-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 May 2026 11:59:31 +0000
Source: nginx
Architecture: source
Version: 1.18.0-6.1+deb11u6
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Closes: 1111138 1127053
Changes:
 nginx (1.18.0-6.1+deb11u6) bullseye-security; urgency=medium
 .
   * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642. Fixes problem
     when an attacker with a man-in-the-middle position on the upstream server
     side—along with conditions beyond the attacker's control—may be able to
     inject plain text data into the response from an upstream proxied server.
     (Closes: #1127053)
   * backport changes from upstream nginx, fixes for buffer overflow
     vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow
     vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647),
     mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753)
   * d/p/CVE-2026-27651.patch add
   * d/p/CVE-2026-27654.patch add
   * d/p/CVE-2026-27784.patch add
   * d/p/CVE-2026-28753.patch add
   * d/p/CVE-2026-32647.patch add
   * backport changes from upstream nginx, buffer overflow in the
     ngx_http_rewrite_module (CVE-2026-42945), buffer overread in the
     ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), resolver
     use-after-free in OCSP (CVE-2026-40701), buffer overread in the
     ngx_http_charset_module (CVE-2026-42934)
   * d/p/CVE-2026-42945.patch add
   * d/p/CVE-2026-42946.1.patch add
   * d/p/CVE-2026-42946.2.patch add
   * d/p/CVE-2026-40701.patch add
   * d/p/CVE-2026-42934.patch add
   * d/conf/*_params: use "$host" instead of "$http_host"
     * "$http_host" forwards the Host header exactly as supplied by the client
       and may not match the effective request target (e.g. absolute-form
       requests with a conflicting Host header); this can expose inconsistent
       or attacker-controlled host values to backend applications (uwsgi,
       fastcgi, scgi, proxy)
     * switch to "$host" as a safer, normalized alternative
     * note: this changes behaviour, as "$host" does not preserve the
       client-supplied port; deployments relying on "$http_host" including a
       port number may be affected
     * it is a workaround for Debian bug #1126960 for stable/oldstable release
   * d/p/CVE-2025-53859.patch add, fix potential information leak in
     ngx_mail_smtp_module (CVE-2025-53859). (Closes: #1111138)
Checksums-Sha1:
 c075f6ce253229a23ce9c94d8691891a57b2a756 4790 nginx_1.18.0-6.1+deb11u6.dsc
 5c35ba2536d2386c3315a60221326bb3f256305d 1053560 nginx_1.18.0-6.1+deb11u6.debian.tar.xz
 fbe5a0ceb7e261d2c9cfec7fb4e070708af27173 27723 nginx_1.18.0-6.1+deb11u6_amd64.buildinfo
Checksums-Sha256:
 4961a0a902e5dd92d5aedae582dba7c00e6331b6b4174875d78ebef43a4e2668 4790 nginx_1.18.0-6.1+deb11u6.dsc
 8446773c8faf5e564f4dbe3c278faa49b45c158654dcf187a70454a263ffe7a9 1053560 nginx_1.18.0-6.1+deb11u6.debian.tar.xz
 292efc4c181a2af551e5c8fca65002ada01133e7e503553d04d80f1cbf99f9d5 27723 nginx_1.18.0-6.1+deb11u6_amd64.buildinfo
Files:
 09900081e6bd89ab6985dd543ddde152 4790 httpd optional nginx_1.18.0-6.1+deb11u6.dsc
 12299412127b4394bb31243b4b505965 1053560 httpd optional nginx_1.18.0-6.1+deb11u6.debian.tar.xz
 e162be3ebdf5805f548ba52f5d7031cb 27723 httpd optional nginx_1.18.0-6.1+deb11u6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEECgzx8d8+AINglLHJt4M9ggJ8mQsFAmoLD6AACgkQt4M9ggJ8
mQsNzg/+LWRijP9RBMCyxKVjg68PorcRbotRRpccN7fXu3tAxH5MIEko8cQDLlfP
2OqfgbLoO87Kn5RkEj7dzxtZjh63AQrUy7znVYIFFLId+Fa7kOBok9QJ/INKzgRW
uP0ojQ/Ipp7nWtCB1ynSLe54uMxGr3NqoTEJcJRt3EGI+qEAMShTsLsDqKLDpFVr
Q5PSTyjeZV9UocgVy3QOP4efs/GEl0L05AGV6kXy+1HV3gd+woejTHtFKkkFgUhQ
LbepJ8LtX2EUXSZHZX39pRX6hKSq1bUW84JxUXT0BuUS9KiN44Lknsc/P0sx4ZVR
YoVMFQLw0qtzwPOase0CBvwr5S2DA9gpLy5FoaWSTkQU9Ku3KrNwegfKpbiqLqHk
M3KpL6Oxu2mq9yXBBSYPz3trLDybQBltQg6hLCRu+oo75YX5qK7AGESoq1G6eC7d
0nq6yhaDpX0T4cvQ0oyP9hgO5PEvRbIsGdOHpXGzCOAk5qjSzjzWTcouEhNAb1ZW
7L84R67m9hdbQSPZ749kh7JB3B0keU+OZv4YLR3/XrCsNYWifeKqmFuHBgZFKqYf
WeexAChyQjpy/X2O4Nw/WLV9wtPZk4Nidvbg0KdACo8iXQSHvGMUsRo5MP5dm+FD
pzzty9f60GF/W77ZYABhSBgLSFG9ITUEvaCUWpA/J0JfuTzKkVo=
=h2Mf
-----END PGP SIGNATURE-----