Wednesday, March 25, 2026

www/nginx 1.28.3 - fixing multiple CVEs

Update to www/nginx 1.28.3 released yesterday fixing

- buffer overflow vulnerability in the ngx_http_dav_module
(CVE-2026-27654)

- buffer overflow vulnerabilities in the ngx_http_mp4_module
(CVE-2026-27784, CVE-2026-32647)

- mail session authentication vulnerabilities
(CVE-2026-27651, CVE-2026-28753)

- OCSP result bypass vulnerability in stream
(CVE-2026-28755)



Index: Makefile
===================================================================
RCS file: /cvs/ports/www/nginx/Makefile,v
retrieving revision 1.200
diff -u -p -r1.200 Makefile
--- Makefile 5 Feb 2026 16:09:47 -0000 1.200
+++ Makefile 25 Mar 2026 11:06:13 -0000
@@ -19,7 +19,7 @@ COMMENT-securelink= nginx HMAC secure li
COMMENT-stream= nginx TCP/UDP proxy module
COMMENT-xslt= nginx XSLT filter module

-VERSION= 1.28.2
+VERSION= 1.28.3
DISTNAME= nginx-${VERSION}
CATEGORIES= www

@@ -39,7 +39,6 @@ PKGNAME-rtmp= nginx-rtmp-${VERSION}
PKGNAME-securelink= nginx-securelink-${VERSION}
PKGNAME-stream= nginx-stream-${VERSION}
PKGNAME-xslt= nginx-xslt-${VERSION}
-REVISION= 0

SITES= https://nginx.org/download/
SITES.p=https://raw.githubusercontent.com/rnagy/nginx_chroot_patch/master/ \
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/nginx/distinfo,v
retrieving revision 1.95
diff -u -p -r1.95 distinfo
--- distinfo 5 Feb 2026 16:09:47 -0000 1.95
+++ distinfo 25 Mar 2026 11:06:13 -0000
@@ -4,7 +4,7 @@ SHA256 (kvspb-nginx-auth-ldap-83c059b735
SHA256 (leev-ngx_http_geoip2_module-3.4.tar.gz) = rXL8IzSNcVozCZSYRTH6ubNgbhYEgyNnN/mkppV9lFI=
SHA256 (nbs-system-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.gz) = 2+IXdBFFfxy6mO5Gc84xh2mUrQa9zl7MDuZjhO8OQg4=
SHA256 (nginx-1.20.1-chroot.patch) = SS1TB0j8N4/dn5pUTGT6WvkN3aAUuKz5+R0Nt+MG0gk=
-SHA256 (nginx-1.28.2.tar.gz) = IOXg8skXrPtREg7sL7qaS6Th4Q/ShGUGfMh6fYGoKaM=
+SHA256 (nginx-1.28.3.tar.gz) = LJapRr+wiCohdE7UKXcKISOuGCjHxIZlCSmT3e6RqRg=
SHA256 (nginx-modules-ngx_http_hmac_secure_link_module-48c4625fbbf51ed5a95bfec23fa444f6c3702e50.tar.gz) = ZXpA2rODS1enIREzlD1OqWwpWcv3NOUXH4eUOgOAmqg=
SHA256 (nginx-njs-0.9.1.tar.gz) = YTZe6mnGhi/IpbXfUxUDrklJn2vNWvkySWuEhQooJKQ=
SHA256 (openresty-headers-more-nginx-module-v0.34.tar.gz) = DA0s7SzolbP0XrKyMM2QUIqyp3MpnxU94UpD5EwSCbM=
@@ -17,7 +17,7 @@ SIZE (kvspb-nginx-auth-ldap-83c059b73566
SIZE (leev-ngx_http_geoip2_module-3.4.tar.gz) = 8877
SIZE (nbs-system-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.gz) = 237272
SIZE (nginx-1.20.1-chroot.patch) = 8783
-SIZE (nginx-1.28.2.tar.gz) = 1282351
+SIZE (nginx-1.28.3.tar.gz) = 1284562
SIZE (nginx-modules-ngx_http_hmac_secure_link_module-48c4625fbbf51ed5a95bfec23fa444f6c3702e50.tar.gz) = 6159
SIZE (nginx-njs-0.9.1.tar.gz) = 966480
SIZE (openresty-headers-more-nginx-module-v0.34.tar.gz) = 28827



--
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74 F644 0D3C F66F F286 5E51

https://www.wrapped.cx

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)