From nobody Mon Jun  1 20:42:16 2026
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gTm9g3kVBz6fynd
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Mon, 01 Jun 2026 20:42:31 +0000 (UTC)
	(envelope-from fernando.apesteguia@gmail.com)
Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com [209.85.210.50])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "WR4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gTm9g1jJLz3V3j
	for <freebsd-security@freebsd.org>; Mon, 01 Jun 2026 20:42:31 +0000 (UTC)
	(envelope-from fernando.apesteguia@gmail.com)
Authentication-Results: mx1.freebsd.org;
	none
Received: by mail-ot1-f50.google.com with SMTP id 46e09a7af769-7e62b6163c8so3026419a34.2
        for <freebsd-security@freebsd.org>; Mon, 01 Jun 2026 13:42:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780346550; x=1780951350;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=sQPSKH5y5bDljaQhMvluGJBfQpi8dPMJ9zJ0bz8LQRg=;
        b=TWRRZiKiw1pYq2Aqyz6WIGGqkZBxXrl0bKQMxP+g0bFdLglv5c0Kt0YXYmGEwgiMXa
         SUCYG4XShtgZC6g8FRm6Jz7WA+Qr1X7FfnRah/cJdxhRE6DfZOJFd7z9QMBmfefKZJaL
         ufb9T5Zy/eKzErkPzTZvRd7t1XSMyG2GHPjYxXvZHuXpzBwuc+xNs681I1f/ZmOkCz8j
         oZFnZ/cgT7SlxnThLih76n/H5/LBk2TXPZdsr9wy7bw0hV8HAeVCmKK91x+1X+YZDneG
         E/YuzkUkLgtvDawq7n+3viZeJHpEbh2pVYOwnzOIUAZL8TdKZwpZXtzSRW947hf8H2IC
         ytwg==
X-Forwarded-Encrypted: i=1; AFNElJ+Q1lVe884Gy9xJSItWwOtEAKE7qLaI2ISxHgjWx2J3zoH6Poo38W1dvsqaXIssRIDi9hLcOKv6PRik6TL8Veb8@freebsd.org
X-Gm-Message-State: AOJu0Yxc0pVOc88n9ym+v4ZR0BlJiiC+ptQGupL4ISfSdAkyVCFP+G7a
	NsKjKFY2/aauihuInKQJsL7pCZ/D8RlBqZww3ACkgyzs9nRDetLOfTu2exBsUP7D
X-Gm-Gg: Acq92OFN+IBJBR4GfRJXmalBLHzGV2p93fvVHFltGicMLL7t0C8DXjSMh35+onbdXVQ
	v6hFJJFTojh7F3jMjb0zVjMvvKL9F2vcB9lhld9RP/keYdJn5x/f9D3dTIE9AnCQNq3NqN22BSO
	Jjl4IJLAsW5g99OKu9kzhngOKTFtL4g0ngNAmDQAP4OsK1qCfDZK4c2/lh5wdtWW0gIMkJPwWmu
	0PM7lVdRi5x5fPPHTFGSM2Hv4mdUuEyv8IFxUjoXI03uib8pCcoiP9NsuXHsgPIy8myathT6Xyg
	mZucQlEohuX6+yh94N0mypCBrJYqiViK4Ui2cDUrwT/zqmmxmC5wu7aI3zecvCEJZfdcchi7DGk
	2mKhcXVbHcCgKhAOoWmH/lJl74F+SgyGg0pSPSatYx1Fk6nEBohEZJNThiI9G0UF+edqCUkMh1u
	3E8nVl8nI9lrvhxRDs0iRUlQwSgYnFbpCkfq9U7GkWauja/kWQANbr4iSq/h3FEYsuAQB5inMI+
	kpFQWyGliEngcJ9/zkfloHNJRj6tg==
X-Received: by 2002:a05:6830:698e:b0:7dc:dd58:50c7 with SMTP id 46e09a7af769-7e6a1de8f9bmr8466948a34.18.1780346549718;
        Mon, 01 Jun 2026 13:42:29 -0700 (PDT)
Received: from mail-oo1-f52.google.com (mail-oo1-f52.google.com. [209.85.161.52])
        by smtp.gmail.com with ESMTPSA id 46e09a7af769-7e695a1d33dsm9425185a34.0.2026.06.01.13.42.29
        for <freebsd-security@freebsd.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 01 Jun 2026 13:42:29 -0700 (PDT)
Received: by mail-oo1-f52.google.com with SMTP id 006d021491bc7-69e2e3c773fso395569eaf.2
        for <freebsd-security@freebsd.org>; Mon, 01 Jun 2026 13:42:29 -0700 (PDT)
X-Forwarded-Encrypted: i=1; AFNElJ9bgZ0yBNDtw1I6bVAg2klbjBW7/Drc3bLPoSDH0eIfFpqCDMmaE7KXTkPHzazQa10/+xhkAyyg1QhQ8dzQG7Ji@freebsd.org
X-Received: by 2002:a05:6820:1351:b0:69e:b8:ffe4 with SMTP id
 006d021491bc7-69e1038265amr6771728eaf.32.1780346548906; Mon, 01 Jun 2026
 13:42:28 -0700 (PDT)
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
List-Id: <freebsd-security.FreeBSD.org>
List-Post: <mailto:freebsd-security@FreeBSD.org>
List-Help: <mailto:freebsd-security+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
References: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net> <202606011426.651EQMeV018896@higson.cam.lispworks.com>
In-Reply-To: <202606011426.651EQMeV018896@higson.cam.lispworks.com>
From: =?UTF-8?Q?Fernando_Apestegu=C3=ADa?= <fernape@freebsd.org>
Date: Mon, 1 Jun 2026 22:42:16 +0200
X-Gmail-Original-Message-ID: <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>
X-Gm-Features: AVHnY4JcK4gUqf7oJSLp2tu4AXxgOF73bWcf1aLSxW-d3rwdHCgZ6C6G2pd0F2s
Message-ID: <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
To: Martin Simmons <martin@lispworks.com>, Jochen Neumeister <joneum@freebsd.org>
Cc: Arnaud de Prelle <arnaud@pnzone.net>, freebsd-security@freebsd.org
Content-Type: multipart/alternative; boundary="0000000000009ff0520653373b3c"
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	TAGGED_FROM(0.00)[];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]
X-Rspamd-Queue-Id: 4gTm9g1jJLz3V3j
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated

--0000000000009ff0520653373b3c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Including joneum@ who maintains the port.

On Mon, Jun 1, 2026 at 2:26=E2=80=AFPM Martin Simmons <martin@lispworks.com=
> wrote:

> [fernape@ added]
>
> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
> >
> > Hi,
> >
> > As per
> > - https://www.freshports.org/www/nginx/ and
> > -
> >
> https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.ht=
ml
> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
>
> The contents of this URL was stale -- the VuXML now says nginx < 1.31.1,3
> (since yesterday), which explains why pkg audit is detecting it.
>
> > I'm using the latest version of nginx:
> > # pkg info nginx | grep Version
> > Version        : 1.30.2_2,3
> >
> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> > # pkg audit -F
> > vulnxml file up-to-date
> > nginx-1.30.2_2,3 is vulnerable:
> >    nginx -- heap buffer overflow in ngx_http_rewrite_module
> >    CVE: CVE-2026-9256
> >    WWW:
> >
> https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.ht=
ml
> >
> > Am I missing something ?
>
> The VuXML looks wrong to me now.
>
> nginx released both 1.30.2 and 1.31.1 to fix this CVE
> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
>
> __Martin
>

--0000000000009ff0520653373b3c
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Including joneum@ who maintains the port.</div><br><d=
iv class=3D"gmail_quote gmail_quote_container"><div dir=3D"ltr" class=3D"gm=
ail_attr">On Mon, Jun 1, 2026 at 2:26=E2=80=AFPM Martin Simmons &lt;<a href=
=3D"mailto:martin@lispworks.com">martin@lispworks.com</a>&gt; wrote:<br></d=
iv><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bord=
er-left:1px solid rgb(204,204,204);padding-left:1ex">[fernape@ added]<br>
<br>
&gt;&gt;&gt;&gt;&gt; On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle s=
aid:<br>
&gt; <br>
&gt; Hi,<br>
&gt; <br>
&gt; As per<br>
&gt; - <a href=3D"https://www.freshports.org/www/nginx/" rel=3D"noreferrer"=
 target=3D"_blank">https://www.freshports.org/www/nginx/</a> and<br>
&gt; - <br>
&gt; <a href=3D"https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3=
497f65b111b.html" rel=3D"noreferrer" target=3D"_blank">https://vuxml.freebs=
d.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html</a><br>
&gt; CVE-2026-9256 should be fixed since nginx 1.30.2,3.<br>
<br>
The contents of this URL was stale -- the VuXML now says nginx &lt; 1.31.1,=
3<br>
(since yesterday), which explains why pkg audit is detecting it.<br>
<br>
&gt; I&#39;m using the latest version of nginx:<br>
&gt; # pkg info nginx | grep Version<br>
&gt; Version=C2=A0 =C2=A0 =C2=A0 =C2=A0 : 1.30.2_2,3<br>
&gt; <br>
&gt; But pkg audit -F reports this port as vulnerable to CVE-2026-9256:<br>
&gt; # pkg audit -F<br>
&gt; vulnxml file up-to-date<br>
&gt; nginx-1.30.2_2,3 is vulnerable:<br>
&gt;=C2=A0 =C2=A0 nginx -- heap buffer overflow in ngx_http_rewrite_module<=
br>
&gt;=C2=A0 =C2=A0 CVE: CVE-2026-9256<br>
&gt;=C2=A0 =C2=A0 WWW: <br>
&gt; <a href=3D"https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3=
497f65b111b.html" rel=3D"noreferrer" target=3D"_blank">https://vuxml.FreeBS=
D.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html</a><br>
&gt; <br>
&gt; Am I missing something ?<br>
<br>
The VuXML looks wrong to me now.<br>
<br>
nginx released both 1.30.2 and 1.31.1 to fix this CVE<br>
(<a href=3D"https://nginx.org/en/CHANGES-1.30" rel=3D"noreferrer" target=3D=
"_blank">https://nginx.org/en/CHANGES-1.30</a> and <a href=3D"https://nginx=
.org/en/CHANGES" rel=3D"noreferrer" target=3D"_blank">https://nginx.org/en/=
CHANGES</a>).<br>
<br>
__Martin<br>
</blockquote></div></div>

--0000000000009ff0520653373b3c--