Todo #16049
closed
Added by Kris Phillips 2 months ago.
Updated about 2 months ago.
Plus Target Version:
25.03
Release Notes:
Force Exclusion
Description
Vulnerabilities in nginx have been discovered in CVE-2025-23419. Plus 24.11 and 25.03-BETA run 1.26.2, which is vulnerable. There is a point release available that resolves this.
Will this be through the system update package OR through a firmware upgrade?
Mike Moore wrote in #note-1:
Will this be through the system update package OR through a firmware upgrade?
This will require an OS/package update, as System Patches can only apply patches to PHP code. This will require the nginx package to be updated.
- Status changed from New to Confirmed
25.07-DEV is also running 1.26.2.
I've updated nginx on plus-RELENG_25_03 to 1.26.3.
I've not touched the plus-devel-main (i.e. 25.07-DEV) branch. That'll get the update when we next do an upstream merge.
- Subject changed from Update nginx to 1.26.3 for CVE-2025-23419 to Update nginx to 1.26.3
- Category changed from Operating System to Web Interface
- Status changed from Confirmed to Resolved
- Assignee set to Kristof Provost
- Target version changed from CE-Next to 2.8.0
- % Done changed from 0 to 100
Latest beta build for 25.03 has nginx-1.26.3,3 and appears to be working fine.
- Tracker changed from Bug to Todo
- Release Notes changed from Default to Force Exclusion