Format: 1.8
Date: Fri, 05 Jun 2026 12:22:02 +0000
Source: nginx
Binary: nginx-common nginx-core nginx-dev nginx-doc nginx-full nginx-light
Architecture: all
Version: 1.26.3-3+deb13u6
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Jan Mojžíš
Description:
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-core - nginx web/proxy server (standard version)
 nginx-dev  - nginx web/proxy server - development headers
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-full - nginx web/proxy server (standard version with 3rd parties)
 nginx-light - nginx web/proxy server (basic version)
Changes:
 nginx (1.26.3-3+deb13u6) trixie-security; urgency=medium
 .
   * Apply both patches to fix CVE-2026-42946. In the previous version, only
     one part of the patch was applied, so the fix was incomplete. This
     really fixes CVE-2026-42946, thanks to charles@debian.org for pointing
     it out.
   * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch
   * d/p/CVE-2026-42946.1.patch add
   * backport fix for buffer overflow vulnerability in the
     ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx.
   * d/p/CVE-2026-9256.patch add
   * backport max_headers directive from upstream nginx. It limits the
     number of request headers accepted from clients. Fixes remote
     denial-of-service exploit. And move max_headers from core module to
     the ngx_http_header_count_module to avoid potential ABI breakage and
     keep all the 3rd party modules compatible with the new version of
     nginx without recompilation. A big thanks to Miao Wang for preparing
     the modification. Fixes TEMP-1138794-BADE22.
   * d/p/FIX-HTTP2bomb.patch add