From nobody Fri Jun  5 12:47:00 2026
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gX1RM2brZz6h1qk
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Fri, 05 Jun 2026 12:47:11 +0000 (UTC)
	(envelope-from arnaud@pnzone.net)
Received: from icecube.pnzone.net (icecube.pnzone.net [37.187.27.168])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gX1RK6yQGz3FFH;
	Fri, 05 Jun 2026 12:47:09 +0000 (UTC)
	(envelope-from arnaud@pnzone.net)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=pnzone.net header.s=dkimsel header.b=Vshhj6aW;
	dmarc=pass (policy=reject) header.from=pnzone.net;
	spf=pass (mx1.freebsd.org: domain of arnaud@pnzone.net designates 37.187.27.168 as permitted sender) smtp.mailfrom=arnaud@pnzone.net
Received: from webmail.pnzone.net (localhost [IPv6:::1])
	by icecube.pnzone.net (Postfix) with ESMTP id 2B558104646;
	Fri, 05 Jun 2026 14:47:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pnzone.net;
	s=dkimsel; t=1780663620;
	bh=Wg5Ex2AntQCsr0H1QEFJQCjGvpfCy+kbEfrDHb8bPz0=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=Vshhj6aWZO2N7IQkG5Ib9fYpllj7h9jMi6XuRTgtTp6qPNp60GcBgPczaY5Futrfm
	 qlcWHaEg5ZUm7+nnv0beXa/12z4QVRrLbpYYRYtcwALtLKDdTpmmWAvJ9o+REyLGPc
	 hLl8Pbsyc2/lWfwBpGVjOeeUk7Q2/MAOGnGRXAgc=
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
List-Id: <freebsd-security.FreeBSD.org>
List-Post: <mailto:freebsd-security@FreeBSD.org>
List-Help: <mailto:freebsd-security+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Date: Fri, 05 Jun 2026 14:47:00 +0200
From: Arnaud de Prelle <arnaud@pnzone.net>
To: =?UTF-8?Q?Fernando_Apestegu=C3=ADa?= <fernape@freebsd.org>
Cc: Martin Simmons <martin@lispworks.com>, Jochen Neumeister
 <joneum@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
In-Reply-To: <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>
References: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net>
 <202606011426.651EQMeV018896@higson.cam.lispworks.com>
 <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>
Message-ID: <b8ed40cbe26107a719f9f2deea812533@pnzone.net>
X-Sender: arnaud@pnzone.net
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 1.5.2 at icecube.pnzone.net
X-Virus-Status: Clean
X-Spamd-Result: default: False [-2.80 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	SUBJECT_ENDS_QUESTION(1.00)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-0.999];
	DMARC_POLICY_ALLOW(-0.50)[pnzone.net,reject];
	ONCE_RECEIVED(0.20)[];
	R_SPF_ALLOW(-0.20)[+ip4:37.187.27.168];
	R_DKIM_ALLOW(-0.20)[pnzone.net:s=dkimsel];
	MIME_GOOD(-0.10)[text/plain];
	DKIM_TRACE(0.00)[pnzone.net:+];
	RCPT_COUNT_THREE(0.00)[4];
	FROM_HAS_DN(0.00)[];
	ARC_NA(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	MISSING_XM_UA(0.00)[];
	ASN(0.00)[asn:16276, ipnet:37.187.0.0/16, country:FR];
	MIME_TRACE(0.00)[0:+];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_COUNT_ONE(0.00)[1];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	TO_DN_SOME(0.00)[]
X-Spamd-Bar: --
X-Rspamd-Queue-Id: 4gX1RK6yQGz3FFH

Hi all,

Thank you for your adaptations.

Alert has now disappeared from pkg audit -F as the vuXML database now 
shows :
0.1.17,3	<=	nginx	<	1.30.2_2,3
1.31.0,3	<=	nginx	<	1.31.1,3

Kind regards,
Arnaud.

On 2026-06-01 22:42, Fernando Apesteguía wrote:
> Including joneum@ who maintains the port.
> 
> On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <martin@lispworks.com> 
> wrote:
> 
>> [fernape@ added]
>> 
>> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
>> >
>> > Hi,
>> >
>> > As per
>> > - https://www.freshports.org/www/nginx/ and
>> > -
>> >
>> https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
>> 
>> The contents of this URL was stale -- the VuXML now says nginx < 
>> 1.31.1,3
>> (since yesterday), which explains why pkg audit is detecting it.
>> 
>> > I'm using the latest version of nginx:
>> > # pkg info nginx | grep Version
>> > Version        : 1.30.2_2,3
>> >
>> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
>> > # pkg audit -F
>> > vulnxml file up-to-date
>> > nginx-1.30.2_2,3 is vulnerable:
>> >    nginx -- heap buffer overflow in ngx_http_rewrite_module
>> >    CVE: CVE-2026-9256
>> >    WWW:
>> >
>> https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>> >
>> > Am I missing something ?
>> 
>> The VuXML looks wrong to me now.
>> 
>> nginx released both 1.30.2 and 1.31.1 to fix this CVE
>> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
>> 
>> __Martin
>>