at 2026-05-20T07:19:44+02:00
Merge branch 'update-nginx-triage' into 'master'

Update CVE-2026-28755/nginx and CVE-2026-42946/nginx

See merge request security-tracker-team/security-tracker!299
- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2876,7 +2876,7 @@ CVE-2026-42945 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx
 	NOTE: https://nginx.org/en/security_advisories.html
 	NOTE: https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 (release-1.30.1)
 CVE-2026-42946 (A vulnerability exists in the ngx_http_scgi_moduleand ngx_http_uwsgi_m ...)
-	{DSA-6278-1 DLA-4589-1}
+	{DLA-4589-1}
 	- nginx 1.30.0-4
 	NOTE: https://my.f5.com/manage/s/article/K000161027
 	NOTE: https://nginx.org/en/security_advisories.html
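Review bot: dropping DSA-6278-1 from the CVE-2026-42946 entry leaves only nginx 1.30.0-4 and DLA-4589-1 as recorded fixes, so bookworm and trixie now read as open with no [bookworm]/[trixie] line saying where they stand; since the merge-request message states that 1.22.1-9+deb12u7 and 1.26.3-3+deb13u5 carried only the 39d7d0b regression commit and not baef7fd, consider adding explicit [bookworm] and [trixie] lines (or a follow-up DSA-6278-2 reference once regression uploads exist) so the entry records that those uploads do not fix it rather than leaving it implicit. The DLA-4589-1 reference is kept unchanged; given that the CVE-2026-42946.patch files in the bookworm and trixie branches turned out to be the regression commit only, it is worth confirming that the bullseye upload behind that DLA actually contains baef7fd. Separately, the truncated description on the CVE-2026-42946 line reads "ngx_http_scgi_moduleand" (missing space); if that is a local edit rather than the upstream CVE text, fix it.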
@@ -33422,9 +33422,11 @@ CVE-2026-29772 (Astro is a web framework. Prior to version 10.0.0, Astro's Serve
 	NOT-FOR-US: Astro
 CVE-2026-28755 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_strea ...)
 	- nginx 1.28.3-2
-	[trixie] - nginx 1.26.3-3+deb13u3
-	[bookworm] - nginx 1.22.1-9+deb12u5
+	[trixie] - nginx <not-affected> (Vulnerable code introduced later)
+	[bookworm] - nginx <not-affected> (Vulnerable code introduced later)
+	[bullseye] - nginx <not-affected> (Vulnerable code introduced later)
 	NOTE: https://my.f5.com/manage/s/article/K000160368
+	NOTE: Introduced with: https://github.com/nginx/nginx/commit/581cf22673fc63e206693294161ea32e691a432f (release-1.27.2)
 	NOTE: Fixed by: https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 (release-1.28.3)
 CVE-2026-28753 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_ ...)
 	{DLA-4589-1}
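Review bot: the [trixie] and [bookworm] lines replace the recorded fixed versions 1.26.3-3+deb13u3 and 1.22.1-9+deb12u5 with <not-affected>, which is consistent with the new "Introduced with:" NOTE pointing at 581cf22 (release-1.27.2) and with the 1.26.x and 1.22.x versions shipped in those suites. Since those uploads still carry the cherry-picked 78f5814 backport (described in the commit message as harmless but not fixing anything there), the nginx maintainers may want to drop that debian/patches entry in the next trixie and bookworm uploads so the package does not keep a patch for code it does not contain. The [bullseye] line is new rather than a replacement, so there was no previous bullseye claim to reconcile; the (release-1.27.2) and (release-1.28.3) tags on the two NOTE lines give the affected upstream range directly, which is useful for anyone re-checking the triage.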


=====================================
data/DSA/list
=====================================
@@ -10,7 +10,7 @@
 	[bookworm] - redis 5:7.0.15-1~deb12u7
 	[trixie] - redis 5:8.0.2-3+deb13u2
 [16 May 2026] DSA-6278-1 nginx - security update
-	{CVE-2026-40701 CVE-2026-42934 CVE-2026-42945 CVE-2026-42946}
+	{CVE-2026-40701 CVE-2026-42934 CVE-2026-42945}
 	[bookworm] - nginx 1.22.1-9+deb12u7
 	[trixie] - nginx 1.26.3-3+deb13u5
 [15 May 2026] DSA-6277-1 openjpeg2 - security update
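Review bot: removing CVE-2026-42946 from the DSA-6278-1 CVE set is correct given that 1.22.1-9+deb12u7 and 1.26.3-3+deb13u5 shipped only the 39d7d0b regression commit and not baef7fd, but the advisory as published did name that CVE, so users who applied it will assume they are covered. Suggest a regression advisory (DSA-6278-2) with uploads that add baef7fd, recorded here as a new entry with its own [bookworm]/[trixie] versions, rather than only editing the existing entry's CVE list.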



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cb67e16056f18c9dce7c93e81242ee111237c...c06be90c09401cc6a25e255285b44a6d83067d6c


