[Pkg-nginx-maintainers] nginx_1.22.1-9+deb12u8_source.changes ACCEPTED into oldstable-proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Mon Jun 8 20:50:23 BST 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Jun 2026 12:23:48 +0000
Source: nginx
Architecture: source
Version: 1.22.1-9+deb12u8
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers at alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis at debian.org>
Changes:
 nginx (1.22.1-9+deb12u8) bookworm-security; urgency=medium
 .
   * Apply both patches to fix CVE-2026-42946. In the previous version,
     only one part of the patch was applied, so the fix was incomplete.
     This really fixes CVE-2026-42946, thanks to charles at debian.org for
     pointing it out.
     * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch
     * d/p/CVE-2026-42946.1.patch add
   * backport fix for buffer overflow vulnerability in the
     ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
     * d/p/CVE-2026-9256.patch add
   * backport max_headers directive from upstream nginx. It limits the number
     of request headers accepted from clients. Fixes remote denial-of-service
     exploit.
     And move max_headers from core module to the ngx_http_header_count_module
     to avoid potential ABI breakage and keep all the 3rd party modules
     compatible with the new version of nginx without recompilation.
     A big thanks to Miao Wang for preparing the modification.
     Fixes TEMP-1138794-BADE22.
     * d/p/FIX-HTTP2bomb.patch add
Checksums-Sha1:
82131c062255a4b51044f62d8e69ef7594e575f2 3827 nginx_1.22.1-9+deb12u8.dsc
45a89797f7c789287c7f663811efbbd19e84f154 1073948 nginx_1.22.1.orig.tar.gz
ba23b11e0b8f27e8aadc86f565fee7be025cad66 683 nginx_1.22.1.orig.tar.gz.asc
5300273ebb4b0d24077189e12fb8fbb5916055b1 84416 nginx_1.22.1-9+deb12u8.debian.tar.xz
d6bc1f959ef07b35b60af0a3b2e610dc10e05a02 8834 nginx_1.22.1-9+deb12u8_source.buildinfo
Checksums-Sha256:
4b4e8090a1f48536ac2a77dbc6e57b19d7cbc15ecbe2243afa7b857e2e97c9b0 3827 nginx_1.22.1-9+deb12u8.dsc
9ebb333a9e82b952acd3e2b4aeb1d4ff6406f72491bab6cd9fe69f0dea737f31 1073948 nginx_1.22.1.orig.tar.gz
e3c34c995f8d2748a323cf3ad5d7fbc6ddcc57f0f4b5fc6e494894cadf6075fc 683 nginx_1.22.1.orig.tar.gz.asc
94eda79dfca04280e1b0f676ddbb1090c59c619d9d9c9667f32d997097ff752e 84416 nginx_1.22.1-9+deb12u8.debian.tar.xz
5cad989730a1c34452427ea557443c09e307d911de091571b76cfaa04d9b226e 8834 nginx_1.22.1-9+deb12u8_source.buildinfo
Files:
61534e6781e453772735c669e5279ce2 3827 httpd optional nginx_1.22.1-9+deb12u8.dsc
8296d957561aeed0261d9be4d3decaec 1073948 httpd optional nginx_1.22.1.orig.tar.gz
aaf853b5467d007c528067ee7393fff3 683 httpd optional nginx_1.22.1.orig.tar.gz.asc
dd40d329225ee603341793ebe0364d37 84416 httpd optional nginx_1.22.1-9+deb12u8.debian.tar.xz
33a34115a39e0b53235e662c4a22e265 8834 httpd optional nginx_1.22.1-9+deb12u8_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----