Hello!

On Fri, May 15, 2026 at 12:38:09AM +0000, Thomas Ward via nginx wrote:

> FYI Maxim the fix for the buffer overrun in rewrite is a one line patch.

Sure, except it might not be the best solution. Based on my
analysis I tend to prefer at least three lines.

Also, I see at least one additional case of obviously incorrect
escaping applied by the related rewrite code, though without a
buffer overrun.

>
>
> Sent from my Galaxy
>
>
> -------- Original message --------
> From: Maxim Dounin <[email protected]>
> Date: 5/14/26 20:09 (GMT-05:00)
> To: [email protected]
> Subject: Re: CVE status
>
> Hello!
>
> On Thu, May 14, 2026 at 02:15:35PM -0700, [email protected]
> wrote:
>
> > Hi,
> >
> > does CVE-2026-42945 apply to freenginx? And if yes, will there be a point
> > release to fix it?
> >
> > Here's the reference:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2026-42945
>
> It does apply.
>
> Note though that triggering this bug requires rather specific
> configuration (a matched "rewrite" which changes request arguments
> but continues rewrite processing, that is, without "break" or any
> other flags, followed by a "set" or "if" which uses positional
> captures or another matched rewrite which uses positional captures and
> additional variables or duplicate positional captures), and
> therefore most configurations won't be affected at all. As a
> reference point, none of the examples provided in the rewrite
> documentation are affected.
>
> I'm currently looking into this, as well as other issues published
> by F5, and will provide appropriate patches shortly. Once patches
> are ready, there will be a release.
>
> --
> Maxim Dounin
> http://mdounin.ru/

--
Maxim Dounin
http://mdounin.ru/
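
The configuration conditions listed in the quoted message, turned into a rough review aid for existing configs. This is an added example, not part of the thread and not freenginx code; it assumes one directive per line, treats a replacement containing `?` as "changes request arguments", and the sample config is constructed.

```python
import re

FLAGS = {"last", "break", "redirect", "permanent"}
CAPTURE = re.compile(r"\$([1-9])")          # positional captures $1..$9
NAMED_VAR = re.compile(r"\$\{?[A-Za-z_]")   # any other variable, e.g. $args

def uses_captures(name, args):
    """True if a later directive uses captures the way the message describes."""
    if name in ("set", "if"):
        return bool(CAPTURE.search(" ".join(args)))
    if name == "rewrite" and len(args) >= 2:
        caps = CAPTURE.findall(args[1])
        duplicated = len(caps) != len(set(caps))
        return bool(caps) and (duplicated or bool(NAMED_VAR.search(args[1])))
    return False

def audit(conf):
    """Return (rewrite_line, later_line) pairs that deserve a manual review."""
    findings, armed = [], None   # armed: line of a flagless rewrite that sets args
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("}"):
            armed = None         # heuristic: stop tracking when a block closes
            continue
        words = line.rstrip(";{").split()
        if not words:
            continue
        name, args = words[0], words[1:]
        if armed is not None and uses_captures(name, args):
            findings.append((armed, no))
        if name == "rewrite" and len(args) >= 2:
            flagged = len(args) >= 3 and args[2] in FLAGS
            if not flagged and "?" in args[1]:
                armed = no
    return findings

# Constructed sample: only the /a/ and /e/ locations match the described pattern.
SAMPLE = """
server {
    location /a/ {
        rewrite ^/a/(.*)$ /b/$1?x=1;
        set $orig $1;
    }
    location /c/ {
        rewrite ^/c/(.*)$ /d/$1?y=2 break;
        set $orig $1;
    }
    location /e/ {
        rewrite ^/e/(.*)$ /f/$1?z=3;
        rewrite ^/f/(.*)$ /g/$1/$1 last;
    }
}
"""
```

A hit only means the directive sequence resembles the description above; whether a given configuration is actually affected depends on which rewrites match at run time.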
