Format: 1.8
Date: Fri, 05 Jun 2026 12:23:48 +0000
Source: nginx
Binary: nginx-common nginx-core nginx-dev nginx-doc nginx-full nginx-light
Architecture: all
Version: 1.22.1-9+deb12u8
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Jan Mojžíš
Description:
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-core - nginx web/proxy server (standard version)
 nginx-dev - nginx web/proxy server - development headers
 nginx-doc - small, powerful, scalable web/proxy server - documentation
 nginx-full - nginx web/proxy server (standard version with 3rd parties)
 nginx-light - nginx web/proxy server (basic version)
Changes:
 nginx (1.22.1-9+deb12u8) bookworm-security; urgency=medium
 .
   * Apply both patches to fix CVE-2026-42946. In the previous version, only
     one part of the patch was applied, so the fix was incomplete. This really
     fixes CVE-2026-42946, thanks to charles@debian.org for pointing it out.
   * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch
   * d/p/CVE-2026-42946.1.patch add
   * backport fix for buffer overflow vulnerability in the
     ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
   * d/p/CVE-2026-9256.patch add
   * backport max_headers directive from upstream nginx. It limits the number
     of request headers accepted from clients. Fixes remote denial-of-service
     exploit. And move max_headers from core module to the
     ngx_http_header_count_module to avoid potential ABI breakage and keep all
     the 3rd party modules compatible with the new version of nginx without
     recompilation. A big thanks to Miao Wang for preparing the modification.
     Fixes TEMP-1138794-BADE22.
   * d/p/FIX-HTTP2bomb.patch add