[CLSA-2026:1783338524] Fix CVE(s): CVE-2026-42934
Type:
security
Severity:
Moderate
Release date:
2026-07-06 11:49:06 UTC
Description:
* SECURITY UPDATE: buffer over-read in ngx_http_charset_recode_from_utf8() when a multi-byte UTF-8 character is split across 3+ single-byte buffers, where the saved-array index was used both as the ngx_utf8_decode() byte count and the ngx_memcpy() copy length, reading past the input buffer - debian/patches/CVE-2026-42934.patch: use ngx_min() to bound the copy length and pass the byte count instead of the loop index, and adjust the advanced pointer up to the whole saved sequence to avoid a residual 1-byte overread on invalid UTF-8 sequences in src/http/modules/ngx_http_charset_filter_module.c - CVE-2026-42934
CVEs fixed:
Updated packages:
  • nginx1.27_1.27.5-1~trixie+tuxcare.els8_amd64.deb
    sha:f24ebea59ccbffd5cda9d1585722121bf29dfcc7
  • nginx1.27_1.27.5-1~trixie+tuxcare.els8_arm64.deb
    sha:f1f2becfe84419ec6896c5a8b08ea29e882ba3ca
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.