Message-ID: <20260326030111.GA2606@openwall.com>
Date: Thu, 26 Mar 2026 04:01:12 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Sergey Kandaurov <pluknet@...nx.com>
Subject: 7 CVEs fixed in nginx

Hi,

Since the last nginx CVE I brought in here last year, there appeared 7
more CVEs/advisories at:

https://nginx.org/en/security_advisories.html

6 of these are dated Mar 24, 2026 and one Feb 4, 2026. Here are the
summaries copy-pasted from the above:

Buffer overflow in ngx_http_dav_module
Severity: medium
CVE-2026-27654
Not vulnerable: 1.29.7+, 1.28.3+
Vulnerable: 0.5.13-1.29.6

Buffer overflow in the ngx_http_mp4_module
Severity: medium
CVE-2026-27784
Not vulnerable: 1.29.7+, 1.28.3+
Vulnerable: 1.1.19-1.29.6

Buffer overflow in the ngx_http_mp4_module
Severity: medium
CVE-2026-32647
Not vulnerable: 1.29.7+, 1.28.3+
Vulnerable: 1.1.19-1.29.6

NULL pointer dereference while using CRAM-MD5 or APOP
Severity: low
CVE-2026-27651
Not vulnerable: 1.29.7+, 1.28.3+
Vulnerable: 0.5.15-1.29.6

Injection in auth_http and XCLIENT
Severity: medium
CVE-2026-28753
Not vulnerable: 1.29.7+, 1.28.3+
Vulnerable: 0.6.27-1.29.6

OCSP result bypass in stream
Severity: medium
CVE-2026-28755
Not vulnerable: 1.29.7+, 1.28.3+
Vulnerable: 1.27.2-1.29.6

SSL upstream injection
Severity: medium
CVE-2026-1642
Not vulnerable: 1.29.5+, 1.28.2+
Vulnerable: 1.3.0-1.29.4

Each of these has a link to the actual advisory on the MyF5 website, but
these are just the CVE description fields plus tables on (not) affected
F5 product versions in addition to "NGINX Open Source" versions above.

I think I am still subscribed to the nginx-announce mailing list where
things like this were sent to last year, but I didn't receive anything
this time. I just went to the list archive at:

https://mailman.nginx.org/pipermail/nginx-announce/

and it also ends in 2025.

I only learned of these CVEs from a third-party website by chance, which
is not ideal. Maybe something the nginx project should correct.

Alexander