Does Debian 12 have this patched? But I guess I'm not affected if I don't use `rewrite` or...

panzi • yesterday at 5:48 PM • 4 replies • view on HN

Does Debian 12 have this patched? But I guess I'm not affected if I don't use `rewrite` or `set` anywhere?

Replies

aftbit • yesterday at 7:59 PM

https://security-tracker.debian.org/tracker/CVE-2026-42945

wiredfool • yesterday at 7:42 PM

Ubuntu has patched as of this morning. Debian doesn't look like they've patched trixie yet.

➕ show 1 reply

lpcvoid • yesterday at 6:21 PM

[dead]

iririririr • yesterday at 6:33 PM

I find it very unlikely that anyone using nginx does NOT use `set` at least.

Most nginx use cases are to end tls and then pass the request to node/php/go/etc. So, I bet you have at least one set with attacker controller data on a line like 'proxy_set_header X-Host $host;'

edit: nvm. aparently named captures are not affect. Unless you have a $1 somewhere, it should be fine.

➕ show 1 reply

alt Hacker News

Replies