Package: nginx
Version: 1.26.3-3+deb13u5
Severity: important
Tags: upstream

Dear Maintainer,

I just found out about this CVE here:
https://discourse.ifin.network/t/cve-2026-49975-http-2-bomb-remote-dos-against-most-major-web-servers/536
which applies to nginx as packaged by Debian Trixie and before (as soon as HTTP/2 is supported on Nginx).

Nginx added a max_headers directive to prevent the exploitation of this security issue here:
https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2

I tested the POC (./hpack_bomb.py --host 127.0.0.1 --port 443 --connections 15) on a stock trixie nginx and it used 3.2G of memory immediately.

I guess adding max_headers + changing the nginx default conf to put a sensible value there would be a good idea.

Thanks for your attention,
Benjamin

-- System Information:
Debian Release: 13.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-30-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nginx depends on:
ii  iproute2      6.15.0-1
ii  libc6         2.41-12+deb13u3
ii  libcrypt1     1:4.4.38-1
ii  libpcre2-8-0  10.46-1~deb13u1
ii  libssl3t64    3.5.6-1~deb13u1
ii  nginx-common  1.26.3-3+deb13u5
ii  zlib1g        1:1.3.dfsg+really1.3.1-1+b1

nginx recommends no packages.

nginx suggests no packages.

-- no debconf information
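As an added illustration, not part of the report and not nginx's own shipped configuration, here is an HTTP/2 server block as the report tested it next to the same block with the max_headers directive from the linked commit; the server context for the directive, the value 100, and the server_name and certificate paths are assumptions.

```nginx
# Added example, not from the bug report or the nginx project.
# Before: HTTP/2 enabled with no cap on request header fields,
# the state of a stock package without the upstream change.
server {
    listen 443 ssl;
    http2 on;
    server_name example.invalid;                        # placeholder
    ssl_certificate     /etc/nginx/certs/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.key;   # placeholder path
}

# After: same server, with the max_headers directive from the linked
# commit. Its context (server) and the value 100 are assumptions; choose
# a value comfortably above what legitimate clients send.
server {
    listen 443 ssl;
    http2 on;
    server_name example.invalid;                        # placeholder
    ssl_certificate     /etc/nginx/certs/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.key;   # placeholder path
    max_headers 100;
}
```

Running `nginx -t` against the second block is a quick way to tell whether a given build carries the directive: a binary without the upstream commit rejects the configuration with an unknown directive error instead of silently ignoring it.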

