Date: Mon, 1 Jun 2026 15:26:22 +0100
From: Martin Simmons <martin@lispworks.com>
To: Arnaud de Prelle <arnaud@pnzone.net>
Cc: freebsd-security@freebsd.org, fernape@freebsd.org
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
Message-ID: <202606011426.651EQMeV018896@higson.cam.lispworks.com>
In-Reply-To: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net> (message from Arnaud de Prelle on Sun, 31 May 2026 22:01:11 +0200)
References: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net>
[fernape@ added]

>>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
>
> Hi,
>
> As per
> - https://www.freshports.org/www/nginx/ and
> - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> CVE-2026-9256 should be fixed since nginx 1.30.2,3.

The contents of this URL were stale -- the VuXML now says nginx < 1.31.1,3 (since yesterday), which explains why pkg audit is detecting it.

> I'm using the latest version of nginx:
> # pkg info nginx | grep Version
> Version : 1.30.2_2,3
>
> But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> # pkg audit -F
> vulnxml file up-to-date
> nginx-1.30.2_2,3 is vulnerable:
> nginx -- heap buffer overflow in ngx_http_rewrite_module
> CVE: CVE-2026-9256
> WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>
> Am I missing something?

The VuXML looks wrong to me now. nginx released both 1.30.2 and 1.31.1 to fix this CVE (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).

__Martin
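The false positive described in this thread comes down to how a single `< 1.31.1,3` range is evaluated against a package version on the older stable branch. The following is an added illustration, not code from the thread, from pkg(8) or from VuXML: it implements a simplified FreeBSD version comparison (epoch, dotted version, port revision, as in `1.30.2_2,3`) and a range check shaped like VuXML's `<ge>`/`<lt>` bounds. The function names are hypothetical, the version-syntax support is deliberately narrower than pkg(8)'s, and the two range sets are constructed for this example: `SINGLE_RANGE` mirrors the wording quoted in the message, while `BRANCH_AWARE_RANGES` is an assumed per-branch form that would reflect both 1.30.2 and 1.31.1 carrying the fix.

```python
import re

# Hypothetical helper names for this example; not pkg(8)'s own API.


def parse_pkg_version(s: str):
    """Split a FreeBSD package version such as "1.30.2_2,3" into
    (epoch, numeric components, port revision).

    Layout (simplified from pkg(8)): version[_revision][,epoch].
    Letter suffixes and other exotic forms are rejected rather than guessed.
    """
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"unsupported version syntax: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return epoch, parts, revision


def compare_pkg_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `pkg version -t`: epoch is compared first,
    then the dotted version (missing components count as 0), then revision."""
    ea, pa, ra = parse_pkg_version(a)
    eb, pb, rb = parse_pkg_version(b)
    width = max(len(pa), len(pb))
    pa = pa + (0,) * (width - len(pa))
    pb = pb + (0,) * (width - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, ranges) -> bool:
    """ranges: iterable of dicts with optional "ge"/"gt"/"lt"/"le" bounds,
    mirroring the <range><ge>..</ge><lt>..</lt></range> shape of a VuXML
    entry. The package is affected if it falls inside any one range."""
    ops = {
        "ge": lambda c: c >= 0,
        "gt": lambda c: c > 0,
        "lt": lambda c: c < 0,
        "le": lambda c: c <= 0,
    }
    for rng in ranges:
        if all(ops[k](compare_pkg_versions(installed, v)) for k, v in rng.items()):
            return True
    return False


# Constructed ranges for the nginx entry discussed in the thread.
# SINGLE_RANGE mirrors the "nginx < 1.31.1,3" wording quoted in the message.
# BRANCH_AWARE_RANGES is an assumed per-branch form (not the actual VuXML
# text) for the case where both 1.30.2 and 1.31.1 carry the fix; the
# 1.31.0 lower bound is likewise an assumption for this example.
SINGLE_RANGE = [{"lt": "1.31.1,3"}]
BRANCH_AWARE_RANGES = [
    {"lt": "1.30.2,3"},                     # stable branch before the fix
    {"ge": "1.31.0,3", "lt": "1.31.1,3"},   # mainline branch before the fix
]

INSTALLED = "1.30.2_2,3"  # the version `pkg info` reported in the thread

if __name__ == "__main__":
    print("single range flags it:     ", is_affected(INSTALLED, SINGLE_RANGE))
    print("branch-aware ranges flag it:", is_affected(INSTALLED, BRANCH_AWARE_RANGES))
```

Run as-is, the single range reports the patched 1.30.2_2,3 as affected, exactly as `pkg audit -F` did, while the branch-aware form does not. Whenever an upstream ships a fix on more than one branch, a VuXML entry needs one range per branch; a lone upper bound taken from the newer branch will always flag the fixed releases of the older one.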
