Second remotely exploitable vulnerability found in Nginx in ten days.

Nginx 1.31.1 and 1.30.2 have been released, fixing a critical vulnerability (CVE-2026-9256) that allows remote code execution with the privileges of the Nginx worker process by sending a specially crafted HTTP request. The researchers who found the vulnerability have demonstrated a working exploit, which will be published together with a full description thirty days after the release of the patch. The vulnerability has been codenamed nginx-poolslip. It is present starting with Nginx version 0.1.17. At the time of writing, no patches have been released for Angie and Freenginx.

Like the similar vulnerability fixed last week, the new one is caused by a buffer overflow in the ngx_http_rewrite_module module and shows up in configurations that use certain regular expressions in the "rewrite" directive. In this case, the vulnerability affects systems with nested patterns (parentheses inside parentheses) in the rewrite expression, such as "^/((.*))$" or "^/(test([123]))$", combined with the use of multiple unnamed substitutions in the replacement string (for example, "$1$2").

Also worth noting is the release of njs 0.9.9, a module for integrating the JavaScript interpreter into the nginx HTTP server. The new version fixes a vulnerability (CVE-2026-8711) that has been present since njs 0.9.4. The vulnerability is caused by a buffer overflow and shows up in configurations with a js_fetch_proxy directive that contains nginx variables carrying data from the client request (such as $http_*, $arg_*, and $cookie_*), combined with a location handler that calls the ngx.fetch() function. The vulnerability can be exploited to execute code with the privileges of the nginx worker process by sending a specially crafted HTTP request.
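To triage configurations against the two conditions described above, the following added example (not code from the article, the researchers or the nginx project) flags "rewrite" directives that combine nested unnamed groups with two or more numbered substitutions, and js_fetch_proxy values that embed client-controlled variables. It is a line-based heuristic: the sample configuration is constructed, one directive per line is assumed, and whether a location handler actually calls ngx.fetch() has to be checked in the JavaScript code separately.

```python
import re

# Constructed sample configuration for illustration (not from the article).
SAMPLE_CONF = r'''
server {
    rewrite "^/((.*))$" /index.php?a=$1&b=$2 last;
    rewrite ^/(test([123]))$ /t/$1$2 break;
    rewrite ^/(a)/(b)$ /$1/$2 last;
    rewrite ^/((?:x|y)+)$ /$1 last;
    js_fetch_proxy http://$arg_proxy:3128;
    js_fetch_proxy http://proxy.internal:3128;
}
'''
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s;]+)')   # quoted or bare argument
CLIENT_VAR = re.compile(r"\$\{?(http_|arg_|cookie_)\w+")   # request-derived variables

def has_nested_captures(regex):
    """True if an unnamed capturing group opens inside another one.
    Simplification: any '(?...' group is treated as non-capturing."""
    stack, i, in_class = [], 0, False
    while i < len(regex):
        c = regex[i]
        if c == "\\":            # skip the escaped character, e.g. \( or \[
            i += 2
            continue
        if in_class:             # inside [...] parentheses are literals
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            capturing = regex[i + 1:i + 2] != "?"
            if capturing and any(stack):
                return True
            stack.append(capturing)
        elif c == ")" and stack:
            stack.pop()
        i += 1
    return False

def audit(conf):
    """Return (line number, directive, argument) for lines worth reviewing."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        tok = ["".join(t) for t in TOKEN.findall(line)]
        if tok[:1] == ["rewrite"] and len(tok) >= 3:
            # Conservative: any two $N references count as "multiple".
            if has_nested_captures(tok[1]) and len(re.findall(r"\$\d", tok[2])) >= 2:
                findings.append((lineno, "rewrite", tok[1]))
        elif tok[:1] == ["js_fetch_proxy"] and len(tok) >= 2 and CLIENT_VAR.search(tok[1]):
            findings.append((lineno, "js_fetch_proxy", tok[1]))
    return findings
```

Running `audit()` over the output of `nginx -T` covers included files as well; a hit means the directive matches the pattern in the advisory text, not that the host is confirmed exploitable.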

Source: opennet.ru
