From: Martin Simmons
To: Arnaud de Prelle
CC: freebsd-security@freebsd.org, fernape@freebsd.org
Date: Mon, 1 Jun 2026 15:26:22 +0100
Message-Id: <202606011426.651EQMeV018896@higson.cam.lispworks.com>
In-reply-to: (message from Arnaud de Prelle on Sun, 31 May 2026 22:01:11 +0200)
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

[fernape@ added]

>>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
>
> Hi,
>
> As per
> - https://www.freshports.org/www/nginx/ and
> - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> CVE-2026-9256 should be fixed since nginx 1.30.2,3.

The contents of this URL was stale -- the VuXML now says nginx < 1.31.1,3
(since yesterday), which explains why pkg audit is detecting it.

> I'm using the latest version of nginx:
> # pkg info nginx | grep Version
> Version : 1.30.2_2,3
>
> But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> # pkg audit -F
> vulnxml file up-to-date
> nginx-1.30.2_2,3 is vulnerable:
>   nginx -- heap buffer overflow in ngx_http_rewrite_module
>   CVE: CVE-2026-9256
>   WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>
> Am I missing something ?

The VuXML looks wrong to me now.  nginx released both 1.30.2 and 1.31.1 to fix
this CVE (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).

__Martin
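
Added example, not part of the original message and not pkg's or VuXML's own code: a simplified model of how a single `< 1.31.1,3` range matches the installed `1.30.2_2,3`, compared with a per-branch range set. The function names, the numeric-only comparison and the `PER_BRANCH` ranges are assumptions constructed from the versions quoted in the thread.

```python
import operator

# VuXML-style range operators (lt/le/gt/ge/eq).
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}


def parse_pkgver(v):
    """Split 'version[_revision][,epoch]' into a sortable key.

    Simplification: only dotted numeric versions are handled; the real
    pkg comparison also understands letter suffixes and other forms.
    Epoch is compared first, then the version, then the port revision.
    """
    v, _, epoch = v.partition(",")
    v, _, rev = v.partition("_")
    nums = tuple(int(n) for n in v.split("."))
    return (int(epoch or 0), nums, int(rev or 0))


def in_range(installed, rng):
    """True if the installed version satisfies every bound of one range."""
    inst = parse_pkgver(installed)
    return all(OPS[op](inst, parse_pkgver(bound)) for op, bound in rng.items())


def is_vulnerable(installed, ranges):
    """A package is flagged if it falls inside any listed range."""
    return any(in_range(installed, r) for r in ranges)


# Range the reply reports the VuXML entry as carrying now.
SINGLE_RANGE = [{"lt": "1.31.1,3"}]

# Constructed, hypothetical alternative: one range per release branch,
# built from the two fixed releases named in the reply (1.30.2 and 1.31.1).
PER_BRANCH = [{"lt": "1.30.2,3"},
              {"ge": "1.31.0,3", "lt": "1.31.1,3"}]

if __name__ == "__main__":
    for ver in ("1.30.1,3", "1.30.2_2,3", "1.31.0,3", "1.31.1,3"):
        print(ver, is_vulnerable(ver, SINGLE_RANGE),
              is_vulnerable(ver, PER_BRANCH))
```
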