-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Apr 2026 20:15:43 +0000
Source: nginx
Architecture: source
Version: 1.22.1-9+deb12u6
Distribution: bookworm
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Changes:
nginx (1.22.1-9+deb12u6) bookworm; urgency=medium
.
* d/conf/*_params: use "$host" instead of "$http_host"
* "$http_host" forwards the Host header exactly as supplied by the client
  and may not match the effective request target (e.g. absolute-form
  requests with a conflicting Host header)
  this can expose inconsistent or attacker-controlled host values to
  backend applications (uwsgi, fastcgi, scgi, proxy)
* switch to "$host" as a safer, normalized alternative
* note: this changes behaviour, as "$host" does not preserve the
  client-supplied port; deployments relying on "$http_host" including
  a port number may be affected
* it is a workaround for Debian bug #1126960 for the stable/oldstable releases
Checksums-Sha1:
8b8a0bdc2aeacd771e88664a2d03e8dd12f2a601 3586 nginx_1.22.1-9+deb12u6.dsc
b58e412556841a006da89270de4bfc9de822c245 79232 nginx_1.22.1-9+deb12u6.debian.tar.xz
416077d45207af1b5a114cd12ada6311bf2c786d 8828 nginx_1.22.1-9+deb12u6_source.buildinfo
Checksums-Sha256:
961b8c8f3e57bf50c37352e110bda975d0f0f4daa188f7b70856049dbbbf1ef2 3586 nginx_1.22.1-9+deb12u6.dsc
0c7368fd7218777d1e7c9feb6656a3129e3dc90d8c08462e12788f8fe3262aa5 79232 nginx_1.22.1-9+deb12u6.debian.tar.xz
58d69911618ead84a859259ee2ab0b84695bd5fcfd1670c9447f099b84535c49 8828 nginx_1.22.1-9+deb12u6_source.buildinfo
Files:
d265e67a4c019ad7d5667ca23e7771b8 3586 httpd optional nginx_1.22.1-9+deb12u6.dsc
e15293aecf38068e7168a22dfeed399b 79232 httpd optional nginx_1.22.1-9+deb12u6.debian.tar.xz
8cf44ea9735e6c0e78985f3294ceda9a 8828 httpd optional nginx_1.22.1-9+deb12u6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----