1

Topic: About nginx CVE...


F5 K000161019

Separately, I added an ACL for iRedAdmin... is it sufficient?


2

Re: About nginx CVE...

Please either replace those unnamed captures with named captures, or wait for a patched version from Linux vendors.

Ubuntu already provides a patched Nginx in the official apt repository; run "apt update && apt upgrade" to get it fixed.

- Ubuntu 22.04 (jammy): https://changelogs.ubuntu.com/changelog … /changelog
- Ubuntu 24.04 (noble): https://changelogs.ubuntu.com/changelog … /changelog
- Ubuntu 26.04 (resolute): https://changelogs.ubuntu.com/changelog … /changelog

Red Hat hasn't fixed it yet: https://access.redhat.com/security/cve/cve-2026-42945

Update:

- Debian 13 patched: https://metadata.ftp-master.debian.org/ … _changelog
- Debian 12 patched: https://metadata.ftp-master.debian.org/ … _changelog
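
To see which lines of an nginx configuration still use unnamed captures (the thing the reply above suggests replacing with named captures), a small audit script helps. This is an added example, not part of the original post and not iRedMail or nginx tooling; the matching heuristics and the sample configuration are constructed, and the script only lists candidate lines for the change, it does not decide whether a given nginx build is affected.

```python
import re
import sys

REGEX_OPS = {"~", "~*", "!~", "!~*"}               # nginx regex match operators
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")     # "(" that is not "\(" and not "(?..."
POSITIONAL_REF = re.compile(r"\$[1-9]")            # $1..$9, filled from unnamed groups

def regex_tokens(tokens):
    """Yield the whitespace-separated tokens that nginx parses as a regex."""
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        if prev in REGEX_OPS or prev == "rewrite":
            yield tok                               # location ~ RE, if ($v ~ RE), rewrite RE
        elif tok.startswith("~") and tok not in REGEX_OPS:
            yield tok                               # server_name / map style "~^RE"

def audit(conf_text):
    """Return (line_number, kind, text) for each use of an unnamed capture."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()         # heuristic: also cuts at a "#" inside a regex
        if any(UNNAMED_GROUP.search(t) for t in regex_tokens(line.split())):
            findings.append((lineno, "unnamed-group", line))
        if POSITIONAL_REF.search(line):
            findings.append((lineno, "positional-ref", line))
    return findings

# Constructed sample configuration, not taken from iRedMail.
SAMPLE = r"""
server {
    server_name ~^(www\.)?example\.com$;          # unnamed group
    if ($request_method = POST) { return 405; }   # parentheses, but no regex
    location ~ ^/files/(?<name>[^/]+)$ {          # named capture
        try_files /data/$name =404;
    }
    rewrite ^/old/(.*)$ /new/$1 permanent;        # unnamed group and $1
    location ~* \.(?:png|jpg)$ { expires 7d; }    # non-capturing group
}
"""

if __name__ == "__main__":
    # With file arguments, audit those files; otherwise audit the sample.
    texts = {p: open(p).read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, text in texts.items():
        for lineno, kind, line in audit(text):
            print(f"{name}:{lineno}: {kind}: {line}")
```

The script does not follow `include` directives, so pass every configuration file on the command line.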

3

Re: About nginx CVE...

Our only use of the nginx web server is for iRedMail. So we installed it from the Red Hat packages and then your installation scripted all the configuration. Does your config put any of the directives in there that would make the installation vulnerable? Thanks.

4

Re: About nginx CVE...

dwbotsch wrote:

Our only use of the nginx web server is for iRedMail. So we installed it from the Red Hat packages and then your installation scripted all the configuration. Does your config put any of the directives in there that would make the installation vulnerable? Thanks.

Which distribution and release are you running?

5

Re: About nginx CVE...

ZhangHuangbin wrote:
dwbotsch wrote:

Our only use of the nginx web server is for iRedMail. So we installed it from the Red Hat packages and then your installation scripted all the configuration. Does your config put any of the directives in there that would make the installation vulnerable? Thanks.

Which distribution and release are you running?

RHEL8... Waiting on Red Hat to patch. Thanks