Your message dated Mon, 04 May 2026 07:06:26 +0000
with message-id <[email protected]>
and subject line Bug#1134955: fixed in nsis 3.12-1
has caused the Debian Bug report #1134955,
regarding nsis: CVE-2026-42171
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134955: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134955
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nsis
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for nsis.
CVE-2026-42171[0]:
| NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12
| sometimes uses the Low IL temp directory when executing as SYSTEM,
| allowing local attackers to gain privileges (if they can cause
| my_GetTempFileName to return 0, as shown in the references).
https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca (v312)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-42171
https://www.cve.org/CVERecord?id=CVE-2026-42171
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: nsis
Source-Version: 3.12-1
Done: Thomas Gaugler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nsis, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Gaugler <[email protected]> (supplier of updated nsis package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 May 2026 08:40:33 +0200
Source: nsis
Architecture: source
Version: 3.12-1
Distribution: unstable
Urgency: medium
Maintainer: Thomas Gaugler <[email protected]>
Changed-By: Thomas Gaugler <[email protected]>
Closes: 1134955
Changes:
nsis (3.12-1) unstable; urgency=medium
.
* New upstream version 3.12
- Fixes CVE-2026-42171 (Closes: #1134955)
Git-Tag-Info: tag=01ef0c5aab493e5e882d7d99d87c16aaaa0ecfb4
fp=e3a50d1be8da245a4bc141bcea830bc6a684cd7c
Git-Tag-Tagger: Didier 'OdyX' Raboud <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---