nginx - Debian Package Tracker

general

source: nginx (main)
version: 1.28.1-3
maintainer: Debian Nginx Maintainers (archive) (DMD)
uploaders: Jan Mojžíš [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.18.0-6.1+deb11u3
o-o-sec: 1.18.0-6.1+deb11u5
oldstable: 1.22.1-9+deb12u3
stable: 1.26.3-3+deb13u1
testing: 1.28.1-2
unstable: 1.28.1-3

versioned links

1.18.0-6.1+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.18.0-6.1+deb11u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.22.1-9+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.26.3-3+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.28.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.28.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnginx-mod-http-geoip
libnginx-mod-http-image-filter
libnginx-mod-http-perl
libnginx-mod-http-xslt-filter
libnginx-mod-mail
libnginx-mod-stream
libnginx-mod-stream-geoip (1 bugs: 0, 1, 0, 0)
nginx (15 bugs: 0, 11, 4, 0)
nginx-common (11 bugs: 0, 9, 2, 0)
nginx-core
nginx-dev (3 bugs: 0, 1, 2, 0)
nginx-doc
nginx-extras (6 bugs: 0, 3, 3, 0)
nginx-full
nginx-light

action needed

A new upstream version is available: 1.28.2 high

A new upstream version 1.28.2 is available, you should consider packaging it.

Created: 2026-02-08 Last update: 2026-02-10 18:30

2 security issues in trixie high

There are 2 open security issues in trixie.

1 important issue:

CVE-2026-1642: A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

1 ignored issue:

CVE-2013-0337: The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

Created: 2025-08-09 Last update: 2026-02-09 12:18

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2013-0337: The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

Created: 2022-07-04 Last update: 2026-02-09 12:18

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2013-0337: The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.
CVE-2026-1642: A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Created: 2025-08-09 Last update: 2026-02-09 12:18

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-1642: A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

1 ignored issue:

CVE-2013-0337: The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

Created: 2023-06-10 Last update: 2026-02-09 12:18

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.28.2-1, distribution experimental) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 67fb7e128042bd5c0ee6d58e303f9dc850817e87
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 18:31:04 2026 +0100

    release nginx 1.28.2-1, upload to experimental

commit 411abff7c2077c1b8766de381f8ab0292b1aae3a
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 18:04:55 2026 +0100

    d/upstream/signing-key.asc: convert to minimal key

commit 276d3ba929214732a3d6aafc44acea82e8e8aacd
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:39:58 2026 +0100

    d/p/CVE-2026-1642.patch: remove, fixed in upstream

commit a02ec9ecabd8a94d172e97d6899bddfead89830e
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:38:01 2026 +0100

    d/control: update Standards-Version: 4.7.3, remove Priority: optional

commit 116dea3d9bffb610531c0cddd2c06cb6d4dcb415
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:36:44 2026 +0100

    d/libnginx-mod.abisubstvars: update ABI to nginx-abi-1.28.2-1

commit 62705f9e87267fcad2f9a1a1f99339265ac3fd2d
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:35:42 2026 +0100

    d/changelog: version 1.28.2-1

commit 96c2f7a2ede73eabbb6d96ba4f1f3675ecc4d5c4
Merge: 1e71561 a7e4d05
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:35:09 2026 +0100

    Update upstream source from tag 'upstream/1.28.2'
    
    Update to upstream version '1.28.2'
    with Debian dir e8853c66a4c2fadd7f4c160a5332324aa898303b

commit a7e4d05791127edfccb1965569e8444187f984e9
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:35:04 2026 +0100

    New upstream version 1.28.2

commit 1e7156190bcb436cbb346b3751733132754151f1
Author: Jan Mojžíš <jan.mojzis@gmail.com>
Date:   Tue Feb 10 17:30:51 2026 +0100

    d/upstream/signing-key.asc: replace by Roman Arutyunyan’s PGP public key
    which signed 1.28.2 release

Created: 2026-02-10 Last update: 2026-02-10 18:31

5 bugs tagged patch in the BTS normal

The BTS contains patches fixing 5 bugs (12 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2026-02-10 17:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-12-27 Last update: 2025-12-27 06:30

3 open merge requests in Salsa normal

There are 3 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-09-05 17:32

debian/patches: 4 patches to forward upstream low

Among the 4 debian patches available in version 1.28.1-3 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-02-09 12:19

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-02-09 13:01

testing migrations

This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for nginx (1.28.1-2 to 1.28.1-3): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for debusine/0.14.4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Ignored failure ♻ (reference ♻), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for diaspora-installer/0.9.0.0+debian2+nmu1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Regression ♻ (reference ♻), s390x: Pass
- ∙ ∙ Autopkgtest for elinks/0.19.0-3: s390x: Pass ♻
- ∙ ∙ Autopkgtest for nginx/1.28.1-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Too young, only 1 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/nginx.html
- ∙ ∙ Reproducible on amd64
- ∙ ∙ Reproducible on arm64
- ∙ ∙ Reproducible on armhf
- ∙ ∙ Reproducible on i386
- ∙ ∙ Reproducible on ppc64el
- Not considered

news

[rss feed]

[2026-02-09] Accepted nginx 1.28.1-3 (source) into unstable (Jan Mojžíš)
[2025-12-30] nginx 1.28.1-2 MIGRATED to testing (Debian testing watch)
[2025-12-26] Accepted nginx 1.28.1-2 (source) into unstable (Jan Mojžíš)
[2025-12-24] Accepted nginx 1.28.1-1 (source) into experimental (Jan Mojžíš)
[2025-09-11] nginx 1.28.0-6 MIGRATED to testing (Debian testing watch)
[2025-09-09] nginx 1.28.0-5 MIGRATED to testing (Debian testing watch)
[2025-09-08] Accepted nginx 1.28.0-6 (source) into unstable (Jan Mojžíš)
[2025-09-06] Accepted nginx 1.28.0-5 (source) into unstable (Jan Mojžíš)
[2025-09-05] Accepted nginx 1.28.0-4 (source) into unstable (Jan Mojžíš)
[2025-08-30] Accepted nginx 1.22.1-9+deb12u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Jan Mojžíš)
[2025-08-30] Accepted nginx 1.26.3-3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jan Mojžíš)
[2025-08-30] nginx 1.28.0-3 MIGRATED to testing (Debian testing watch)
[2025-08-26] Accepted nginx 1.28.0-3 (source) into unstable (Jan Mojžíš)
[2025-08-16] Accepted nginx 1.28.0-2 (source) into experimental (Jan Mojžíš)
[2025-08-12] Accepted nginx 1.28.0-1 (source) into experimental (Jan Mojžíš)
[2025-06-24] Accepted nginx 1.18.0-6.1+deb11u5 (source) into oldstable-security (Sylvain Beucler)
[2025-06-05] nginx 1.26.3-3 MIGRATED to testing (Debian testing watch)
[2025-05-15] Accepted nginx 1.26.3-3 (source) into unstable (Jan Mojžíš)
[2025-04-14] Accepted nginx 1.22.1-9+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Andrew Shadura)
[2025-03-25] Accepted nginx 1.18.0-6.1+deb11u4 (source) into oldstable-security (Andrej Shadura) (signed by: Andrew Shadura)
[2025-03-07] Accepted nginx 1.22.1-9+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jan Mojžíš)
[2025-02-11] nginx 1.26.3-2 MIGRATED to testing (Debian testing watch)
[2025-02-07] Accepted nginx 1.26.3-2 (source) into unstable (Jérémy Lal)
[2025-02-05] Accepted nginx 1.26.3-1 (source) into experimental (Jérémy Lal)
[2025-02-02] Accepted nginx 1.26.2-1 (source) into experimental (Jérémy Lal)
[2024-10-03] nginx 1.26.0-3 MIGRATED to testing (Debian testing watch)
[2024-09-30] Accepted nginx 1.26.0-3 (source) into unstable (Thomas Ward)
[2024-08-23] nginx 1.26.0-2 MIGRATED to testing (Debian testing watch)
[2024-08-20] Accepted nginx 1.26.0-2 (source) into unstable (Jan Mojžíš)
[2024-05-09] nginx 1.26.0-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 46 54
RC: 0
I&N: 28
M&W: 16 24
F&P: 2
patch: 5 12

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, -)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.28.1-2ubuntu1
19 bugs (1 patch)
patches for 1.28.1-2ubuntu1