Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?
- In reply to: Martin Simmons : "Re: nginx-1.30.2_2,3 wrongly vulnerable to CVE-2026-9256 ?"
Date: Mon, 01 Jun 2026 20:42:16 UTC
Including joneum@ who maintains the port.

On Mon, Jun 1, 2026 at 2:26 PM Martin Simmons <martin@lispworks.com> wrote:

> [fernape@ added]
>
> >>>>> On Sun, 31 May 2026 22:01:11 +0200, Arnaud de Prelle said:
> >
> > Hi,
> >
> > As per
> > - https://www.freshports.org/www/nginx/ and
> > - https://vuxml.freebsd.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> > CVE-2026-9256 should be fixed since nginx 1.30.2,3.
>
> The contents of this URL was stale -- the VuXML now says nginx < 1.31.1,3
> (since yesterday), which explains why pkg audit is detecting it.
>
> > I'm using the latest version of nginx:
> > # pkg info nginx | grep Version
> > Version : 1.30.2_2,3
> >
> > But pkg audit -F reports this port as vulnerable to CVE-2026-9256:
> > # pkg audit -F
> > vulnxml file up-to-date
> > nginx-1.30.2_2,3 is vulnerable:
> > nginx -- heap buffer overflow in ngx_http_rewrite_module
> > CVE: CVE-2026-9256
> > WWW: https://vuxml.FreeBSD.org/freebsd/36a3131d-5600-11f1-b339-3497f65b111b.html
> >
> > Am I missing something ?
>
> The VuXML looks wrong to me now.
>
> nginx released both 1.30.2 and 1.31.1 to fix this CVE
> (https://nginx.org/en/CHANGES-1.30 and https://nginx.org/en/CHANGES).
>
> __Martin
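
The range mismatch discussed in this thread, as an added example that is not part of the original messages and is not code from pkg or VuXML: a simplified Python model of FreeBSD package version ordering (numeric `upstream[_revision][,epoch]` strings only) that checks versions against VuXML-style `lt`/`ge` bounds. `PUBLISHED` is the single range quoted in the thread; `SPLIT` is a constructed assumption built from the versions named in the thread, not the actual VuXML entry.

```python
import operator

OPS = {"lt": operator.lt, "le": operator.le,
       "gt": operator.gt, "ge": operator.ge}

def parse(version):
    """Turn 'upstream[_revision][,epoch]' into a sortable tuple.

    Simplified: handles dotted numeric upstream versions only. Epoch is
    compared first, then the upstream components, then the port revision.
    """
    upstream, _, epoch = version.partition(",")
    upstream, _, revision = upstream.partition("_")
    parts = tuple(int(p) for p in upstream.split("."))
    return (int(epoch or 0), parts, int(revision or 0))

def in_range(version, bounds):
    """True if the version satisfies every bound of one range."""
    v = parse(version)
    return all(OPS[op](v, parse(limit)) for op, limit in bounds.items())

def affected(version, ranges):
    """An entry flags a package if any one of its ranges matches."""
    return any(in_range(version, r) for r in ranges)

# Range quoted in the thread: "nginx < 1.31.1,3".
PUBLISHED = [{"lt": "1.31.1,3"}]

# Constructed for illustration (assumption): one range per branch, so the
# fixed stable release falls outside both.
SPLIT = [
    {"lt": "1.30.2,3"},
    {"ge": "1.31.0,3", "lt": "1.31.1,3"},
]

if __name__ == "__main__":
    # Sample versions constructed from those mentioned in the thread.
    for ver in ("1.30.1,3", "1.30.2_2,3", "1.31.0,3", "1.31.1,3"):
        print(f"{ver:12} published={affected(ver, PUBLISHED)!s:5} "
              f"split={affected(ver, SPLIT)}")
```

A single upper bound taken from the newest branch flags every release of the older branch, including the one that carries the fix, which is the pkg audit result reported above.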