Release date:
2026-05-26 16:11:20 UTC
Description:
* SECURITY UPDATE: heap buffer overflow in ngx_http_rewrite_module
when a rewrite replacement string has overlapping PCRE captures and
no variables, with either the 'redirect' parameter or arguments
- debian/patches/CVE-2026-9256.patch: account per-capture length
(including URI-escape expansion) when sizing the replacement
buffer in ngx_http_script_regex_start_code
- CVE-2026-9256
Updated packages:
-
nginx1.23_1.23.4-1~bookworm+tuxcare.els6_amd64.deb
sha:cf3178f9e9791c102c207ac4ee9d435dba7af609
-
nginx1.23_1.23.4-1~bookworm+tuxcare.els6_arm64.deb
sha:e29392abf7b0caaa782560075cc8c0932d05b96e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
