Date: Fri, 05 Jun 2026 14:47:00 +0200
From: Arnaud de Prelle <arnaud@pnzone.net>
To: Fernando Apesteguía <fernape@freebsd.org>
Cc: Martin Simmons <martin@lispworks.com>, Jochen Neumeister <joneum@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
Message-ID: <b8ed40cbe26107a719f9f2deea812533@pnzone.net>
In-Reply-To: <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>
References: <e7252e33e7aa60c82d3a73240258d7d1@pnzone.net> <202606011426.651EQMeV018896@higson.cam.lispworks.com> <CAGwOe2ZdZ=M4dunqTtSk6J=9cwJKuCzg8u9C9hOg2t2Sf80opQ@mail.gmail.com>

Hi all,

Thank you for your adaptations.
Alert has now disappeared from pkg audit -F as the vuXML database now shows:
0.1.17,3 <= nginx < 1.30.2_2,3
1.31.0,3 <= nginx < 1.31.1,3

Kind regards,
Arnaud.

On 2026-06-01 22:42, Fernando Apesteguía wrote:
> Including joneum@ who maintains the port.
>
> On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <martin@lispworks.com> wrote:
>
>> [fernape@ added]
>>
>> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
>> >
>> > Hi,
>> >
>> > As per
>> > - https://www.freshports.org/www/nginx/ and
>> > - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
>>
>> The contents of this URL were stale -- the VuXML now says nginx < 1.31.1,3
>> (since yesterday), which explains why pkg audit is detecting it.
>>
>> > I'm using the latest version of nginx:
>> > # pkg info nginx | grep Version
>> > Version : 1.30.2_2,3
>> >
>> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
>> > # pkg audit -F
>> > vulnxml file up-to-date
>> > nginx-1.30.2_2,3 is vulnerable:
>> > nginx -- heap buffer overflow in ngx_http_rewrite_module
>> > CVE: CVE-2026-9256
>> > WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
>> >
>> > Am I missing something ?
>>
>> The VuXML looks wrong to me now.
>>
>> nginx released both 1.30.2 and 1.31.1 to fix this CVE
>> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
>>
>> __Martin
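
Added example, not part of the original thread and not code from pkg or VuXML: a small Python check showing why the installed nginx-1.30.2_2,3 matched the single range "nginx < 1.31.1,3" but no longer matches the two corrected ranges. The names version_key, is_affected, RANGE_FLAGGING and RANGES_CORRECTED are hypothetical, and the comparison is a simplified model of FreeBSD version ordering (epoch, then dotted version, then port revision) that assumes purely numeric components.

```python
# Simplified model of FreeBSD package version ordering (assumption: all
# components are numeric, e.g. no "rc1" or "p2" suffixes).
# Format: ver[_portrevision][,epoch]; epoch outranks everything else.

def version_key(pkgver):
    """Turn 'ver[_rev][,epoch]' into a tuple that sorts in package order."""
    rest, _, epoch = pkgver.partition(",")
    ver, _, rev = rest.partition("_")
    parts = [int(p) for p in ver.split(".")]
    while parts and parts[-1] == 0:      # treat 1.31 and 1.31.0 as equal
        parts.pop()
    return (int(epoch or 0), tuple(parts), int(rev or 0))

def is_affected(pkgver, ranges):
    """ranges: list of (low_inclusive_or_None, high_exclusive_or_None)."""
    v = version_key(pkgver)
    for low, high in ranges:
        if low is not None and v < version_key(low):
            continue                     # below this range
        if high is not None and v >= version_key(high):
            continue                     # at or above the fixed version
        return True
    return False

# Ranges as quoted in the thread.
RANGE_FLAGGING = [(None, "1.31.1,3")]                  # "nginx < 1.31.1,3"
RANGES_CORRECTED = [("0.1.17,3", "1.30.2_2,3"),
                    ("1.31.0,3", "1.31.1,3")]

if __name__ == "__main__":
    # Constructed sample versions around the boundaries of the ranges.
    for ver in ("1.30.2_1,3", "1.30.2_2,3", "1.31.0,3", "1.31.1,3"):
        print(ver,
              "flagged-before:", is_affected(ver, RANGE_FLAGGING),
              "flagged-after:", is_affected(ver, RANGES_CORRECTED))
```
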
