panzi 6 hours ago

Does Debian 12 have this patched? But I guess I'm not affected if I don't use `rewrite` or `set` anywhere?

aftbit 4 hours ago | parent | next [-]

https://security-tracker.debian.org/tracker/CVE-2026-42945

wiredfool 4 hours ago | parent | prev | next [-]

Ubuntu has patched as of this morning. Debian doesn't look like they've patched trixie yet.

rslashuser 4 hours ago | parent [-]

Just as a PSA, I found that "nginx -v" was not detailed enough about the version to check, but "apt list nginx" gave the full version number that was checkable, and indeed the 24.04 version of this morning (1.24.0-2ubuntu7.8) is patched.

lpcvoid 5 hours ago | parent | prev | next [-]

[dead]

iririririr 5 hours ago | parent | prev [-]

I find it very unlikely that anyone using nginx does NOT use `set` at least.

Most nginx use cases are to end tls and then pass the request to node/php/go/etc. So, I bet you have at least one set with attacker controlled data on a line like 'proxy_set_header X-Host $host;'

edit: nvm. apparently named captures are not affected. Unless you have a $1 somewhere, it should be fine.

babuskov 4 hours ago | parent [-]

The default NGINX PHP integration uses this:

    # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
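
An added example, not part of the thread: a heuristic shell check for the pattern discussed above, `set` or `rewrite` directives that reference a numbered capture such as `$1`. The function names and the sample config are constructed here, and treating numbered captures as the relevant pattern is the commenters' reading, not something this script verifies.

```shell
#!/bin/sh
# Constructed sample config for demonstration (not taken from any real host).
sample_conf() {
cat <<'EOF'
server {
    listen 443 ssl;
    location ~ ^/user/(\d+)$ {
        set $uid $1;
        proxy_set_header X-Host $host;
        proxy_pass http://127.0.0.1:3000;
    }
    location ~ ^/post/(?<slug>[a-z-]+)$ {
        set $post $slug;
    }
    # set $old $1;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
    }
}
EOF
}

# Reads nginx config text on stdin and prints "lineno:line" for every
# `set` or `rewrite` directive that references a numbered capture ($1..$9).
# Heuristic: comments are stripped with a plain "#..." match, so a literal
# "#" inside a quoted string or regex would truncate that line.
# Exit status is grep's: 0 if at least one directive was found, 1 if none.
find_numbered_captures() {
    sed -E 's/#.*$//' |
        grep -nE '(^|[;{}])[[:space:]]*(set|rewrite)[[:space:]].*\$[1-9]'
}

# Demonstration on the constructed sample: reports lines 4 and 12 only.
# proxy_set_header, the named-capture `set`, the commented-out line and
# the `set $path_info $fastcgi_path_info;` line are not reported.
sample_conf | find_numbered_captures
```

On a real host, feed it the effective configuration with `nginx -T 2>/dev/null | find_numbered_captures`; line numbers then refer to the dumped output rather than to individual files.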