Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4589 advisory.
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4589-1 [email protected]
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
May 18, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nginx
Version : 1.18.0-6.1+deb11u6
CVE ID : CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654 CVE-2026-27784 CVE-2026-28753 CVE-2026-32647 CVE-2026-40701 CVE-2026-42934 CVE-2026-42945 CVE-2026-42946
Debian Bug : 1111138 1127053
Multiple vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in bypass of authorisation rules or rate limits, denial of service or memory disclosure.
CVE-2025-53859
NGINX Open Source has a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method none, and (3) the authentication server returns the Auth-Wait response header.
CVE-2026-1642
A vulnerability exists in NGINX OSS when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side, along with conditions beyond the attacker's control, may be able to inject plain text data into the response from an upstream proxied server.
CVE-2026-27651
When the ngx_mail_auth_http_module module is enabled on NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header.
CVE-2026-27654
NGINX Open Source has a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source when the configuration file uses DAV module MOVE or COPY methods, prefix location (non-regular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system.
CVE-2026-27784
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.
CVE-2026-28753
NGINX Open Source has a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation.
CVE-2026-32647
NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.
CVE-2026-40701
NGINX Open Source has a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to on or optional, and the ssl_ocsp directive is set to on or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.
CVE-2026-42934
NGINX Open Source has a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering (off) directives are configured, unauthenticated attackers can send requests that, along with conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.
CVE-2026-42945
NGINX Open Source has a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.
CVE-2026-42946
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.
For Debian 11 bullseye, these problems have been fixed in version 1.18.0-6.1+deb11u6.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/nginx
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
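Because the plugin checks only the package version, the following added example (not part of the Debian advisory or the Tenable plugin) scans nginx configuration text, such as the output of `nginx -T`, for the directive preconditions the advisory names, to help prioritise hosts until the upgrade is applied. It is a flat text heuristic that assumes no `#`, `;`, `{` or `}` inside quoted strings, reads the CVE-2026-42945 condition as a `rewrite` whose replacement contains `?`, immediately followed by `rewrite`, `if` or `set`, with an unnamed capture in either, and skips CVE-2026-1642 and CVE-2026-28753 because the advisory names no directive for them.

```python
import re

# Constructed sample config (not from a real host) used to exercise the check.
SAMPLE = r"""
mail { server { listen 25; protocol smtp; smtp_auth none; } }
http { server {
    location /video/ { mp4; }
    location /old/ { rewrite ^/old/(.*)$ /new?item=$1; set $seen 1; }
    location /app/ { uwsgi_pass 127.0.0.1:3031; }
} }
"""

def directives(conf):
    """Split nginx config text into [name, arg, ...] lists, in file order."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    return [p.split() for p in re.split(r"[;{}]", conf) if p.split()]

def exposure(conf):
    """Return the CVE IDs whose advisory-stated directive conditions appear."""
    d = directives(conf)
    def has(name, *vals):
        # Directive present, optionally with one of `vals` among its arguments.
        return any(x[0] == name and (not vals or set(vals) & {a.lower() for a in x[1:]})
                   for x in d)
    hits = set()
    if has("smtp_auth", "none"):
        hits.add("CVE-2025-53859")
    if any(has(n, "cram-md5", "apop") for n in ("smtp_auth", "imap_auth", "pop3_auth")):
        hits.add("CVE-2026-27651")
    if has("dav_methods", "move", "copy") and has("alias"):
        hits.add("CVE-2026-27654")
    if has("mp4"):
        hits |= {"CVE-2026-27784", "CVE-2026-32647"}  # 27784: 32-bit builds only
    if has("ssl_verify_client", "on", "optional") and has("ssl_ocsp", "on", "leaf"):
        hits.add("CVE-2026-40701")
    if (all(has(n) for n in ("charset", "source_charset", "charset_map", "proxy_pass"))
            and has("proxy_buffering", "off")):
        hits.add("CVE-2026-42934")
    for cur, nxt in zip(d, d[1:]):
        if (cur[0] == "rewrite" and len(cur) > 2 and "?" in cur[2]
                and nxt[0] in ("rewrite", "if", "set")
                and re.search(r"\$\d", " ".join(cur[2:] + nxt[1:]))):
            hits.add("CVE-2026-42945")
    if has("scgi_pass") or has("uwsgi_pass"):
        hits.add("CVE-2026-42946")
    return sorted(hits)
```

A match means only that the directives are present; the advisory's other conditions (module built in, the authentication server returning Auth-Wait, a 32-bit build) still have to be confirmed on the host.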
Solution
Upgrade the libnginx-mod-http-auth-pam packages.
Plugin Details
File Name: debian_DLA-4589.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:libnginx-mod-http-xslt-filter, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libnginx-mod-http-upstream-fair, p-cpe:/a:debian:debian_linux:nginx-light, p-cpe:/a:debian:debian_linux:libnginx-mod-http-auth-pam, p-cpe:/a:debian:debian_linux:libnginx-mod-http-ndk, p-cpe:/a:debian:debian_linux:nginx-doc, p-cpe:/a:debian:debian_linux:nginx-extras, p-cpe:/a:debian:debian_linux:libnginx-mod-http-subs-filter, p-cpe:/a:debian:debian_linux:libnginx-mod-http-uploadprogress, p-cpe:/a:debian:debian_linux:libnginx-mod-http-perl, p-cpe:/a:debian:debian_linux:libnginx-mod-stream-geoip2, p-cpe:/a:debian:debian_linux:libnginx-mod-http-fancyindex, p-cpe:/a:debian:debian_linux:libnginx-mod-http-lua, p-cpe:/a:debian:debian_linux:libnginx-mod-mail, p-cpe:/a:debian:debian_linux:libnginx-mod-stream, p-cpe:/a:debian:debian_linux:nginx-core, p-cpe:/a:debian:debian_linux:nginx-full, p-cpe:/a:debian:debian_linux:libnginx-mod-stream-geoip, p-cpe:/a:debian:debian_linux:libnginx-mod-http-cache-purge, p-cpe:/a:debian:debian_linux:libnginx-mod-http-echo, p-cpe:/a:debian:debian_linux:libnginx-mod-http-headers-more-filter, p-cpe:/a:debian:debian_linux:libnginx-mod-nchan, p-cpe:/a:debian:debian_linux:nginx-common, p-cpe:/a:debian:debian_linux:libnginx-mod-http-image-filter, p-cpe:/a:debian:debian_linux:libnginx-mod-http-geoip, p-cpe:/a:debian:debian_linux:libnginx-mod-http-geoip2, p-cpe:/a:debian:debian_linux:nginx, p-cpe:/a:debian:debian_linux:libnginx-mod-http-dav-ext, p-cpe:/a:debian:debian_linux:libnginx-mod-rtmp
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: Exploits are available
Patch Publication Date: 5/18/2026
Vulnerability Publication Date: 8/13/2025
Reference Information
CVE: CVE-2025-53859, CVE-2026-1642, CVE-2026-27651, CVE-2026-27654, CVE-2026-27784, CVE-2026-28753, CVE-2026-32647, CVE-2026-40701, CVE-2026-42934, CVE-2026-42945, CVE-2026-42946
IAVA: 2025-A-0615, 2026-A-0140, 2026-A-0280