-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2026 12:22:02 +0000
Source: nginx
Architecture: source
Version: 1.26.3-3+deb13u6
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Changes:
 nginx (1.26.3-3+deb13u6) trixie-security; urgency=medium
 .
   * Apply both patches to fix CVE-2026-42946. In the previous version,
     only one part of the patch was applied, so the fix was incomplete.
     This really fixes CVE-2026-42946, thanks to charles@debian.org for
     pointing it out.
     * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch
     * d/p/CVE-2026-42946.1.patch add
   * backport fix for buffer overflow vulnerability in the
     ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
     * d/p/CVE-2026-9256.patch add
   * backport max_headers directive from upstream nginx. It limits the number
     of request headers accepted from clients. Fixes a remote denial-of-service
     exploit.
     And move max_headers from the core module to the ngx_http_header_count_module
     to avoid potential ABI breakage and keep all the 3rd party modules
     compatible with the new version of nginx without recompilation.
     A big thanks to Miao Wang for preparing the modification.
     Fixes TEMP-1138794-BADE22.
     * d/p/FIX-HTTP2bomb.patch add
Checksums-Sha1:
 df2318152c80b086460b54c98c3543f72f986142 3827 nginx_1.26.3-3+deb13u6.dsc
 4207a2844e6542292465427e25b76e24d01a85b6 1260179 nginx_1.26.3.orig.tar.gz
 21a3be6ada92a51e25f45ee7545a81c2037d73bf 862 nginx_1.26.3.orig.tar.gz.asc
 39d5ea60824fa0aaa5ca8b62ed9d19605c234763 91532 nginx_1.26.3-3+deb13u6.debian.tar.xz
 9a417087d7a79c63aca73d30173e35a5310587ed 8470 nginx_1.26.3-3+deb13u6_source.buildinfo
Checksums-Sha256:
 abb0c21033fa7ddb31004fed962f8cb1ca11bb9128471b94eddaad976a6ddb35 3827 nginx_1.26.3-3+deb13u6.dsc
 69ee2b237744036e61d24b836668aad3040dda461fe6f570f1787eab570c75aa 1260179 nginx_1.26.3.orig.tar.gz
 faa36c1c57af475445b2a50d203fea314ed1db6a3399ed95c79ae7e99478a9f3 862 nginx_1.26.3.orig.tar.gz.asc
 437591532fbaf63935cffc613249e90aaa0099d65797a895eb4abdda02a17d66 91532 nginx_1.26.3-3+deb13u6.debian.tar.xz
 be2471f96e1702961e8e5827452a4258c453bacc2fced6066819342f0638b9a7 8470 nginx_1.26.3-3+deb13u6_source.buildinfo
Files:
 d8dbfe232da502f638a3d4e94d1e1632 3827 httpd optional nginx_1.26.3-3+deb13u6.dsc
 75f8fdd88469c4d31e0715e186b2f1f9 1260179 httpd optional nginx_1.26.3.orig.tar.gz
 ec6865f8fe1813fd23ac9ddd5df0d1e6 862 httpd optional nginx_1.26.3.orig.tar.gz.asc
 2b2958c4422bb8f8828e818dcf59e162 91532 httpd optional nginx_1.26.3-3+deb13u6.debian.tar.xz
 afe0714456a48ac6100f6a81bf1c5b76 8470 httpd optional nginx_1.26.3-3+deb13u6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
