Format: 1.8
Date: Fri, 05 Jun 2026 12:23:48 +0000
Source: nginx
Architecture: source
Version: 1.22.1-9+deb12u8
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Nginx Maintainers
Changed-By: Jan Mojžíš
Changes:
 nginx (1.22.1-9+deb12u8) bookworm-security; urgency=medium
 .
   * Apply both patches to fix CVE-2026-42946. In the previous version, only
     one part of the patch was applied, so the fix was incomplete. This
     really fixes CVE-2026-42946, thanks to charles@debian.org for pointing
     it out.
   * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch
   * d/p/CVE-2026-42946.1.patch add
   * backport fix for buffer overflow vulnerability in the
     ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
   * d/p/CVE-2026-9256.patch add
   * backport max_headers directive from upstream nginx. It limits the
     number of request headers accepted from clients. Fixes remote
     denial-of-service exploit. And move max_headers from core module to
     the ngx_http_header_count_module to avoid potential ABI breakage and
     keep all the 3rd party modules compatible with the new version of
     nginx without recompilation. A big thanks to Miao Wang for preparing
     the modification. Fixes TEMP-1138794-BADE22.
   * d/p/FIX-HTTP2bomb.patch add