UbuntuUpdates.org

Package "nginx-common"

Name: nginx-common

Description:

small, powerful, scalable web/proxy server - common files
Latest version: 1.28.3-2ubuntu1.4
Release: resolute (26.04)
Level: security
Repository: main
Head package: nginx
Homepage: https://nginx.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "nginx-common"

All arch deb package
APT INSTALL

Other versions of "nginx-common" in Resolute

Repository Area Version
base main 1.28.3-2ubuntu1
updates main 1.28.3-2ubuntu1.4

Changelog

Version: 1.28.3-2ubuntu1.4 2026-06-09 15:07:34 UTC

  nginx (1.28.3-2ubuntu1.4) resolute-security; urgency=medium

  * SECURITY REGRESSION: ABI change breaking external modules (LP: #2155992)
    - debian/patches/CVE-2026-49975.patch: disable for now, pending further
      investigation.

 -- Marc Deslauriers <email address hidden> Tue, 09 Jun 2026 07:43:21 -0400
Source diff to previous version
CVE-2026-49975 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. T

Version: 1.28.3-2ubuntu1.3 2026-06-08 13:08:04 UTC

  nginx (1.28.3-2ubuntu1.3) resolute-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 Bomb denial of service
    - debian/patches/CVE-2026-49975.patch: Added max_headers directive. in
      src/http/ngx_http_core_module.c, src/http/ngx_http_core_module.h,
      src/http/ngx_http_request.c, src/http/ngx_http_request.h,
      src/http/v2/ngx_http_v2.c, src/http/v3/ngx_http_v3_request.c.
    - CVE-2026-49975

 -- Marc Deslauriers <email address hidden> Fri, 05 Jun 2026 07:24:46 -0400
Source diff to previous version

Version: 1.28.3-2ubuntu1.2 2026-06-01 18:08:04 UTC

  nginx (1.28.3-2ubuntu1.2) resolute-security; urgency=medium

  * SECURITY UPDATE: HTTP/3 address spoofing
    - debian/patches/CVE-2026-40460.patch: QUIC: avoid assigning unvalidated
      address to new streams in src/event/quic/ngx_event_quic_migration.c.
    - CVE-2026-40460
  * SECURITY UPDATE: resolver use-after-free in OCSP
    - debian/patches/CVE-2026-40701.patch: OCSP: resolve cleanup on connection
      close in src/event/ngx_event_openssl_stapling.c.
    - CVE-2026-40701
  * SECURITY UPDATE: Buffer overread in the ngx_http_charset_module
    - debian/patches/CVE-2026-42934.patch: Charset: fix buffer over-read in
      recode_from_utf8(). in src/http/modules/ngx_http_charset_filter_module.c.
    - CVE-2026-42934
  * SECURITY UPDATE: Buffer overread in the ngx_http_scgi_module and
    ngx_http_uwsgi_module
    - debian/patches/CVE-2026-42946-1.patch: Upstream: reset parsing state after
      invalid status line in src/http/modules/ngx_http_scgi_module.c,
      src/http/modules/ngx_http_uwsgi_module.c.
    - debian/patches/CVE-2026-42946-2.patch: Upstream: fixed parsing of split
      status lines in src/http/modules/ngx_http_proxy_module.c,
      src/http/modules/ngx_http_scgi_module.c,
      src/http/modules/ngx_http_uwsgi_module.c.
    - CVE-2026-42946
  * SECURITY UPDATE: Buffer overflow in the ngx_http_rewrite_module
    - debian/patches/CVE-2026-9256.patch: Rewrite: fix buffer overflow with
      overlapping captures in src/http/ngx_http_script.c.
    - CVE-2026-9256

 -- Marc Deslauriers <email address hidden> Sat, 30 May 2026 10:26:32 -0400
Source diff to previous version
CVE-2026-40460 When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing
CVE-2026-40701 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optio
CVE-2026-42934 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_
CVE-2026-42946 A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read o
CVE-2026-9256 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses

Version: 1.28.3-2ubuntu1.1 2026-05-14 13:07:43 UTC

  nginx (1.28.3-2ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: buffer overrun in ngx_http_rewrite_module
    (LP: #2152577)
    - d/patches/cve-2026-42945.patch: Apply upstream commit/fix
      for CVE
    - CVE-2026-42945

 -- Thomas Ward <email address hidden> Wed, 13 May 2026 17:01:19 -0400
2152577 CVE-2026-42945: heap-based buffer overflow in ngx_http_rewrite_module (NGINX Rift)
CVE-2026-42945 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is


About   -   Send Feedback to @ubuntu_updates