UbuntuUpdates.org

Package "libnginx-mod-http-geoip2"

Name: libnginx-mod-http-geoip2

Description: GeoIP2 HTTP module for Nginx

Latest version: 1.18.0-6ubuntu14.16
Release: jammy (22.04)
Level: security
Repository: main
Head package: nginx
Homepage: https://nginx.net

Other versions of "libnginx-mod-http-geoip2" in Jammy

Repository  Area  Version
base        main  1.18.0-6ubuntu14
updates     main  1.18.0-6ubuntu14.16

Changelog

Version: 1.18.0-6ubuntu14.16 2026-06-22 15:07:45 UTC

  nginx (1.18.0-6ubuntu14.16) jammy-security; urgency=medium

  * SECURITY UPDATE: heap overflow via large headers
    - debian/patches/CVE-2026-42055.patch: limit header length for HTTP/2 and
      gRPC in src/http/modules/ngx_http_grpc_module.c.
    - CVE-2026-42055
  * SECURITY UPDATE: heap overread in ngx_http_charset_module
    - debian/patches/CVE-2026-48142.patch: Charset: fixed another rare buffer
      overread in recode_from_utf8() in
      src/http/modules/ngx_http_charset_filter_module.c.
    - CVE-2026-48142

 -- Marc Deslauriers <email address hidden> Fri, 19 Jun 2026 09:56:31 -0400

CVE-2026-42055 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists whe
CVE-2026-48142 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location blo

Version: 1.18.0-6ubuntu14.15 2026-06-15 16:07:27 UTC

  nginx (1.18.0-6ubuntu14.15) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 Bomb denial of service
    - debian/patches/CVE-2026-49975.patch: updated to patch from Debian's
      1.26.3-3+deb13u6 package which was modified to not break ABI by
      storing the information in a new ngx_http_header_count_module module.
      Thanks to Miao Wang and Jan Mojžíš for the modified patch!
    - CVE-2026-49975

 -- Marc Deslauriers <email address hidden> Wed, 10 Jun 2026 16:12:55 -0400

CVE-2026-49975 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. T

Version: 1.18.0-6ubuntu14.14 2026-06-09 15:07:28 UTC

  nginx (1.18.0-6ubuntu14.14) jammy-security; urgency=medium

  * SECURITY REGRESSION: ABI change breaking external modules (LP: #2155992)
    - debian/patches/CVE-2026-49975.patch: disable for now, pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Tue, 09 Jun 2026 07:45:51 -0400

CVE-2026-49975 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. T

Version: 1.18.0-6ubuntu14.13 2026-06-08 13:07:51 UTC

  nginx (1.18.0-6ubuntu14.13) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 Bomb denial of service
    - debian/patches/CVE-2026-49975.patch: Added max_headers directive. in
      src/http/ngx_http_core_module.c, src/http/ngx_http_core_module.h,
      src/http/ngx_http_request.c, src/http/ngx_http_request.h,
      src/http/v2/ngx_http_v2.c.
    - CVE-2026-49975

 -- Marc Deslauriers <email address hidden> Fri, 05 Jun 2026 07:38:10 -0400

Version: 1.18.0-6ubuntu14.12 2026-06-01 18:07:44 UTC

  nginx (1.18.0-6ubuntu14.12) jammy-security; urgency=medium

  * SECURITY UPDATE: resolver use-after-free in OCSP
    - debian/patches/CVE-2026-40701.patch: OCSP: resolve cleanup on connection
      close in src/event/ngx_event_openssl_stapling.c.
    - CVE-2026-40701
  * SECURITY UPDATE: Buffer overread in the ngx_http_charset_module
    - debian/patches/CVE-2026-42934.patch: Charset: fix buffer over-read in
      recode_from_utf8(). in src/http/modules/ngx_http_charset_filter_module.c.
    - CVE-2026-42934
  * SECURITY UPDATE: Buffer overread in the ngx_http_scgi_module and
    ngx_http_uwsgi_module
    - debian/patches/CVE-2026-42946-1.patch: Upstream: reset parsing state after
      invalid status line in src/http/modules/ngx_http_scgi_module.c,
      src/http/modules/ngx_http_uwsgi_module.c.
    - debian/patches/CVE-2026-42946-2.patch: Upstream: fixed parsing of split
      status lines in src/http/modules/ngx_http_proxy_module.c,
      src/http/modules/ngx_http_scgi_module.c,
      src/http/modules/ngx_http_uwsgi_module.c.
    - CVE-2026-42946
  * SECURITY UPDATE: Buffer overflow in the ngx_http_rewrite_module
    - debian/patches/CVE-2026-9256.patch: Rewrite: fix buffer overflow with
      overlapping captures in src/http/ngx_http_script.c.
    - CVE-2026-9256

 -- Marc Deslauriers <email address hidden> Sat, 30 May 2026 10:32:05 -0400

CVE-2026-40701 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optio
CVE-2026-42934 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_
CVE-2026-42946 A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read o
CVE-2026-9256 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses


