-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 21 Mar 2026 17:37:50 +0000
Source: nginx
Architecture: source
Version: 1.28.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Closes: 112696
Changes:
 nginx (1.28.2-3) unstable; urgency=medium
 .
   * All changes in this release focus on mitigating incorrect Host header
     handling in proxied requests by backporting $request_port and
     $is_request_port variables from newer nginx, and explicitly setting
     HTTP_HOST in proxy_params, fastcgi_params, uwsgi_params and
     scgi_params to $host$is_request_port$request_port. (Closes: 112696)
   * d/p/debian/patches/backport-request_port_and_is_request_port.patch: add
     - backport of $request_port and $is_request_port variables from newer
       nginx
     - implements support across HTTP/1.x as well as HTTP/2 and HTTP/3 code
       paths
     - note: HTTP/3 module in nginx is still considered experimental upstream
   * d/conf/proxy_params: use $host$is_request_port$request_port instead of
     $http_host
   * d/t/proxy: add test verifying $host$is_request_port$request_port behavior
   * d/t/fastcgi-RFC9112: add test that verifies the correct Host value
     according to RFC 9112, thanks to @yadd
   * d/conf/fastcgi_params: add
     'fastcgi_param HTTP_HOST $host$is_request_port$request_port;'
   * d/t/uwsgi-RFC9112: add test that verifies the correct Host value
     according to RFC 9112 for uwsgi
   * d/conf/uwsgi_params: add
     'uwsgi_param HTTP_HOST $host$is_request_port$request_port;'
   * d/conf/scgi_params: add
     'scgi_param HTTP_HOST $host$is_request_port$request_port;'
Checksums-Sha1:
 18edccc1c6f4b097bfeff81f986d9d5451443ef3 3803 nginx_1.28.2-3.dsc
 afc4e0aecf54fccfa4150ae17b022c84f2d3ace2 75880 nginx_1.28.2-3.debian.tar.xz
 22bb9c15a9f210e52bc10e0ee584e784208ab2a4 3548320 nginx_1.28.2-3.git.tar.xz
 70488a999ef28ff14fc2eb614d8696b47de1eaea 17327 nginx_1.28.2-3_source.buildinfo
Checksums-Sha256:
 f4d4608ede8b700231cc6da18d2b6d6983fff45c0d86be9babfa06c98d9dabf0 3803 nginx_1.28.2-3.dsc
 eb04ad525fbf08e02fb51f09b5428e76a593b10800fa8a369431673bb1ec6e33 75880 nginx_1.28.2-3.debian.tar.xz
 08a797694d23adfafb994a47700e2d748cc66782f1b13d18b752e138067c4f81 3548320 nginx_1.28.2-3.git.tar.xz
 17abe2c241b61955175db446577acba76d6ae96b175ec0d48b3566a9bab0aa1b 17327 nginx_1.28.2-3_source.buildinfo
Files:
 0b0c6d6baad389f46a78fbb8d14bfbd9 3803 httpd optional nginx_1.28.2-3.dsc
 6beb7b44cfa05a89050ecb53e292de48 75880 httpd optional nginx_1.28.2-3.debian.tar.xz
 a582d970be47ea1d3e63e7cc1375ce0d 3548320 httpd None nginx_1.28.2-3.git.tar.xz
 0c1c9616e5b7938f19eece20343a9127 17327 httpd optional nginx_1.28.2-3_source.buildinfo
Git-Tag-Info: tag=584014647d1207283b2224f2ab2550fdbbe1d3e9 fp=d008b0c23d8479e46b9fcb9045da517496939ff9
Git-Tag-Tagger: Jan Mojžíš <jan.mojzis@gmail.com>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----