Yeah, I believe those are other bugs and Security fixes patched in NGINX
OSS 1.31.0 and 1.30.1. Just thought I'd make a note. (the one-line for
the rewrite buffer overrun is, however, a fix for the specific CVE
referenced in this thread. Other CVEs were also patched independently as
other commits.)
On 2026-05-14 23:44, Maxim Dounin wrote:
Hello!
On Fri, May 15, 2026 at 12:38:09AM +0000, Thomas Ward via nginx wrote:
FYI Maxim the fix for the buffer overrun in rewrite is a one line patch.
Sure, except it might not be the best solution. Based on my
analysis I tend to prefer at least three lines.
Also, I see at least one additional case of obviously incorrect
escaping applied by the related rewrite code, though without a
buffer overrun.
Sent from my Galaxy
-------- Original message --------
From: Maxim Dounin<[email protected]>
Date: 5/14/26 20:09 (GMT-05:00)
To:[email protected]
Subject: Re: CVE status
Hello!
On Thu, May 14, 2026 at 02:15:35PM -0700,[email protected]
wrote:
Hi,
does CVE-2026-42945 apply to freenginx? And if yes, will there be a point
release to fix it?
Here's the reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-42945
It does apply.
Note though that triggering this bug requires rather specific
configuration (a matched "rewrite" which changes request arguments
but continues rewrite processing, that is, without "break" or any
other flags, followed by a "set" or "if" which uses positional
captures or another matched rewrite which uses positional captures and
additional variables or duplicate positional captures), and
therefore most configurations won't be affected at all. As a
reference point, none of the examples provided in the rewrite
documentation are affected.
I'm currently looking into this, as well as other issues published
by F5, and will provide appropriate patches shortly. Once patches
are ready, there will be a release.
--
Maxim Dounin
http://mdounin.ru/
