Format: 1.8
Date: Wed, 22 Apr 2026 20:15:43 +0000
Source: nginx
Architecture: source
Version: 1.22.1-9+deb12u6
Distribution: bookworm
Urgency: medium
Maintainer: Debian Nginx Maintainers
Changed-By: Jan Mojžíš
Changes:
 nginx (1.22.1-9+deb12u6) bookworm; urgency=medium
 .
   * d/conf/*_params: use "$host" instead of "$http_host"
   * "$http_host" forwards the Host header exactly as supplied by the
     client and may not match the effective request target (e.g.
     absolute-form requests with a conflicting Host header); this can
     expose inconsistent or attacker-controlled host values to backend
     applications (uwsgi, fastcgi, scgi, proxy)
   * switch to "$host" as a safer, normalized alternative
   * note: this changes behaviour, as "$host" does not preserve the
     client-supplied port; deployments relying on "$http_host" including
     a port number may be affected
   * it is a workaround for Debian bug #1126960 for stable/oldstable release
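The difference between the two variables described in the changelog entry above, as an added Python example (not code from nginx or from the Debian package): a simplified model of nginx's documented precedence for `$host` (request-line host, then Host header, then server name; lowercased, port dropped) next to `$http_host` (the raw Host header). The function names, host names and sample requests are constructed for illustration.

```python
"""Simplified model (not nginx source) of $http_host versus $host."""
from urllib.parse import urlsplit


def strip_port(authority: str) -> str:
    """Drop a trailing :port, keeping a bracketed IPv6 literal intact."""
    if authority.startswith("[") and "]" in authority:
        return authority[: authority.index("]") + 1]
    return authority.split(":", 1)[0]


def host_vars(raw_request: str, server_name: str) -> dict:
    """Return what a backend would receive through each variable."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)

    # $http_host: the Host header exactly as the client sent it.
    http_host = ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            http_host = value.strip()
            break

    # $host: request-line host first, then Host header, then server name;
    # the result is lowercased and carries no port.
    target_host = ""
    if target.lower().startswith(("http://", "https://")):
        target_host = urlsplit(target).netloc
    chosen = target_host or http_host or server_name
    return {"http_host": http_host, "host": strip_port(chosen).lower()}


# Constructed sample requests (not captured traffic).
CONFLICTING = (
    "GET http://app.example.test/account HTTP/1.1\r\n"
    "Host: other.example.test\r\n\r\n"
)
WITH_PORT = "GET /account HTTP/1.1\r\nHost: App.Example.Test:8443\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("conflicting", CONFLICTING), ("with port", WITH_PORT)):
        print(label, host_vars(req, "app.example.test"))
```

In the first request the backend sees `other.example.test` through `$http_host` but `app.example.test` through `$host`; in the second, `$host` loses the `:8443` that `$http_host` carried, which is the behaviour change the changelog warns about.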