Date: Mon, 1 Jun 2026 22:42:16 +0200
From: Fernando Apesteguía <fernape@freebsd.org>
To: Martin Simmons <martin@lispworks.com>, Jochen Neumeister <joneum@freebsd.org>
Cc: Arnaud de Prelle <arnaud@pnzone.net>, freebsd-security@freebsd.org
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
Message-ID: <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>
In-Reply-To: <202606011426.651EQMeV018896@higson.cam.lispworks.com>
References: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net> <202606011426.651EQMeV018896@higson.cam.lispworks.com>
Including joneum@ who maintains the port.

On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <martin@lispworks.com> wrote:
> [fernape@ added]
>
> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
> >
> > Hi,
> >
> > As per
> > - https://www.freshports.org/www/nginx/ and
> > -
> > https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
>
> The contents of this URL were stale -- the VuXML now says nginx < 1.31.1,3
> (since yesterday), which explains why pkg audit is detecting it.
>
> > I'm using the latest version of nginx:
> > # pkg info nginx | grep Version
> > Version : 1.30.2_2,3
> >
> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> > # pkg audit -F
> > vulnxml file up-to-date
> > nginx-1.30.2_2,3 is vulnerable:
> > nginx -- heap buffer overflow in ngx_http_rewrite_module
> > CVE: CVE-2026-9256
> > WWW:
> > https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> >
> > Am I missing something?
>
> The VuXML looks wrong to me now.
>
> nginx released both 1.30.2 and 1.31.1 to fix this CVE
> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
>
> __Martin
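The mismatch discussed in the thread comes down to how `pkg audit` evaluates a VuXML version range: a single upper bound of `< 1.31.1,3` is satisfied by every 1.30.x package, including the fixed 1.30.2_2,3, because the range has no notion of the 1.30 branch having its own fix. The following is an added example, not code from the thread, from pkg or from the nginx port. It models pkg's version comparison in simplified form (epoch after the comma, then dotted version components, then PORTREVISION after the underscore; pkg's real comparator also handles pre-release suffixes such as a1, b2, rc3 and pl, which these versions do not use) and evaluates two range sets against the versions from the thread. The stale range set is the one the thread quotes; the branch-aware range set is a hypothetical illustration of VuXML's ability to carry one `<range>` per supported branch and is not the text of any actual VuXML entry, and its `1.31.0,3` lower bound is an assumption.

```python
"""Model how `pkg audit` matches an installed version against VuXML ranges.

Added example; not part of the mailing-list thread, pkg or the nginx port.
"""
import re

# Tokens of a version component: runs of digits or runs of letters.
_PART = re.compile(r"\d+|[A-Za-z]+")


def parse_version(v: str):
    """Split 'version[_revision][,epoch]' into (epoch, parts, revision).

    Simplified model of pkg's version grammar (assumption): epoch and
    PORTREVISION are compared numerically; each dotted component is split
    into numeric tokens (compared as integers) and alphabetic tokens
    (compared as strings, sorting before any number).
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for chunk in v.split("."):
        for tok in _PART.findall(chunk):
            parts.append((1, int(tok)) if tok.isdigit() else (0, tok))
    return epoch, parts, revision


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1, mirroring the '<', '=', '>' of `pkg version -t a b`."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


# VuXML bound elements and the comparison each one requires.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def in_range(installed: str, vrange: dict) -> bool:
    """One <range> matches when every bound it contains holds."""
    return all(OPS[op](compare(installed, bound)) for op, bound in vrange.items())


def affected(installed: str, ranges: list) -> bool:
    """A package is reported when any of the entry's <range> elements matches."""
    return any(in_range(installed, r) for r in ranges)


# Range set as the thread reports the entry on 2026-06-01: nginx < 1.31.1,3.
STALE_RANGES = [{"lt": "1.31.1,3"}]

# Hypothetical branch-aware range set (assumption, for illustration only):
# one <range> per branch, so 1.30.2,3 and 1.31.1,3 both count as fixed.
BRANCH_AWARE_RANGES = [
    {"lt": "1.30.2,3"},
    {"ge": "1.31.0,3", "lt": "1.31.1,3"},
]


def audit(installed: str, ranges: list) -> str:
    """Return a one-line verdict in the spirit of `pkg audit` output."""
    state = "is vulnerable" if affected(installed, ranges) else "is not vulnerable"
    return f"nginx-{installed} {state}"


if __name__ == "__main__":
    # Versions taken from the thread; 1.31.1,3 is the mainline fix release.
    for v in ("1.30.2_2,3", "1.31.1,3"):
        print("stale range set:        ", audit(v, STALE_RANGES))
        print("branch-aware range set: ", audit(v, BRANCH_AWARE_RANGES))
```

On a FreeBSD host the comparison itself can be confirmed with `pkg version -t 1.30.2_2,3 1.31.1,3`, which prints `<`; that is exactly why a lone `<lt>1.31.1,3</lt>` bound catches the patched 1.30.2_2,3 package.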
