[Buildroot] [PATCH v2] package/nginx: security bump to version 1.28.3
Shubham Chakraborty
chakrabortyshubham66 at gmail.com
Mon May 4 09:43:25 UTC 2026
Hi Marcus,
Thanks for applying the patch and for correcting the sign-off placement.
I'll make sure to follow that convention going forward.
Best regards,
Shubham
On Mon, 4 May, 2026, 2:01 pm Marcus Hoffmann, <buildroot at bubu1.eu> wrote:
> Hi Shubham,
>
> On 4/30/26 07:40, Shubham Chakraborty wrote:
> > Fixes the following security issues:
> > - CVE-2026-27654: Buffer overflow in ngx_http_dav_module when using the
> > alias directive with WebDAV COPY or MOVE requests.
> > - CVE-2026-27784 & CVE-2026-32647: Buffer overflows in
> ngx_http_mp4_module
> > when processing specially crafted MP4 files.
> > - CVE-2026-27651: NULL pointer dereference in the mail proxy module
> > during CRAM-MD5 or APOP authentication retries.
> > - CVE-2026-28753: DNS PTR record manipulation in auth_http or SMTP proxy.
> > - CVE-2026-28755: OCSP certificate check bypass in the stream module.
> >
> > For a full list of changes, see:
> > https://nginx.org/en/CHANGES-1.28
> >
> > ---
> > v1 -> v2:
> > - Bump to 1.28.3 (stable) instead of 1.29.7 (mainline) as requested
> > by Marcus Hoffmann.
> > - Highlight security fixes in the commit message.
> >
> > Signed-off-by: Shubham Chakraborty <chakrabortyshubham66 at gmail.com>
> > ---
> Your sign-off needs to be above the first --- line which separates the
> commit message from additional patch commentary.
>
> I moved it up while applying.
>
> Marcus
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildroot.org/pipermail/buildroot/attachments/20260504/ade14159/attachment.htm>
More information about the buildroot
mailing list