From: Arnaud de Prelle
To: freebsd-security@freebsd.org
Date: Sun, 31 May 2026 22:01:11 +0200
Subject: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hi,

As per
- https://www.freshports.org/www/nginx/
and
- https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
CVE-2026-9256 should be fixed since nginx 1.30.2,3.

I'm using the latest version of nginx:
# pkg info nginx | grep Version
Version : 1.30.2_2,3

But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
# pkg audit -F
vulnxml file up-to-date
nginx-1.30.2_2,3 is vulnerable:
nginx -- heap buffer overflow in ngx_http_rewrite_module
CVE: CVE-2026-9256
WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html

Am I missing something ?

Thanks,
Arnaud.
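
The version comparison the message relies on, as an added example that is not part of the original post and is not pkg's own code: it orders FreeBSD port versions by PORTEPOCH, then version, then PORTREVISION, and tests them against a VuXML-style range. Assumptions: only dotted numeric versions are handled, the helper names are hypothetical, and the range `lt 1.30.2,3` is constructed from the message's "fixed since nginx 1.30.2,3", not copied from the VuXML entry.

```python
import operator
import re
from typing import NamedTuple


class PortVersion(NamedTuple):
    # Field order matters: tuple comparison checks epoch first,
    # then the version components, then the port revision.
    epoch: int
    version: tuple
    revision: int


# version[_PORTREVISION][,PORTEPOCH], e.g. "1.30.2_2,3"
_VERSION_RE = re.compile(
    r"^(?P<ver>\d+(?:\.\d+)*)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$"
)

_OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
        "ge": operator.ge, "gt": operator.gt}


def split_pkgname(pkgname):
    """Split 'nginx-1.30.2_2,3' into ('nginx', '1.30.2_2,3') at the last hyphen."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def parse_port_version(text):
    m = _VERSION_RE.match(text)
    if not m:
        # Assumption: suffixes such as 'rc1' or 'p2' are out of scope here.
        raise ValueError(f"unsupported version string: {text!r}")
    return PortVersion(
        epoch=int(m["epoch"] or 0),
        version=tuple(int(p) for p in m["ver"].split(".")),
        revision=int(m["rev"] or 0),
    )


def in_range(installed, bounds):
    """True if the installed version satisfies every bound, e.g. {'ge': ..., 'lt': ...}."""
    v = parse_port_version(installed)
    return all(_OPS[op](v, parse_port_version(b)) for op, b in bounds.items())


# Constructed range, based only on the message's reading of the fix version.
CONSTRUCTED_RANGE = {"lt": "1.30.2,3"}

if __name__ == "__main__":
    name, version = split_pkgname("nginx-1.30.2_2,3")
    print(name, version, "in range:", in_range(version, CONSTRUCTED_RANGE))
```

On a FreeBSD host, `pkg version -t 1.30.2_2,3 1.30.2,3` runs the same comparison with pkg's own implementation.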