From nobody Sun May 31 05:25:51 2026
Date: Sun, 31 May 2026 14:25:51 +0900 (JST)
From: Masachika ISHIZUKA
To: freebsd-security@freebsd.org
Subject: Why xorg-server-21.1.22,1 is vulnerable
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi.

# pkg audit -F
vulnxml file up-to-date
[snip]
xorg-server-21.1.22,1 is vulnerable:
  xorg-server -- Multiple vulnerabilities
  CVE: CVE-2026-34003
  CVE: CVE-2026-34002
  CVE: CVE-2026-34001
  CVE: CVE-2026-34000
  CVE: CVE-2026-33999
  WWW: https://vuxml.FreeBSD.org/freebsd/7b6463c6-3813-11f1-a284-589cfc10a551.html

Is this true ?

--
Masachika ISHIZUKA

From nobody Sun May 31 20:01:11 2026
Date: Sun, 31 May 2026 22:01:11 +0200
From: Arnaud de Prelle
To: freebsd-security@freebsd.org
Subject: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?

Hi,

As per
- https://www.freshports.org/www/nginx/
and
- https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
CVE-2026-9256 should be fixed since nginx 1.30.2,3.

I'm using the latest version of nginx:

# pkg info nginx | grep Version
Version : 1.30.2_2,3

But pkg audit -F reports this port as vulnerable to CVE-2026-9256:

# pkg audit -F
vulnxml file up-to-date
nginx-1.30.2_2,3 is vulnerable:
  nginx -- heap buffer overflow in ngx_http_rewrite_module
  CVE: CVE-2026-9256
  WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html

Am I missing something ?

Thanks,
Arnaud.
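
Added example, not part of either post and not pkg's own code: a simplified ordering of FreeBSD package versions (PORTVERSION, optional `_PORTREVISION`, optional `,PORTEPOCH`) to check how an installed version sorts against the fix version quoted in the message above. It assumes purely numeric dotted versions and hypothetical function names, and it says nothing about why `pkg audit` matched; on a real system `pkg version -t` is the authoritative comparison.

```python
# Added example: simplified ordering of FreeBSD package version strings.
# Assumption: numeric dotted versions only (no letters such as "1.0.a1").
# On a real system `pkg version -t A B` prints <, = or > authoritatively.
import re

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?")


def parse_pkg_version(text):
    """Split PORTVERSION[_PORTREVISION][,PORTEPOCH] into a sortable key."""
    match = _VERSION_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"unsupported version string: {text!r}")
    version = tuple(int(part) for part in match.group(1).split("."))
    revision = int(match.group(2) or 0)   # missing _N means revision 0
    epoch = int(match.group(3) or 0)      # missing ,N means epoch 0
    # Epoch dominates, then the upstream version, then the port revision.
    return (epoch, version, revision)


def compare(a, b):
    """Return '<', '=' or '>' in the style of `pkg version -t`."""
    key_a, key_b = parse_pkg_version(a), parse_pkg_version(b)
    if key_a < key_b:
        return "<"
    return ">" if key_a > key_b else "="


def split_pkg_name(pkg):
    """'nginx-1.30.2_2,3' -> ('nginx', '1.30.2_2,3')."""
    name, _, version = pkg.rpartition("-")
    return name, version


def older_than_fix(installed_pkg, fixed_version):
    """True when the installed package sorts before the stated fix version."""
    _, version = split_pkg_name(installed_pkg)
    return compare(version, fixed_version) == "<"


if __name__ == "__main__":
    # Values taken from the message above: installed package and stated fix.
    installed, fixed = "nginx-1.30.2_2,3", "1.30.2,3"
    print(installed, compare(split_pkg_name(installed)[1], fixed), fixed)
    print("older than fix:", older_than_fix(installed, fixed))
    # Constructed case: a higher upstream version with a lower epoch sorts older.
    print("1.30.3", compare("1.30.3", "1.30.2,3"), "1.30.2,3")
```
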