Date: Fri, 5 Jun 2026 15:35:18 +0200
From: Fernando Apesteguía <fernape@freebsd.org>
To: Arnaud de Prelle <arnaud@pnzone.net>
Cc: Martin Simmons <martin@lispworks.com>, Jochen Neumeister <joneum@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256?
Message-ID: <CAGwOe2brbehmLSiDdsvFrOq4SVwGid3RU1-mVNsQOm7kRCgRpQ@mail.gmail.com>
In-Reply-To: <b8ed40cbe26107a719f9f2deea812533@pnzone.net>
References: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net> <202606011426.651EQMeV018896@higson.cam.lispworks.com> <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com> <b8ed40cbe26107a719f9f2deea812533@pnzone.net>
On Fri, 5 Jun 2026, 14:47, Arnaud de Prelle <arnaud@pnzone.net> wrote:

> Hi all,
>
> Thank you for your adaptations.
>
> Alert has now disappeared from pkg audit -F as the vuXML database now
> shows:
> 0.1.17,3 <= nginx < 1.30.2_2,3
> 1.31.0,3 <= nginx < 1.31.1,3
>
> Kind regards,
> Arnaud.

Thank you all for reporting and sorry for the mistake.

> On 2026-06-01 22:42, Fernando Apesteguía wrote:
> > Including joneum@ who maintains the port.
> >
> > On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <martin@lispworks.com>
> > wrote:
> >
> >> [fernape@ added]
> >>
> >> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
> >> >
> >> > Hi,
> >> >
> >> > As per
> >> > - https://www.freshports.org/www/nginx/ and
> >> > - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> >> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
> >>
> >> The contents of this URL were stale -- the VuXML now says nginx <
> >> 1.31.1,3 (since yesterday), which explains why pkg audit is detecting it.
> >>
> >> > I'm using the latest version of nginx:
> >> > # pkg info nginx | grep Version
> >> > Version : 1.30.2_2,3
> >> >
> >> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> >> > # pkg audit -F
> >> > vulnxml file up-to-date
> >> > nginx-1.30.2_2,3 is vulnerable:
> >> > nginx -- heap buffer overflow in ngx_http_rewrite_module
> >> > CVE: CVE-2026-9256
> >> > WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> >> >
> >> > Am I missing something?
> >>
> >> The VuXML looks wrong to me now.
> >>
> >> nginx released both 1.30.2 and 1.31.1 to fix this CVE
> >> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
> >>
> >> __Martin
> >>
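The thread turns on how pkg audit compares an installed version against VuXML range lines, and why the stale entry "nginx < 1.31.1,3" flagged 1.30.2_2,3 while the corrected pair of ranges does not. The following is an added example, not code from pkg, VuXML or anyone in the thread: a constructed, simplified model of FreeBSD's version[_revision][,epoch] ordering (numeric dotted components only; pkg's rules for alpha and pre-release suffixes are deliberately not modelled) plus a range matcher run over the exact entries quoted above. The package name, the two sets of entries and the installed versions are taken from the thread; the function names and the regular expressions are this example's own.

```python
"""Constructed model of how an audit tool decides whether an installed
package version falls inside a VuXML affected range.  Example code only:
not pkg's or VuXML's implementation.  Assumption: versions are
version[_revision][,epoch] with purely numeric dotted components
(pkg's alpha/pre-release suffix rules are not modelled)."""
import re
from functools import total_ordering


@total_ordering
class PkgVersion:
    """Ordering key: epoch (after ',') first, then the dotted version,
    then the port revision (after '_').  1.30 and 1.30.0 compare equal."""

    def __init__(self, text: str):
        self.raw = text
        body, _, epoch = text.partition(",")
        body, _, revision = body.partition("_")
        if not re.fullmatch(r"\d+(\.\d+)*", body):
            raise ValueError(f"unsupported version syntax: {text!r}")
        self.epoch = int(epoch) if epoch else 0
        self.revision = int(revision) if revision else 0
        parts = [int(p) for p in body.split(".")]
        while parts and parts[-1] == 0:      # normalise trailing zeros
            parts.pop()
        self.parts = tuple(parts)

    def _key(self):
        return (self.epoch, self.parts, self.revision)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __repr__(self):
        return f"PkgVersion({self.raw!r})"


# A VuXML range as it appears in the thread: "lo <= name < hi" or "name < hi".
RANGE_RE = re.compile(
    r"^(?:(?P<lo>\S+)\s*(?P<lo_op><=|<)\s*)?"
    r"(?P<name>[A-Za-z][\w.-]*)"
    r"\s*(?P<hi_op><=|<)\s*(?P<hi>\S+)$"
)


def parse_range(line: str) -> dict:
    m = RANGE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised range line: {line!r}")
    return m.groupdict()


def version_in_range(version: str, line: str) -> bool:
    """True when `version` satisfies both bounds of the range line."""
    r = parse_range(line)
    v = PkgVersion(version)
    if r["lo"] is not None:
        lo = PkgVersion(r["lo"])
        if not (lo <= v if r["lo_op"] == "<=" else lo < v):
            return False
    hi = PkgVersion(r["hi"])
    return v < hi if r["hi_op"] == "<" else v <= hi


def audit(pkg_name: str, installed: str, entries: list) -> list:
    """Return the range lines for `pkg_name` that flag `installed`."""
    return [
        line for line in entries
        if parse_range(line)["name"] == pkg_name
        and version_in_range(installed, line)
    ]


# Entries quoted in the thread: the stale single range and the corrected pair.
STALE = ["nginx < 1.31.1,3"]
CORRECTED = [
    "0.1.17,3 <= nginx < 1.30.2_2,3",
    "1.31.0,3 <= nginx < 1.31.1,3",
]

if __name__ == "__main__":
    for label, entries in (("stale", STALE), ("corrected", CORRECTED)):
        print(label, "->", audit("nginx", "1.30.2_2,3", entries))
```

The stale entry matches 1.30.2_2,3 because only the upper bound is checked and 1.30.2 sorts below 1.31.1; the corrected first range stops exactly at 1.30.2_2,3, so the installed version sits outside it, while the second range covers only the 1.31.0 release. Note that the epoch wins before anything else, so 0.1.17,3 orders above 1.31.1,2; forgetting that when hand-checking a range is a common source of "wrongly vulnerable" reports.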
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGwOe2brbehmLSiDdsvFrOq4SVwGid3RU1-mVNsQOm7kRCgRpQ>
