Release date:
2026-05-26 21:10:37 UTC
Description:
* SECURITY UPDATE: heap buffer overflow in ngx_http_rewrite_module
when a rewrite replacement string has overlapping PCRE captures and
no variables, with either the 'redirect' parameter or arguments
- debian/patches/CVE-2026-9256.patch: account per-capture length
(including URI-escape expansion) when sizing the replacement
buffer in ngx_http_script_regex_start_code
- CVE-2026-9256
Updated packages:
-
nginx1.23_1.23.4-1~trixie+tuxcare.els6_amd64.deb
sha:18bfc2e8cb4a0a1ef9b91329765f76642c2d3499
-
nginx1.23_1.23.4-1~trixie+tuxcare.els6_arm64.deb
sha:f1e51e4da0eafe8d178bd54df4aca6889a1267a9
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
