From mdounin at mdounin.ru Tue Jun 2 16:19:40 2026
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 2 Jun 2026 19:19:40 +0300
Subject: freenginx-1.30.1

Changes with freenginx 1.30.1                                02 Jun 2026

    *) Change: the logging level of the "invalid ccs message", "not on
       record boundary", "required compression algorithm missing", and
       some "record layer failure" SSL errors has been lowered from
       "crit" to "info".

    *) Bugfix: a segmentation fault might occur in a worker process if
       the "rewrite" directive was used to change request arguments and
       other directives of the ngx_http_rewrite_module were executed
       afterwards.

    *) Bugfix: a segmentation fault might occur in a worker process if
       nested captures were used in the "rewrite" directive.

    *) Bugfix: a segmentation fault might occur in a worker process if
       the ngx_http_charset_module was used to convert responses from
       UTF-8.

    *) Bugfix: a segmentation fault might occur in a worker process if
       the "ssl_ocsp" directive was used.

    *) Bugfix: a segmentation fault might occur in a worker process if
       the "scgi_pass" or "uwsgi_pass" directives were used.

    *) Bugfix: in HTTP/3.

-- 
Maxim Dounin
http://freenginx.org/

From teo.en.ming at protonmail.com Mon Jun 15 07:57:14 2026
From: teo.en.ming at protonmail.com (Turritopsis Dohrnii Teo En Ming)
Date: Mon, 15 Jun 2026 07:57:14 +0000
Subject: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

Subject: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

Good day from Singapore,

Here is an article which I would like to share.

Article: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!
Link: https://cybersecuritynews.com/nginx-poolslip-vulnerability/amp/

Thank you.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
15 Jun 2026 Monday 3.56 pm Singapore Time

From mdounin at mdounin.ru Mon Jun 15 11:25:42 2026
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 15 Jun 2026 14:25:42 +0300
Subject: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

Hello!

On Mon, Jun 15, 2026 at 07:57:14AM +0000, Turritopsis Dohrnii Teo En Ming via nginx wrote:

> Here is an article which I would like to share.
>
> Article: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!
> Link: https://cybersecuritynews.com/nginx-poolslip-vulnerability/amp/

In no particular order:

- The "vulnerability" in question requires quite uncommon
  configuration with nested rewrite captures.  While vulnerable
  configurations are theoretically possible, it is highly unlikely
  that a particular configuration, even with rewrites being used,
  is vulnerable.

- Even if the particular configuration is vulnerable, exploiting
  it for anything beyond DoS is, at least, questionable.

- Avoid following the "replace positional captures with named
  captures" recommendation without understanding the effects.
  When done incorrectly, you are going to introduce response or
  request splitting issues in your configuration.

- It is already fixed in freenginx 1.31.2 (mainline) and freenginx
  1.30.1 (stable).

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
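
Both the 1.30.1 changelog and the reply above name nested captures in the "rewrite" directive as the precondition, so a configuration can be checked for that pattern before deciding how urgent the upgrade is. The script below is an added example, not part of the original messages and not freenginx code. Its function names and sample configuration are constructed for illustration, and a hit means only that the directive uses nested captures and deserves review.

```python
import re
# One "rewrite <regex> <replacement>" per line; the regex may be bare or quoted.
REWRITE_RE = re.compile(
    r"""^\s*rewrite\s+(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|(\S+))\s+\S""")

def max_capture_depth(pattern):
    """Deepest nesting level of capturing groups in a PCRE pattern."""
    stack, depth, deepest, i, in_class = [], 0, 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1                      # skip the escaped character as well
        elif in_class:
            in_class = c != "]"         # inside [...] parentheses are literals
        elif c == "[":
            in_class = True
            if pattern.startswith(("[]", "[^]"), i):   # leading "]" is a literal
                i = pattern.index("]", i)
        elif c == "(":
            # "(?<n>", "(?P<n>", "(?'n'" capture; other "(?..." and "(*VERB)" do not.
            capturing = (pattern[i + 1:i + 2] not in ("?", "*")
                         or bool(re.match(r"\(\?(P?<[A-Za-z_]|')", pattern[i:])))
            stack.append(capturing)
            depth += capturing          # True counts as 1
            deepest = max(deepest, depth)
        elif c == ")" and stack and stack.pop():
            depth -= 1
        i += 1
    return deepest

def audit(config_text):
    """Return (line_number, regex) for rewrite directives with nested captures."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        regex = next(g for g in m.groups() if g is not None) if m else ""
        if max_capture_depth(regex) >= 2:
            hits.append((n, regex))
    return hits

SAMPLE = r"""# constructed sample configuration, not taken from the thread
rewrite ^/users/(\d+)/(\w+)$ /profile?id=$1&tab=$2 last;
rewrite ^/(files/(.*))$ /download?path=$2 last;
rewrite "^/(?:v1|v2)/([a-z]{2}(-[A-Z]{2})?)/" /api?lang=$1 break;
rewrite ^/a/(?<id>[()]+)$ /b?id=$id last;
"""

if __name__ == "__main__":
    print(*(f"line {n}: nested captures in {rx}" for n, rx in audit(SAMPLE)), sep="\n")
```

Directives split across several lines, or several directives on one line, are outside what this line-based check handles.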