For what it’s worth, this is how Debian did it without changing the ABI:

  * backport max_headers directive from upstream nginx. It limits the number
    of request headers accepted from clients. Fixes remote denial-of-service
    exploit.
    And move max_headers from core module to the ngx_http_header_count_module
    to avoid potential ABI breakage and keep all the 3rd party modules
    compatible with the new version of nginx without recompilation.
    A big thanks to Miao Wang for preparing the modification.
    Fixes TEMP-1138794-BADE22.

Patch: https://sources.debian.org/patches/nginx/1.26.3-3+deb13u6/FIX-HTTP2bomb.patch/

I tested this yesterday and indeed, Debian’s patch works without
breaking the ABI.


> On Jun 9, 2026, at 23:41, Jeroen Bobbeldijk <[email protected]> wrote:
> 
> @Marc, alright, thanks for the rollback! 
> I do also think that moving this new field to the end of the struct would fix 
> the segfaults, without rebuilding the other packages.
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2155992
> 
> Title:
>  headers-more dynamic module  crash | Signal 11 and 6 Crashes due to
>  ABI breakage on 1.24.0-2ubuntu7.10 and 1.28.3-2ubuntu1.3
> 
> Status in nginx package in Ubuntu:
>  Invalid
> Status in nginx source package in Jammy:
>  Fix Released
> Status in nginx source package in Noble:
>  Fix Released
> Status in nginx source package in Questing:
>  Fix Released
> Status in nginx source package in Resolute:
>  Fix Released
> Status in nginx source package in Stonking:
>  Invalid
> 
> Bug description:
>  Environment:
>    - OS: Ubuntu 24.04 LTS (noble), arm64
>    - nginx package: nginx 1.24.0-2ubuntu7.10
>    - nginx flavor: nginx-extras 1.24.0-2ubuntu7.10
>    - headers-more package: libnginx-mod-http-headers-more-filter 1:0.37-2build1
>    - Architecture: arm64
>    - TLS/HTTP: HTTPS with HTTP/2 enabled
> 
>    Summary:
>    When the headers-more dynamic module is enabled and `more_set_headers "Server: TJ Server";` is configured, nginx workers crash repeatedly while serving HTTP/2 requests.
>    Clients see intermittent `ERR_CONNECTION_RESET`, `ERR_EMPTY_RESPONSE`, WebSocket close code `1006`, and curl may report an invalid HTTP/2 header field.
> 
>    The issue disappears when the headers-more module/directive is
>  disabled while keeping HTTP/2 enabled. Normal nginx `add_header`
>  security headers continue to work correctly.
> 
>    Relevant configuration:
>    ```nginx
>    include /etc/nginx/modules-enabled/*.conf;
>    http {
>        server_tokens off;
>        more_set_headers "Server: TJ Server";
> 
>        server {
>            server_name mystock.emoco.kr;
> 
>            listen 443 ssl http2;
>            ssl_certificate /etc/letsencrypt/live/mystock.emoco.kr/fullchain.pem;
>            ssl_certificate_key /etc/letsencrypt/live/mystock.emoco.kr/privkey.pem;
> 
>            add_header X-Content-Type-Options "nosniff" always;
>            add_header X-Frame-Options "SAMEORIGIN" always;
>            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
>            add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
>            add_header Strict-Transport-Security "max-age=31536000" always;
> 
>            location / {
>                proxy_pass http://localhost:3000;
>                proxy_http_version 1.1;
>                proxy_set_header Host $host;
>                proxy_set_header X-Forwarded-Proto $scheme;
>            }
> 
>            location /api {
>                proxy_pass http://localhost:8000;
>                proxy_http_version 1.1;
>                proxy_set_header Upgrade $http_upgrade;
>                proxy_set_header Connection "upgrade";
>                proxy_set_header Host $host;
>                proxy_read_timeout 86400s;
>                proxy_send_timeout 86400s;
>            }
>        }
>    }
>    ```
> 
>    Actual behavior:
>    After enabling more_set_headers "Server: TJ Server"; with HTTP/2, nginx workers crash repeatedly.
> 
>    systemd journal examples:
> 
>    nginx[1697786]: double free or corruption (!prev)
>    nginx[1697785]: worker process 1697786 exited on signal 6 (core dumped)
>    nginx[1697785]: worker process 1697788 exited on signal 11 (core dumped)
> 
>    curl example:
> 
>    curl: (92) Invalid HTTP header field was received: frame type: 1, stream: 1, name: [], value: [...]
> 
>    Browser symptoms:
> 
>    GET /icon.svg net::ERR_CONNECTION_RESET
>    GET /api/... net::ERR_EMPTY_RESPONSE
>  WebSocket closed: 1006
> 
>    Expected behavior:
>    nginx should not crash. more_set_headers should either set the Server header safely for HTTP/2 responses or reject/ignore unsupported header manipulation without corrupting HTTP/2 response headers or causing worker process crashes.
> 
>    Reproduction observations:
> 
>    - HTTP/2 enabled + headers-more disabled: stable
>    - HTTP/2 enabled + normal add_header security headers: stable
>    - HTTP/2 enabled + server_tokens off: stable
>    - HTTP/2 enabled + more_set_headers "Server: TJ Server";: worker crashes and invalid HTTP/2 headers
>    - Disabling only headers-more while keeping HTTP/2 enabled stops the crashes
> 
>    Package versions:
> 
>    nginx version: nginx/1.24.0 (Ubuntu)
> 
>    nginx                                  1.24.0-2ubuntu7.10
>    nginx-common                           1.24.0-2ubuntu7.10
>    nginx-extras                           1.24.0-2ubuntu7.10
>    libnginx-mod-http-headers-more-filter  1:0.37-2build1
> 
>    Workaround:
>    Disable the headers-more module/directive and keep only:
> 
>    server_tokens off;
> 
>    This hides the nginx version but leaves Server: nginx.
> 
>
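The struct-layout problem discussed in this thread, as an added C example (not code from nginx, the Ubuntu packages or the Debian patch): a module built against the old layout keeps reading at the old offsets, so a field inserted mid-struct silently redirects its reads, while an appended field does not. All struct and field names are hypothetical, and appending is only safe when the core allocates the struct and modules never depend on its size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout the third-party module was compiled against. */
typedef struct { uint64_t flags, client_timeout, pool_size; } conf_old_t;
/* Update that inserts the new limit mid-struct: later fields shift by 8. */
typedef struct { uint64_t flags, max_headers, client_timeout, pool_size; } conf_mid_t;
/* Same update with the field appended: every old offset is unchanged. */
typedef struct { uint64_t flags, client_timeout, pool_size, max_headers; } conf_end_t;

/* An un-rebuilt module reads client_timeout at the offset baked in when it
 * was compiled, whatever layout the running core really uses. */
static uint64_t module_read_timeout(const void *conf)
{
    uint64_t v;
    memcpy(&v, (const unsigned char *)conf + offsetof(conf_old_t, client_timeout),
           sizeof v);
    return v;
}

/* A new layout is compatible if every field the old module knows about
 * still sits at the same offset. */
#define SAME(new_t, f) (offsetof(conf_old_t, f) == offsetof(new_t, f))
#define COMPAT(new_t) \
    (SAME(new_t, flags) && SAME(new_t, client_timeout) && SAME(new_t, pool_size))

int mid_is_compatible(void) { return COMPAT(conf_mid_t); }
int end_is_compatible(void) { return COMPAT(conf_end_t); }

/* Constructed sample values: the core fills its own (new) layout, then the
 * old module reads through the stale offset. */
uint64_t stale_read_mid(void)
{
    conf_mid_t c = { .flags = 1, .max_headers = 100, .client_timeout = 60, .pool_size = 4096 };
    return module_read_timeout(&c); /* lands on max_headers, not client_timeout */
}

uint64_t stale_read_end(void)
{
    conf_end_t c = { .flags = 1, .client_timeout = 60, .pool_size = 4096, .max_headers = 100 };
    return module_read_timeout(&c); /* still lands on client_timeout */
}

int main(void)
{
    printf("mid-struct insert: compatible=%d, module sees timeout=%llu\n",
           mid_is_compatible(), (unsigned long long)stale_read_mid());
    printf("appended field:    compatible=%d, module sees timeout=%llu\n",
           end_is_compatible(), (unsigned long long)stale_read_end());
    return 0;
}
```

When the shifted field is a pointer or a length rather than a plain integer, the same stale read hands the module a bogus address or size.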
