Your message dated Thu, 21 May 2026 12:48:49 +0000
with message-id <[email protected]>
and subject line Bug#1137215: fixed in libnginx-mod-js 0.9.9-1
has caused the Debian Bug report #1137215,
regarding libnginx-mod-js: CVE-2026-8711
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137215
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libnginx-mod-js
Version: 0.9.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libnginx-mod-js.

CVE-2026-8711[0]:
| NGINX JavaScript has a vulnerability when the
| js_fetch_proxy directive is configured with at least one client-
| controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*)
| and a location invoking the ngx.fetch() operation from NGINX
| JavaScript. An unauthenticated attacker can exploit this
| vulnerability by sending crafted HTTP requests. This may cause a
| heap buffer overflow in the NGINX worker process leading to a
| restart. Additionally, for systems with Address Space Layout
| Randomization (ASLR) disabled, code execution is possible. Note:
| Software versions which have reached End of Technical Support (EoTS)
| are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8711
    https://www.cve.org/CVERecord?id=CVE-2026-8711
[1] https://my.f5.com/manage/s/article/K000161307

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
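
The condition described in the report above (a js_fetch_proxy value built from request-derived variables) can be checked in a deployed configuration until the fixed package is installed. This is an added example, not part of the original messages or of the njs or Debian code; the sample configuration is constructed, the host names and `$egress_proxy` are hypothetical, and the "review" verdict for other variables is an added heuristic.

```python
import re

# Variable prefixes the advisory names as client-controlled examples.
CLIENT_PREFIXES = ("http_", "arg_", "cookie_")
DIRECTIVE = re.compile(r"(?<![\w$])js_fetch_proxy\s+([^;{}]*);")
VARIABLE = re.compile(r"\$\{?(\w+)\}?")

# Constructed sample configuration; hosts and $egress_proxy are hypothetical.
SAMPLE = """\
http {
    server {
        location /a {
            js_fetch_proxy http://proxy.example.internal:3128;
        }
        location /b {
            # js_fetch_proxy http://$arg_old:3128;
            js_fetch_proxy http://$http_x_proxy_host:3128;
        }
        location /c {
            js_fetch_proxy http://$egress_proxy;
        }
    }
}
"""


def strip_comments(text):
    """Blank out '#' comments, keeping line numbers (quoted '#' not handled)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit(text):
    """Return (line, value, verdict, variables) per js_fetch_proxy directive."""
    clean, findings = strip_comments(text), []
    for m in DIRECTIVE.finditer(clean):
        value = " ".join(m.group(1).split())
        names = VARIABLE.findall(value)
        risky = [n for n in names if n.startswith(CLIENT_PREFIXES)]
        # Assumption: any other variable is flagged for manual review only.
        verdict = "client-controlled" if risky else "review" if names else "static"
        line = clean.count("\n", 0, m.start()) + 1
        findings.append((line, value, verdict, risky or names))
    return findings


if __name__ == "__main__":
    for line, value, verdict, names in audit(SAMPLE):
        print(f"line {line}: {verdict:17} {value} {names}")
```

A "review" result means the variable's origin has to be traced by hand, for instance through `set` or `map` blocks that may themselves copy a request value.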
--- Begin Message ---
Source: libnginx-mod-js
Source-Version: 0.9.9-1
Done: Jérémy Lal <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libnginx-mod-js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <[email protected]> (supplier of updated libnginx-mod-js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 21 May 2026 10:26:11 +0200
Source: libnginx-mod-js
Architecture: source
Version: 0.9.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Jérémy Lal <[email protected]>
Closes: 1137215
Changes:
 libnginx-mod-js (0.9.9-1) unstable; urgency=medium
 .
   * New upstream version 0.9.9
     CVE-2026-8711: Heap buffer overflow in a worker process when the
     js_fetch_proxy directive value contains nginx variables derived from
     the client request and the location's JS handler invokes ngx.fetch().
     Closes: #1137215.
 .
   [ Miao Wang ]
   * Separate the build directory for the njs CLI tool, to prevent the
     compiled modules from being linked with the .a files of the CLI tool,
     which causes the njs JS engine to fail to load.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
