* [Buildroot] [PATCH] package/nginx: security bump to 1.30.3
@ 2026-07-02 7:37 Waldemar Brodkorb
2026-07-02 16:53 ` Peter Korsgaard
2026-07-10 13:52 ` Thomas Perale via buildroot
0 siblings, 2 replies; 3+ messages in thread
From: Waldemar Brodkorb @ 2026-07-02 7:37 UTC (permalink / raw)
To: buildroot
Changes with nginx 1.30.3
*) Security: a heap memory buffer overflow might occur in a worker
process when using a configuration with "ignore_invalid_headers off;"
and "large_client_header_buffers" with large configured values when
proxying a specially crafted request to HTTP/2 or gRPC backend,
allowing an attacker to cause worker process memory corruption or
segmentation fault in a worker process (CVE-2026-42055).
Thanks to Mufeed VH of Winfunc Research.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially sent response with decoding from
UTF-8 via the "charset_map" directive, allowing an attacker to cause
a limited disclosure of worker proccess memory or segmentation fault
in a worker process (CVE-2026-48142).
Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
---
package/nginx/nginx.hash | 2 +-
package/nginx/nginx.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
index 5055b4bd57..6c3afa889d 100644
--- a/package/nginx/nginx.hash
+++ b/package/nginx/nginx.hash
@@ -1,4 +1,4 @@
# Locally calculated after checking pgp signature
-sha256 7df3090907fca3cc0e456d6dc00ceb230da74ea88026ceff0affc29dbbd9ac4c nginx-1.30.2.tar.gz
+sha256 e5823dc6f45610993def93ebf6cfce68264af4958c77e874b7d20f3709001b8f nginx-1.30.3.tar.gz
# License files, locally calculated
sha256 08845fe39e06b51dad7685c28140ab49577a86e947523e16b536a46caf89ad5c LICENSE
diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
index 3f6aecebef..ad61ef6140 100644
--- a/package/nginx/nginx.mk
+++ b/package/nginx/nginx.mk
@@ -4,7 +4,7 @@
#
################################################################################
-NGINX_VERSION = 1.30.2
+NGINX_VERSION = 1.30.3
NGINX_SITE = https://nginx.org/download
NGINX_LICENSE = BSD-2-Clause
NGINX_LICENSE_FILES = LICENSE
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [Buildroot] [PATCH] package/nginx: security bump to 1.30.3
2026-07-02 7:37 [Buildroot] [PATCH] package/nginx: security bump to 1.30.3 Waldemar Brodkorb
@ 2026-07-02 16:53 ` Peter Korsgaard
2026-07-10 13:52 ` Thomas Perale via buildroot
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2026-07-02 16:53 UTC (permalink / raw)
To: Waldemar Brodkorb; +Cc: buildroot
>>>>> "Waldemar" == Waldemar Brodkorb <wbx@openadk.org> writes:
> Changes with nginx 1.30.3
> *) Security: a heap memory buffer overflow might occur in a worker
> process when using a configuration with "ignore_invalid_headers off;"
> and "large_client_header_buffers" with large configured values when
> proxying a specially crafted request to HTTP/2 or gRPC backend,
> allowing an attacker to cause worker process memory corruption or
> segmentation fault in a worker process (CVE-2026-42055).
> Thanks to Mufeed VH of Winfunc Research.
> *) Security: a heap memory buffer overread might occur in a worker
> process while handling a specially sent response with decoding from
> UTF-8 via the "charset_map" directive, allowing an attacker to cause
> a limited disclosure of worker proccess memory or segmentation fault
> in a worker process (CVE-2026-48142).
> Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/nginx: security bump to 1.30.3
2026-07-02 7:37 [Buildroot] [PATCH] package/nginx: security bump to 1.30.3 Waldemar Brodkorb
2026-07-02 16:53 ` Peter Korsgaard
@ 2026-07-10 13:52 ` Thomas Perale via buildroot
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-07-10 13:52 UTC (permalink / raw)
To: Waldemar Brodkorb; +Cc: Thomas Perale, buildroot
In reply of:
> Changes with nginx 1.30.3
>
> *) Security: a heap memory buffer overflow might occur in a worker
> process when using a configuration with "ignore_invalid_headers off;"
> and "large_client_header_buffers" with large configured values when
> proxying a specially crafted request to HTTP/2 or gRPC backend,
> allowing an attacker to cause worker process memory corruption or
> segmentation fault in a worker process (CVE-2026-42055).
> Thanks to Mufeed VH of Winfunc Research.
>
> *) Security: a heap memory buffer overread might occur in a worker
> process while handling a specially sent response with decoding from
> UTF-8 via the "charset_map" directive, allowing an attacker to cause
> a limited disclosure of worker proccess memory or segmentation fault
> in a worker process (CVE-2026-48142).
> Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
>
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Applied to 2026.05.x & 2025.02.x. Thanks
> ---
> package/nginx/nginx.hash | 2 +-
> package/nginx/nginx.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
> index 5055b4bd57..6c3afa889d 100644
> --- a/package/nginx/nginx.hash
> +++ b/package/nginx/nginx.hash
> @@ -1,4 +1,4 @@
> # Locally calculated after checking pgp signature
> -sha256 7df3090907fca3cc0e456d6dc00ceb230da74ea88026ceff0affc29dbbd9ac4c nginx-1.30.2.tar.gz
> +sha256 e5823dc6f45610993def93ebf6cfce68264af4958c77e874b7d20f3709001b8f nginx-1.30.3.tar.gz
> # License files, locally calculated
> sha256 08845fe39e06b51dad7685c28140ab49577a86e947523e16b536a46caf89ad5c LICENSE
> diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
> index 3f6aecebef..ad61ef6140 100644
> --- a/package/nginx/nginx.mk
> +++ b/package/nginx/nginx.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -NGINX_VERSION = 1.30.2
> +NGINX_VERSION = 1.30.3
> NGINX_SITE = https://nginx.org/download
> NGINX_LICENSE = BSD-2-Clause
> NGINX_LICENSE_FILES = LICENSE
> --
> 2.47.3
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-10 13:52 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 7:37 [Buildroot] [PATCH] package/nginx: security bump to 1.30.3 Waldemar Brodkorb
2026-07-02 16:53 ` Peter Korsgaard
2026-07-10 13:52 ` Thomas Perale via buildroot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.