CVS commit: pkgsrc/www/nginx

["Jonathan Perkin" <jperkin%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   jperkin
Date:           Tue May 19 17:43:06 UTC 2026

Modified Files:
        pkgsrc/www/nginx: Makefile distinfo

Log Message:
nginx: Update to 1.30.1.

Changes with nginx 1.30.1                                        13 May 2026

    *) Security: when using the "proxy_set_body" directive, an attacker
       might inject data in the proxied request to an HTTP/2 backend
       (CVE-2026-42926).
       Thanks to Mufeed VH of Winfunc Research.

    *) Security: a heap memory buffer overflow might occur in a worker
       process while handling a specially crafted request by
       ngx_http_rewrite_module, potentially resulting in arbitrary code
       execution (CVE-2026-42945).
       Thanks to Leo Lin.

    *) Security: a heap memory buffer overread might occur in a worker
       process while handling a specially crafted response by
       ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker
       to cause a disclosure of worker process memory or segmentation fault
       in a worker process (CVE-2026-42946).
       Thanks to Leo Lin.

    *) Security: a heap memory buffer overread might occur in a worker
       process while handling a specially sent response with decoding from
       UTF-8 via the "charset_map" directive, allowing an attacker to cause
       a limited disclosure of worker proccess memory or segmentation fault
       in a worker process (CVE-2026-42934).
       Thanks to David Carlier.

    *) Security: when using HTTP/3, processing of connection migration might
       cause new QUIC streams to receive a new client address before
       validation, allowing an attacker to cause address spoofing
       (CVE-2026-40460).
       Thanks to Rodrigo Laneth.

    *) Security: use-after-free might occur during DNS server response
       processing if the "ssl_ocsp" directive was used, allowing an attacker
       to cause worker process memory corruption or segmentation fault in a
       worker process (CVE-2026-40701).
       Thanks to Leo Lin.

    *) Bugfix: connections with HTTP/2 backends might not be cached when
       using the "proxy_set_body" or "proxy_pass_request_body" directives.

    *) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be
       transferred incorrectly if the first line was not fully read.


To generate a diff of this commit:
cvs rdiff -u -r1.190 -r1.191 pkgsrc/www/nginx/Makefile
cvs rdiff -u -r1.140 -r1.141 pkgsrc/www/nginx/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/nginx/Makefile
diff -u pkgsrc/www/nginx/Makefile:1.190 pkgsrc/www/nginx/Makefile:1.191
--- pkgsrc/www/nginx/Makefile:1.190     Mon Apr 20 09:52:56 2026
+++ pkgsrc/www/nginx/Makefile   Tue May 19 17:43:06 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.190 2026/04/20 09:52:56 wiz Exp $
+# $NetBSD: Makefile,v 1.191 2026/05/19 17:43:06 jperkin Exp $
 
-DISTNAME=      nginx-1.30.0
+DISTNAME=      nginx-1.30.1
 CATEGORIES=    www
 MASTER_SITES=  https://nginx.org/download/
 DISTFILES=     ${DEFAULT_DISTFILES}

Index: pkgsrc/www/nginx/distinfo
diff -u pkgsrc/www/nginx/distinfo:1.140 pkgsrc/www/nginx/distinfo:1.141
--- pkgsrc/www/nginx/distinfo:1.140     Mon Apr 20 09:52:56 2026
+++ pkgsrc/www/nginx/distinfo   Tue May 19 17:43:06 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.140 2026/04/20 09:52:56 wiz Exp $
+$NetBSD: distinfo,v 1.141 2026/05/19 17:43:06 jperkin Exp $
 
 BLAKE2s (array-var-nginx-module-0.06.tar.gz) = fa6ad2a2ce3c3eba3f69287b224e9c01fcaca29a083394ab74f2f655d3e2138b
 SHA512 (array-var-nginx-module-0.06.tar.gz) = bc72158856a1be18a26ee04c6b5b0f0a20bcce688610a493bf31e2a133e7eb12e11f7c18197a09a72b1513f6a08348ee5281b9d5b84cf43603539040ebd23c26
@@ -27,9 +27,9 @@ Size (naxsi-1.7-src-with-deps.tar.gz) = 
 BLAKE2s (nchan-1.3.7.tar.gz) = 27da0a52c9123186a321a01b02cb004eed0623110aafa6737dd43ceeff766010
 SHA512 (nchan-1.3.7.tar.gz) = 585c6f9107b84354e7f6c587f85cf554dd5c213b1e3baa75e0aee0b28520afb9cffff1812c32e81541a1f25773fc58d1b92ce6bd9d85accc12f37841633eb79b
 Size (nchan-1.3.7.tar.gz) = 665133 bytes
-BLAKE2s (nginx-1.30.0.tar.gz) = 681479e840b500b4562aa925d688fd49b382d7c87a185b2c44eab7491227379b
-SHA512 (nginx-1.30.0.tar.gz) = 9df502279583ea305e2d7a4cbe67c54cbcdb880f1caf010d582eea8839bda3bc6dd5e244bb79e848a70ad0c9fda9927cb8d9d8c5fc1bc49acc2da9e734543d7c
-Size (nginx-1.30.0.tar.gz) = 1324188 bytes
+BLAKE2s (nginx-1.30.1.tar.gz) = bfbd92abc693621e9378f612c8109a3e7b3769f9a5e63c2271ed37e811528877
+SHA512 (nginx-1.30.1.tar.gz) = a081ed49692948ea61bada05a9bade88f9899f843c8d5a72c0d5362e812c14e1ea12de729bcdfe93016323fb014681ddfa472f3352b5e83455991be715293211
+Size (nginx-1.30.1.tar.gz) = 1325173 bytes
 BLAKE2s (nginx-dav-ext-module-3.0.0.tar.gz) = 8e823ffd605d4fca00eb3ca92a0954ca35fb178397e0b990fea7d47580ee582f
 SHA512 (nginx-dav-ext-module-3.0.0.tar.gz) = d0193ba90f1ef46c4e470630c4394bdf99d94fd2e3bd8be6cb2ba1655ec59944b1269025f032b79dc2c6dad366e54389ef6a6da2ddeb91d535a4027f2162fbde
 Size (nginx-dav-ext-module-3.0.0.tar.gz) = 14558 bytes