Format: 1.8
Date: Mon, 20 Apr 2026 17:52:06 +0000
Source: nginx
Architecture: source
Version: 1.26.3-3+deb13u4
Distribution: trixie
Urgency: medium
Maintainer: Debian Nginx Maintainers
Changed-By: Jan Mojžíš
Changes:
 nginx (1.26.3-3+deb13u4) trixie; urgency=medium
 .
   * d/conf/*_params: use "$host" instead of "$http_host"
     * "$http_host" forwards the Host header exactly as supplied by the client
       and may not match the effective request target (e.g. absolute-form
       requests with a conflicting Host header); this can expose inconsistent
       or attacker-controlled host values to backend applications (uwsgi,
       fastcgi, scgi, proxy)
     * switch to "$host" as a safer, normalized alternative
     * note: this changes behaviour, as "$host" does not preserve the
       client-supplied port; deployments relying on "$http_host" including a
       port number may be affected
     * it is a workaround for Debian bug #1126960 for stable/oldstable release
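
The difference the changelog describes, as an added example (not part of the upload or of the nginx package): a simplified Python model of how nginx derives `$http_host` and `$host`, following the precedence given in the nginx documentation. The function names, host names and sample requests are constructed for illustration; details such as trailing-dot handling are not modelled.

```python
from urllib.parse import urlsplit

def strip_port(hostport):
    """Lower-case a host[:port] value and drop the port; IPv6 literals keep brackets."""
    hostport = hostport.strip().lower()
    if hostport.startswith("["):                      # IPv6 literal such as [::1]:8080
        end = hostport.find("]")
        return hostport[: end + 1] if end != -1 else ""
    return hostport.split(":", 1)[0]

def nginx_vars(request_target, host_header, server_name):
    """Model both variables for one request.

    $http_host: the Host header exactly as the client sent it.
    $host:      host from the request line, else from the Host header,
                else the matching server name; lower-cased, without port.
    """
    target_host = ""
    if request_target.lower().startswith(("http://", "https://")):  # absolute-form
        netloc = urlsplit(request_target).netloc.rpartition("@")[2]
        target_host = strip_port(netloc)
    host = target_host or strip_port(host_header) or server_name
    return {"http_host": host_header, "host": host}

def classify(request_target, host_header, server_name):
    """How the value seen by the backend changes when a *_params file moves to $host."""
    v = nginx_vars(request_target, host_header, server_name)
    if v["http_host"] == v["host"]:
        return "unchanged"
    if strip_port(v["http_host"]) == v["host"]:
        return "normalized-only"                      # only port and/or case removed
    return "host-differs"                             # header disagreed with $host

# Constructed sample requests: (request target, Host header, matching server_name)
SAMPLES = [
    ("/login", "shop.example.com", "shop.example.com"),
    ("/login", "shop.example.com:8443", "shop.example.com"),
    ("http://shop.example.com/login", "other.example.net", "shop.example.com"),
    ("/login", "", "shop.example.com"),
]

if __name__ == "__main__":
    for target, header, name in SAMPLES:
        v = nginx_vars(target, header, name)
        print(f"{classify(target, header, name):16} "
              f"$http_host={v['http_host']!r:26} $host={v['host']!r}")
```

The "normalized-only" rows are the deployments the changelog's behaviour note refers to: a backend that built URLs from a Host value carrying a port will no longer receive that port.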