-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 20 Apr 2026 17:52:06 +0000
Source: nginx
Architecture: source
Version: 1.26.3-3+deb13u4
Distribution: trixie
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Changes:
nginx (1.26.3-3+deb13u4) trixie; urgency=medium
.
  * d/conf/*_params: use "$host" instead of "$http_host"
    * "$http_host" forwards the Host header exactly as supplied by the client
      and may not match the effective request target (e.g. absolute-form
      requests with a conflicting Host header)
      this can expose inconsistent or attacker-controlled host values to
      backend applications (uwsgi, fastcgi, scgi, proxy)
    * switch to "$host" as a safer, normalized alternative
    * note: this changes behaviour, as "$host" does not preserve the
      client-supplied port; deployments relying on "$http_host" including
      a port number may be affected
    * it is a workaround for Debian bug #1126960 for stable/oldstable release
Checksums-Sha1:
a1f101def71a027baa8409f19c5aeff822b6e15b 3827 nginx_1.26.3-3+deb13u4.dsc
4137e2de89ea09c688a120551770c2547d6de7c0 85516 nginx_1.26.3-3+deb13u4.debian.tar.xz
997c7754dd4f0d799af8072eb420f6b19a7a61fa 8270 nginx_1.26.3-3+deb13u4_source.buildinfo
Checksums-Sha256:
b283718e321ec7ac5bf0e481d649f492878f51ea431bf6ee761606a626b119ad 3827 nginx_1.26.3-3+deb13u4.dsc
92b5de81372aa36eb6c993de7d2f36e829cfeb18806dbf6fdb2fae125cb9f827 85516 nginx_1.26.3-3+deb13u4.debian.tar.xz
e940f37c6bc60fb39297b50f8fc4b4526d9c67c01aee78b1f4df97cd058547c9 8270 nginx_1.26.3-3+deb13u4_source.buildinfo
Files:
ac1d5cd43a29dc2c63bcd831e6827b99 3827 httpd optional nginx_1.26.3-3+deb13u4.dsc
aa41de08add6f90fde73596623938879 85516 httpd optional nginx_1.26.3-3+deb13u4.debian.tar.xz
542dc939372bccc938a5ce7bdaf9e4e9 8270 httpd optional nginx_1.26.3-3+deb13u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
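
The difference between the two variables described in the changelog above, as an added example (not part of the upload or of nginx's source): a simplified Python model of nginx's documented `$host` precedence (request-line host, then Host header, then server name; lowercased, without port) next to `$http_host`. The function names, the `backend.example` default and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic).
PLAIN = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
WITH_PORT = b"GET /login HTTP/1.1\r\nHost: App.Example:8080\r\n\r\n"
ABSOLUTE = b"GET http://app.example/login HTTP/1.1\r\nHost: other.example\r\n\r\n"


def _strip_port(authority: str) -> str:
    """Lowercase an authority and drop a trailing :port (IPv6 literals keep brackets)."""
    authority = authority.strip().lower()
    if authority.startswith("["):
        end = authority.find("]")
        return authority[: end + 1] if end != -1 else authority
    return authority.split(":", 1)[0]


def nginx_host_vars(raw_request: bytes, server_name: str = "backend.example"):
    """Return (http_host, host) as a backend would receive them via *_params."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    http_host = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            http_host = value.strip()  # $http_host: header value, not normalized
            break
    # An absolute-form target carries its own host, which takes precedence for $host.
    target_host = urlsplit(target).netloc if "://" in target else ""
    if target_host:
        host = _strip_port(target_host)
    elif http_host:
        host = _strip_port(http_host)
    else:
        host = server_name  # no host anywhere: fall back to the matched server name
    return http_host, host


def diverges(raw_request: bytes) -> bool:
    """True when a backend would see different values depending on the variable used."""
    http_host, host = nginx_host_vars(raw_request)
    return http_host is not None and http_host.lower() != host


if __name__ == "__main__":
    for sample in (PLAIN, WITH_PORT, ABSOLUTE):
        print(nginx_host_vars(sample), "diverges:", diverges(sample))
```

`WITH_PORT` shows the behaviour change the changelog warns about: a backend that built URLs from `$http_host` loses the `:8080` after the switch to `$host`.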