#1140359 nginx: CVE-2026-42055

Package:
src:nginx
Source:
src:nginx
Submitter:
Salvatore Bonaccorso
Date:
2026-06-19 20:57:02 UTC
Severity:
normal
Tags:
#1140359#5
Date:
2026-06-19 03:40:49 UTC
From:
To:
Hi,

The following vulnerability was published for nginx.

CVE-2026-42055[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This
| vulnerability exists when the proxy_http_version to 2 or
| grpc_pass directives are used to proxy HTTP/2 traffic, the
| ignore_invalid_headers directive is set to off, and the
| large_client_header_buffers directive size is larger than 2
| megabytes. A remote, unauthenticated attacker, along with conditions
| beyond their control, could send large headers while creating an
| upstream request. This may cause a heap-based buffer overflow in the
| NGINX worker process leading to a restart. Additionally, attackers
| can execute code on systems with Address Space Layout Randomization
| (ASLR) disabled or when the attacker can bypass ASLR. Note:
| Software versions which have reached End of Technical Support (EoTS)
| are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42055
https://www.cve.org/CVERecord?id=CVE-2026-42055
[1] https://my.f5.com/manage/s/article/K000161584
[2] https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

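The advisory text above describes a vulnerability that is only reachable under a specific combination of configuration directives. The script below is an added example (not code from nginx, Debian or the reporter) that audits an nginx configuration for exactly that combination, so an operator can confirm whether a deployment is exposed before the patched package lands. It assumes a simplified nginx grammar (no quoted strings containing `;` or braces), takes the `proxy_http_version 2` value and the 2 MB threshold from the advisory text, and uses nginx's documented defaults of `ignore_invalid_headers on` and `large_client_header_buffers 4 8k` for contexts that do not set them; the sample configuration embedded at the bottom is constructed.

```python
"""Audit an nginx configuration for the CVE-2026-42055 precondition set.

Flags every HTTP/2 upstream directive (``proxy_http_version 2`` or
``grpc_pass``) whose effective context has ``ignore_invalid_headers off``
and a ``large_client_header_buffers`` buffer size above 2 MB. Assumptions:
a simplified nginx grammar (no quoted strings containing ``;`` or braces),
and nginx's documented defaults of ``ignore_invalid_headers on`` and
``large_client_header_buffers 4 8k``.
"""
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
THRESHOLD = 2 * 1024 ** 2          # "larger than 2 megabytes" (advisory text)
DEFAULTS = {"ignore_invalid_headers": "on",
            "large_client_header_buffers": 8 * 1024}   # nginx default: 4 8k


def parse_size(text):
    """Convert an nginx size token such as '8k' or '4m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def tokenize(src):
    """Strip comments and split into directive words, braces and semicolons."""
    src = re.sub(r"#[^\n]*", "", src)
    return re.findall(r"[{};]|[^\s{};]+", src)


def parse_block(tokens, pos=0):
    """Recursive descent: returns ([(name, args, children_or_None)], next_pos)."""
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        name, args = tokens[pos], []
        pos += 1
        while tokens[pos] not in ("{", ";"):
            args.append(tokens[pos])
            pos += 1
        if tokens[pos] == ";":
            items.append((name, args, None))
            pos += 1
        else:
            children, pos = parse_block(tokens, pos + 1)
            items.append((name, args, children))
            pos += 1                       # consume the closing '}'
    return items, pos


def audit(items, inherited, path, findings):
    """Walk one block; settings apply to the whole block regardless of order."""
    settings = dict(inherited)
    for name, args, _ in items:
        if name == "ignore_invalid_headers" and args:
            settings[name] = args[0]
        elif name == "large_client_header_buffers" and len(args) >= 2:
            settings[name] = parse_size(args[1])
    for name, args, children in items:
        h2_upstream = name == "grpc_pass" or (
            name == "proxy_http_version" and args and args[0] == "2")
        if (h2_upstream and settings["ignore_invalid_headers"] == "off"
                and settings["large_client_header_buffers"] > THRESHOLD):
            where = " > ".join(path) or "<main>"
            findings.append(
                f"{where}: '{name} {' '.join(args)}' with ignore_invalid_headers off "
                f"and large_client_header_buffers size "
                f"{settings['large_client_header_buffers']} bytes")
        if children is not None:
            audit(children, settings, path + [" ".join([name] + args)], findings)
    return findings


def audit_config(src):
    """Return the list of risky directive sites found in an nginx config text."""
    items, _ = parse_block(tokenize(src))
    return audit(items, DEFAULTS, [], [])


# Constructed sample: the first server carries all three preconditions, the
# second restores a small header buffer and is therefore not flagged.
SAMPLE = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;      # far above the 2 MB threshold
    server {
        listen 80;
        location /api/ { proxy_http_version 2; proxy_pass http://backend; }
        location /rpc/ { grpc_pass grpc://rpc_backend; }
    }
    server {
        listen 81;
        large_client_header_buffers 4 16k;  # overrides the http-level size
        location /api/ { proxy_http_version 2; proxy_pass http://backend; }
    }
}
"""

if __name__ == "__main__":
    for line in audit_config(SAMPLE) or ["no risky combination found"]:
        print(line)
```

Run against a real configuration with `audit_config(open("/etc/nginx/nginx.conf").read())`; note that `include` directives are not followed, so included files need to be audited separately or concatenated first. A finding means the three preconditions coincide in one context; any of the three, for example resetting `large_client_header_buffers` to a size at or below 2 MB as the second server block does, removes the exposure until the patched package is installed.
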
#1140359#10
Date:
2026-06-19 20:56:25 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Mojžíš <janmojzis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Fri, 19 Jun 2026 19:21:49 +0000
Source: nginx
Architecture: source
Version: 1.30.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Closes: 1140359
Changes:
 nginx (1.30.1-5) unstable; urgency=medium
 .
   * d/t/ssi-module-test: remove the test associated with the bug report,
     since the underlying bug has been fixed in bookworm
   * d/t/RFC9112: create a wrapper for RFC9112 tests, then merge d/t/proxy,
     d/t/uwsgi-RFC9112, and d/t/fastcgi-RFC9112 into the wrapper to improve
     test performance.
   * d/control: bump Standards-Version: 4.7.4, no changes
   * d/p/CVE-2026-42055.patch add, backport fix for buffer overflow
     vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module
     (CVE-2026-42055) (Closes: 1140359)
   * d/p/CVE-2026-48142.patch add, backport fix for buffer overread
     vulnerability in the ngx_http_charset_module (CVE-2026-48142)
Checksums-Sha1:
 a1ca257b8c7f81a2cb40ee21f0d2a47832b7698d 3803 nginx_1.30.1-5.dsc
 2a7faa86248f3422ee9a33652cd748fd5d7f95af 78112 nginx_1.30.1-5.debian.tar.xz
 98090886fb54d6f99b73f056b54360e96ea8b451 3113948 nginx_1.30.1-5.git.tar.xz
 a6dbf86ead95db759a88a35a7baac7321bc8514e 17484 nginx_1.30.1-5_source.buildinfo
Checksums-Sha256:
 b875ef3cd5261afa2a8b157a3fdc4be81e592252cc4f64c05872c34bf1598d5c 3803 nginx_1.30.1-5.dsc
 a0e2bda21c59182446ee4cfa38b346f858a5fdc04959cb370388ad68f4560000 78112 nginx_1.30.1-5.debian.tar.xz
 39171568c401490ea513e9d49061f0a171445a3538a9ee00f8ab3e53cf54686a 3113948 nginx_1.30.1-5.git.tar.xz
 2f19a60a94861de21baca90775e7f238ddfcf21cbd8337783bd8b58c9400eb73 17484 nginx_1.30.1-5_source.buildinfo
Files:
 0bedfe152e0dae009c674f7d6184eabe 3803 httpd optional nginx_1.30.1-5.dsc
 ef2711ca9e9f6faf0289cc46aff983bb 78112 httpd optional nginx_1.30.1-5.debian.tar.xz
 78ca4e88e9aca39ffb241ad52a862991 3113948 httpd None nginx_1.30.1-5.git.tar.xz
 d6a85730bee17d1ef0bb04c4bf967bef 17484 httpd optional nginx_1.30.1-5_source.buildinfo
Git-Tag-Info: tag=df47fe26cfc38564dbbead6b0634da24cba7303c fp=d008b0c23d8479e46b9fcb9045da517496939ff9
Git-Tag-Tagger: Jan Mojžíš <jan.mojzis@gmail.com>