/ Register

Welcome to Centmin Mod Community
Become a Member

Security Nginx 1.29.7 Security Bug Fix Release (6 CVEs)

Discussion in 'Centmin Mod News' started by eva2000, Mar 26, 2026.

Tags:
Thread Status:
Not open for further replies.
Previous Thread Next Thread
Loading...
  1. Mar 26, 2026 #1
    eva2000

    eva2000 Administrator Staff Member

    58,893
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    12:07 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    Nginx 1.29.7 mainline and 1.28.3 stable releases are out with 6 security bug fixes. Centmin Mod 132.00stable, 140.00beta01, and 141.00beta01 have been updated to default to Nginx 1.29.7 for fresh installs.

    However, existing Centmin Mod users if they are running older versions like 124.00stable or 130.00beta01, will need to update to latest Centmin Mod 132.00stable, 140.00beta01, or 141.00beta01 releases as outlined at https://community.centminmod.com/th...ase-with-almalinux-rocky-linux-support.25572/. Then run centmin.sh menu option 4, to update to Nginx 1.29.7 or 1.28.3.

    For existing Centmin Mod 132.00stable, 140.00beta01, and 141.00beta01 users, just running cmupdate command will get you latest updated code. Then run centmin.sh menu option 4, to update to Nginx 1.29.7 or 1.28.3.

    Code (Text):
    --------------------------------------------------------
     Centmin Mod Menu 141.00beta01 centminmod.com
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  MySQL User Database Management
7).  Persistent Config File Management
8).  PostgreSQL Server Management
9).  Option Being Revised (TBA)
10). Memcached Server Re-install
11). MariaDB MySQL Upgrade & Management
12). Zend OpCache Install/Re-install
13). Install/Reinstall Redis PHP Extension
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Install/Re-Install
21). Data Transfer
22). Add Wordpress Nginx vhost + Cache Plugin
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 4
--------------------------------------------------------

    Code (Text):
    Nginx Upgrade - Would you like to continue? [y/n] y
Current Nginx Version: 1.29.6

Install which version of Nginx? (version i.e. type 1.29.6): 1.29.7

Do you still want to continue? [y/n] y

    Code (Text):
    Changes with nginx 1.29.7                                        24 Mar 2026

    *) Security: a buffer overflow might occur while handling COPY or
       MOVE requests in a location with "alias" directive in the
       ngx_http_dav_module module, which could result in a worker process
       crash or might have a potential other impact (CVE-2026-27654).
       Thanks to Calif.io in collaboration with Claude and Anthropic
       Research.

    *) Security: processing a specially crafted mp4 file by the
       ngx_http_mp4_module on 32-bit platforms might cause worker process
       crash and might have a potential other impact (CVE-2026-27784).
       Thanks to Prabhav Srinath (sprabhav7).

    *) Security: processing a specially crafted mp4 file by the
       ngx_http_mp4_module might cause worker process crash and might
       have a potential other impact (CVE-2026-32647).
       Thanks to Xint Code and Pavel Kohout (Aisle Research).

    *) Security: a segmentation fault might occur in a worker process if
       CRAM-MD5 or APOP authentication methods were used with
       authentication retry enabled (CVE-2026-27651).
       Thanks to Arkadi Vainbrand.

    *) Security: an attacker might use PTR DNS records to inject data in
       auth_http requests or in XCLIENT command in backend SMTP
       connections (CVE-2026-28753).
       Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu
       (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu
       (Lanzhou University).

    *) Security: SSL handshake might succeed despite OCSP rejecting a
       client certificate in the stream module (CVE-2026-28755).
       Thanks to Mufeed VH of Winfunc Research.

    *) Feature: the "multipath" parameter of the "listen" directive.

    *) Feature: the "local" parameter of the "keepalive" directive in
       the "upstream" block.

    *) Change: the "keepalive" directive in the "upstream" block is now
       enabled by default.

    *) Change: ngx_http_proxy_module now supports keepalive by default;
       the default value of the "proxy_http_version" directive is "1.1";
       the "Connection" proxy header is not sent by default anymore.

    *) Bugfix: an invalid HTTP/2 request might be sent after switching
       to the next upstream if buffered body was used in the
       ngx_http_grpc_module.

     
  2. Mar 26, 2026 #2
    eva2000

    eva2000 Administrator Staff Member

    58,893
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    12:07 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+

    Nginx 1.29.7 Security Bugs Explained



    This release addresses 6 security vulnerabilities, 5 of which are rated medium severity and 1 rated low severity. If you run Centmin Mod Nginx behind Cloudflare CDN Orange cloud-enabled proxy, you are likely already protected from some of these security bugs. However, it is advisable to upgrade Nginx regardless.

    CVE-2026-27654 - Buffer Overflow in DAV Module (Medium Severity)
    • Vulnerability: A heap-based buffer overflow in the ngx_http_dav_module module could occur while handling COPY or MOVE requests in a location configured with the alias directive. This could allow an attacker to modify the source or destination path outside of the document root.
    • Affected Versions: 0.5.13 - 1.29.6
    • Impact: Worker process crash or potential path manipulation outside the document root. The integrity impact is constrained because the NGINX worker process user has low privileges.
    • Who Is Affected: Only users who have enabled the ngx_http_dav_module with COPY/MOVE methods in a location using alias. This module is not enabled by default in Centmin Mod Nginx builds.
    • F5 Advisory: myF5
    CVE-2026-27784 - MP4 Module Buffer Overflow on 32-bit (Medium Severity)
    • Vulnerability: An integer overflow in the ngx_http_mp4_module on 32-bit platforms could be exploited using a specially crafted MP4 file, leading to buffer over-read or over-write of NGINX worker memory.
    • Affected Versions: 1.1.19 - 1.29.6
    • Impact: Worker process crash or potential code execution on 32-bit platforms.
    • Who Is Affected: Only users running 32-bit NGINX with the ngx_http_mp4_module enabled and the mp4 directive in use. Most Centmin Mod deployments run on 64-bit systems and are not affected by this specific CVE.
    • F5 Advisory: myF5
    CVE-2026-32647 - MP4 Module Buffer Overflow (Medium Severity)
    • Vulnerability: An out-of-bounds read/write in the ngx_http_mp4_module could be triggered using a specially crafted MP4 file, affecting both 32-bit and 64-bit platforms.
    • Affected Versions: 1.1.19 - 1.29.6
    • Impact: Worker process crash or potential code execution.
    • Who Is Affected: Users who have the ngx_http_mp4_module enabled with the mp4 directive in their configuration. If you serve MP4 files with progressive download/pseudo-streaming via the mp4 directive, you should upgrade promptly.
    • F5 Advisory: myF5
    CVE-2026-27651 - NULL Pointer Dereference in Mail Auth (Low Severity)
    • Vulnerability: A NULL pointer dereference (segmentation fault) could occur in a worker process when CRAM-MD5 or APOP authentication methods are used with authentication retry enabled in the ngx_mail_auth_http_module.
    • Affected Versions: 0.5.15 - 1.29.6
    • Impact: Worker process termination (denial of service).
    • Who Is Affected: Only users who have Nginx mail proxy enabled with CRAM-MD5 or APOP authentication and retry enabled. This is not a common Centmin Mod configuration.
    • F5 Advisory: myF5
    CVE-2026-28753 - PTR DNS Record Data Injection (Medium Severity)
    • Vulnerability: An attacker could use PTR DNS records to inject data into auth_http requests or into the XCLIENT command in backend SMTP connections. This is a CRLF injection vulnerability.
    • Affected Versions: 0.6.27 - 1.29.6
    • Impact: Data injection in authentication requests and SMTP backend connections. An attacker with control over reverse DNS records could potentially manipulate mail proxy authentication.
    • Who Is Affected: Users who use Nginx as a mail proxy with auth_http or SMTP proxying. This does not affect standard HTTP/HTTPS configurations.
    • F5 Advisory: myF5
    CVE-2026-28755 - OCSP Client Certificate Bypass in Stream (Medium Severity)
    • Vulnerability: An SSL handshake could succeed in the stream module despite OCSP rejecting a client certificate. This means a revoked client certificate might not be properly denied.
    • Affected Versions: 1.27.2 - 1.29.6
    • Impact: A client with a revoked certificate could bypass OCSP-based certificate verification in stream module connections.
    • Who Is Affected: Users who use the stream module with OCSP stapling for client certificate verification. Standard HTTP virtual host configurations using ssl_stapling are not affected by this specific stream module issue.
    • F5 Advisory: myF5
     
Previous Thread Next Thread
Loading...
Thread Status:
Not open for further replies.

.