Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 19 Jun 2026 09:02:33 +0200
From:      Jochen Neumeister <joneum@FreeBSD.org>
To:        Bryan Drewery <bdrewery@FreeBSD.org>, ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   Re: git: 14b3a97af857 - main - www/nginx: Update to 1.30.3
Message-ID:  <deb19efa-e0ce-431c-bba7-30e0fddd7f4a@FreeBSD.org>
In-Reply-To: <bd9f90bd-54fc-442a-b619-a1eb0ba2164f@FreeBSD.org>
References:  <6a34162b.4502c.a03d686@gitrepo.freebsd.org> <bd9f90bd-54fc-442a-b619-a1eb0ba2164f@FreeBSD.org>

index | next in thread | previous in thread | raw e-mail



Am 18.06.26 um 22:22 schrieb Bryan Drewery:
> On 6/18/26 9:00 AM, Jochen Neumeister wrote:
>> The branch main has been updated by joneum:
>>
>> URL:https://cgit.FreeBSD.org/ports/commit/? 
>> id=14b3a97af857aa71cbf1b91921e530b34f440c31
>>
>> commit 14b3a97af857aa71cbf1b91921e530b34f440c31
>> Author:     Jochen Neumeister<joneum@FreeBSD.org>
>> AuthorDate: 2026-06-18 15:59:46 +0000
>> Commit:     Jochen Neumeister<joneum@FreeBSD.org>
>> CommitDate: 2026-06-18 15:59:46 +0000
>>
>>      www/nginx: Update to 1.30.3
>>      Changes with nginx 1.30.3                                        
>> 17 Jun
>>      2026
>>          *) Security: a heap memory buffer overflow might occur in a 
>> worker
>>             process when using a configuration with 
>> "ignore_invalid_headers
>>      off;"
>>             and "large_client_header_buffers" with large configured 
>> values
>>      when
>>             proxying a specially crafted request to HTTP/2 or gRPC 
>> backend,
>>             allowing an attacker to cause worker process memory 
>> corruption or
>>             segmentation fault in a worker process (CVE-2026-42055).
>>             Thanks to Mufeed VH of Winfunc Research.
>>          *) Security: a heap memory buffer overread might occur in a 
>> worker
>>             process while handling a specially sent response with 
>> decoding
>>      from
>>             UTF-8 via the "charset_map" directive, allowing an 
>> attacker to
>>      cause
>>             a limited disclosure of worker proccess memory or 
>> segmentation
>>      fault
>>             in a worker process (CVE-2026-48142).
>>             Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
>>      Sponsored by:   Netzkommune GmbH
> 
> Are you planing to bring this into quarterly?
> 
> 
> 
Yeah, that's landing today in Q2 2026 :)


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?deb19efa-e0ce-431c-bba7-30e0fddd7f4a>