libnginx-mod-js - Debian Package Tracker

general

source: libnginx-mod-js (main)
version: 0.9.8-1
maintainer: Debian Nginx Maintainers (archive) (DMD)
uploaders: Jérémy Lal [DMD]
arch: any
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 0.7.9-2
stable: 0.8.9-1
testing: 0.9.4-1
unstable: 0.9.8-1

versioned links

0.7.9-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnginx-mod-http-js
libnginx-mod-stream-js
njs

action needed

3 binary packages have unsatisfiable dependencies high

The dependencies of libnginx-mod-stream-js=0.9.8-1 cannot be satisfied in unstable on arm64, ppc64el, s390x, armhf, i386, and amd64 because: unsatisfied dependency on libnginx-mod-stream (< 1.30.0.1~)
The dependencies of njs=0.9.8-1 cannot be satisfied in unstable on arm64, ppc64el, s390x, armhf, i386, and amd64 because: unsatisfied dependency on libnginx-mod-stream (< 1.30.0.1~)
The dependencies of libnginx-mod-http-js=0.9.8-1 cannot be satisfied in unstable on arm64, ppc64el, s390x, armhf, i386, and amd64 because: unsatisfied dependency on libnginx-mod-stream (< 1.30.0.1~)

Created: 2026-05-20 Last update: 2026-05-20 21:00

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:01:26
Last run: 2026-05-14T14:43:37.000Z
Previous status: unknown

testing: pass (log)
The tests ran in 0:01:08
Last run: 2026-05-20T13:24:31.000Z
Previous status: unknown

stable: pass (log)
The tests ran in 0:01:16
Last run: 2025-11-09T06:27:24.000Z
Previous status: unknown

Created: 2026-05-14 Last update: 2026-05-20 20:00

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-8711: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Created: 2026-05-20 Last update: 2026-05-20 08:32

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-8711: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Created: 2026-05-20 Last update: 2026-05-20 08:32

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-8711: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Created: 2026-05-20 Last update: 2026-05-20 08:32

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-8711: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Created: 2026-05-20 Last update: 2026-05-20 08:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-08 Last update: 2026-05-20 20:33

lintian reports 7 warnings normal

Lintian reports 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-15 Last update: 2026-05-03 23:01

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-09-22 Last update: 2025-09-22 19:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.2).

Created: 2024-04-07 Last update: 2026-05-03 16:47

testing migrations

This package is part of the ongoing testing transition known as auto-upperlimit-libnginx-mod-stream. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package is part of the ongoing testing transition known as nginx-abi-1.30.1-1. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migrates after: nginx
- Migration status for libnginx-mod-js (0.9.4-1 to 0.9.8-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for libnginx-mod-js/0.9.8-1: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Depends: libnginx-mod-js nginx (not considered)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/libn/libnginx-mod-js.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 18 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-03] Accepted libnginx-mod-js 0.9.8-1 (source) into unstable (Jérémy Lal)
[2026-04-05] Accepted libnginx-mod-js 0.9.6-1 (source) into experimental (Jérémy Lal)
[2026-01-08] libnginx-mod-js 0.9.4-1 MIGRATED to testing (Debian testing watch)
[2026-01-05] Accepted libnginx-mod-js 0.9.4-1 (source) into unstable (Jérémy Lal)
[2025-09-17] libnginx-mod-js 0.9.1-1 MIGRATED to testing (Debian testing watch)
[2025-09-15] Accepted libnginx-mod-js 0.9.1-1 (source) into unstable (Jérémy Lal)
[2025-03-02] libnginx-mod-js 0.8.9-1 MIGRATED to testing (Debian testing watch)
[2025-02-28] Accepted libnginx-mod-js 0.8.9-1 (source) into unstable (Jérémy Lal)
[2024-09-03] libnginx-mod-js 0.8.5-1 MIGRATED to testing (Debian testing watch)
[2024-09-01] Accepted libnginx-mod-js 0.8.5-1 (source) into unstable (Jérémy Lal)
[2024-06-17] libnginx-mod-js 0.8.4-1 MIGRATED to testing (Debian testing watch)
[2024-06-14] Accepted libnginx-mod-js 0.8.4-1 (source) into unstable (Jérémy Lal)
[2023-12-21] libnginx-mod-js 0.8.2-1 MIGRATED to testing (Debian testing watch)
[2023-12-17] Accepted libnginx-mod-js 0.8.2-1 (source) into unstable (Jérémy Lal)
[2023-10-15] libnginx-mod-js 0.8.1-1 MIGRATED to testing (Debian testing watch)
[2023-10-12] Accepted libnginx-mod-js 0.8.1-1 (source) into unstable (Jan Mojžíš)
[2023-08-26] libnginx-mod-js 0.8.0-1 MIGRATED to testing (Debian testing watch)
[2023-08-23] Accepted libnginx-mod-js 0.8.0-1 (source) into unstable (Jan Mojžíš)
[2023-07-13] libnginx-mod-js 0.7.12-2 MIGRATED to testing (Debian testing watch)
[2023-06-28] Accepted libnginx-mod-js 0.7.12-2 (source) into unstable (Jan Mojžíš)
[2023-06-26] Accepted libnginx-mod-js 0.7.12-2~exp2 (source) into experimental (Jan Mojžíš)
[2023-06-26] Accepted libnginx-mod-js 0.7.12-2~exp1 (source) into experimental (Jan Mojžíš)
[2023-06-19] Accepted libnginx-mod-js 0.7.12-1 (source) into unstable (Jérémy Lal)
[2023-02-24] libnginx-mod-js 0.7.9-2 MIGRATED to testing (Debian testing watch)
[2023-02-13] Accepted libnginx-mod-js 0.7.9-2 (source) into unstable (Jan Mojžíš)
[2023-01-17] libnginx-mod-js 0.7.9-1 MIGRATED to testing (Debian testing watch)
[2023-01-13] Accepted libnginx-mod-js 0.7.9-1 (source amd64) into unstable (Debian FTP Masters) (signed by: Jérémy Lal)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 7)
buildd: logs, reproducibility, debcheck, cross
popcon
browse source code
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.9.4-1build2