Tags: dvershinin/gixy

v0.2.49

This commit was created on GitHub.com and signed with GitHub’s verified signature.
release: v0.2.49 — add CVE-2026-42530, -42055, -48142 (#116)

nginx 1.30.3 stable and 1.31.2 mainline shipped on 2026-06-17 with
fixes for three CVEs. Added entries to `_nginx_cves_db.CVES` with
appropriate config-gating:

- CVE-2026-42530 (HIGH) — use-after-free in `ngx_http_v3_module`;
  mainline 1.31.0–1.31.1 only; gated on `check_http3_enabled`.
- CVE-2026-42055 (MEDIUM) — buffer overflow in proxy_v2 / grpc;
  vulnerable 1.13.10–1.31.1; gated on the new
  `check_grpc_or_http2_upstream` (matches `grpc_pass` and
  `proxy_http_version 2.0`).
- CVE-2026-48142 (LOW) — buffer overread in `ngx_http_charset_module`;
  vulnerable 0.3.50–1.31.1; gated on existing `check_charset`.

Per-CVE positive + must-NOT-fire unit tests in
`tests/plugins/test_nginx_cves.py` lock in the false-positive
guarantee: 1.30.3 and 1.31.2 with every trigger present must not
surface any of these three IDs. Full suite (816 tests) green.

Claude-Session: https://claude.ai/code/session_01CEy7KLvgRt2bfjW4ZdD1Ud

v0.2.48

release: v0.2.48

v0.2.47

release: v0.2.47

Add CVE-2026-9256 to the nginx CVE database — heap memory buffer overflow
in ngx_http_rewrite_module triggered by a configuration with overlapping
captures, fixed upstream on 22 May 2026 in nginx 1.31.1 (mainline) and
1.30.2 (stable). The check fires purely on --nginx-version match, matching
the precedent set by other binary-only CVEs.

Side-fix: the simply-test harness now honours the plugin-level skip_test
flag for the test runs themselves (not just the "must have fixtures"
assertion), so plugins like nginx_cves whose binary-only CVEs naturally
emit multiple issues per fixture can keep example configs around without
breaking the "exactly one issue" simply-test contract.

v0.2.46

release: v0.2.46

v0.2.45

release: v0.2.45

v0.2.44

release: v0.2.44

v0.2.43

release: v0.2.43

v0.2.42

test(integration): regression fixture for inline return with map vars (#105)

Pins the fix for issue #105: gixy's parser must resolve variables inside
multiline `return` directive bodies, including variables defined by a
`map` block (e.g. `$canonical_host` referenced from a `security.txt`
return body). Auto-discovered by tests/integration/test_real_configs.py
and asserted to produce zero warnings.

v0.2.41

release: v0.2.41

New check: regex_exact_match — detects regex locations like
`location ~ ^/path$` that can be replaced with exact-match
`location = /path` for better performance.

v0.2.40

release: v0.2.40

Suppress ssl_prefer_server_ciphers warning when PrioritizeChaCha is present.
OpenSSL's SSL_OP_PRIORITIZE_CHACHA already addresses the concern about
clients without AES-NI. Closes #107.