CVE-2025-53859 was announced here: https://www.openwall.com/lists/oss-security/2025/08/13/5
CVE: (none) => CVE-2025-53859Source RPM: (none) => nginx-1.26.3-4.mga10.src.rpm, nginx-1.26.3-1.mga9.src.rpmWhiteboard: (none) => MGA9TOOStatus comment: (none) => Fixed upstream in 1.29.1
No registered maintainer, so assigning to all.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
Package updated to 1.29.1 for cauldron. Patched package pushed for Mageia 9. Advisory: ======================== Patched nginx package fixes security vulnerability: It was discovered that nginx contains a security issue in the ngx_mail_smtp_module which might allow an attacker to cause buffer over-read potentially resulting in sensitive information leak in a HTTP request to the authentication server (CVE-2025-53859). References: https://www.openwall.com/lists/oss-security/2025/08/13/5 https://www.cve.org/CVERecord?id=CVE-2025-53859 ======================== Updated packages in core/updates_testing: ======================== nginx-1.26.3-1.1.mga9 from nginx-1.26.3-1.1.mga9.src.rpm test procedure https://bugs.mageia.org/show_bug.cgi?id=26086#c6
Version: Cauldron => 9CC: (none) => mhrambo3501Whiteboard: MGA9TOO => (none)Assignee: pkg-bugs => qa-bugsKeywords: (none) => has_procedure
Keywords: (none) => advisory
MGA9-64 server Plasma Wayland on Compaq H000SB No installation issues. Ref bug 33509. I get response "Tt works" from http://localhost/ instead of the Welcome. I checked that httpd is not running. Is something missing???
CC: (none) => herman.viaene
Did you check status after starting nginx to see if it actually started? Apache (httpd) is not the only web server in Mageia. lighttpd is another and it uses an index page that says It Works. Is lighttpd installed, running, and answering the query? You'd probably see an error in the nginx log if it couldn't get exclusive access to port 80.
Checked that neither httpd nor lighttpd were running. Checked in MCC the list of server packages installed. Found lighttpd from testing its current update and removed it completely. Checked again. # systemctl status -l httpd ○ httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled) Active: inactive (dead) # systemctl status -l lighttpd Unit lighttpd.service could not be found. # nginx # ps -aux | grep nginx root 6031 0.0 0.0 49260 4568 ? Ss 14:24 0:00 nginx: master process nginx apache 6035 0.0 0.0 49668 6384 ? S 14:24 0:00 nginx: worker process root 9245 0.0 0.0 9488 2552 pts/1 S+ 14:26 0:00 grep --color nginx Still "Tt works" from http://localhost/
I guess I'd recommend starting nginx with systemctl start nginx but aside from that I don't know why you're seeing that. My mga9 won't even successfully start from cli and that manner. The "it works" it is reading is probably /var/www/html/index.html but nginx is supposed to read /usr/share/nginx/html/index.html by default afaik. Both the cauldron and Mageia 9 packages read the correct file in my tests here. That file location appears to be configured in /etc/nginx/conf.d/default.conf. There is a root path and index filename specified in the location section of that config file. Bottom line is that I don't know why you're seeing that behavior. It works ok here. Guess we'll need to wait for others to chime in and see if there is a pattern.
RH i586 LC_ALL=C urpmi nginx To satisfy dependencies, the following packages are going to be installed: Package Version Release Arch (medium "QA Testing (32-bit)") nginx 1.26.3 1.1.mga9 i586 (medium "Core Release (distrib1)") pcre2-tools 10.42 1.mga9 i586 webserver-base 2.0 16.mga9 noarch 1.9MB of additional disk space will be used. 774KB of packages will be retrieved. Proceed with the installation of the 3 packages? (Y/n) y http://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/release/pcre2-tools-10.42-1.mga9.i586.rpm http://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/release/webserver-base-2.0-16.mga9.noarch.rpm installing //home/katnatek/qa-testing/i586/nginx-1.26.3-1.1.mga9.i586.rpm /var/cache/urpmi/rpms/webserver-base-2.0-16.mga9.noarch.rpm /var/cache/urpmi/rpms/pcre2-tools-10.42-1.mga9.i586.rpm Preparing... ####################################################################################### 1/3: webserver-base ####################################################################################### 2/3: pcre2-tools ####################################################################################### 3/3: nginx ####################################################################################### systemctl start nginx.service http://localhost/ , shows This page is used to test the proper operation of the nginx HTTP server after it has been installed. If you can read this page, it means that the web server installed at this site is working properly. Website Administrator This is the default index.html page that is distributed with nginx on Mageia. It is located in /usr/share/nginx/html. You should now put your content in a location of your choice and edit the root configuration directive in the nginx configuration file /etc/nginx/nginx.conf.
Whiteboard: (none) => MGA9-32-0K
Whiteboard: MGA9-32-0K => MGA9-32-OK
MGA9-64 Plasma. Not already installed, so used urpmi for a fresh install of nginx and two dependencies. No installation issues. If there is another web server installed on this, I don't remember installing it. I used Herman's command as root to start nginx, then pointed Firefox 140.4 to http://localhost/ and it showed me the welcome screen that katnatek describes. But this is what I get afterward if I check the status of the service: # systemctl status nginx ○ nginx.service - The nginx HTTP and reverse proxy server Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled) Active: inactive (dead) I don't know if this would be expected behavior, or not. A Wild Guess on why the command doesn't work for Mike: Could it be that the command only works if the service isn't running?
CC: (none) => andrewsfarm
Nope, it is that I issued the nginx command as a normal user which resulted in permissions errors. I didn't notice you used root. If you use sudo or switch to root it starts up ok but does result in the message from systemctl you noted in comment 8. The reason that happens is because if systemctl is not used to start the service, systemctl also cannot track it. Starting nginx by command as root isn't the way it is intended to be started. It should be started with systemctl the same as with apache and lighttpd and most other server services. I did confirm this by launching nginx as root and found that systemctl status nginx displayed exactly what you specified above. But it you launch the nginx service with 'systemctl start nginx', you'll find 'systemctl status nginx' works as it should. The only thing that I can't answer is the wrong index page Herman gets. My only guess is a previous configuration (perhaps?). You, and katnatek, and me all saw the correct page, and Herman is seeing an actual index page on his machine (see comment 6), but I don't know why he isn't see the one nginx normally uses.
OK, removed nginx with MCC, deleted folders mentioned above from /etc and /usr/share. Installed again. # systemctl start nginx # systemctl status -l nginx ● nginx.service - The nginx HTTP and reverse proxy server Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled) Active: active (running) since Wed 2025-10-22 10:11:05 CEST; 5s ago Process: 45034 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS) Process: 45044 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS) Main PID: 45053 (nginx) Tasks: 2 (limit: 8805) Memory: 4.8M CPU: 313ms CGroup: /system.slice/nginx.service ├─45053 "nginx: master process /usr/sbin/nginx" └─45054 "nginx: worker process" Oct 22 10:11:04 mach3.hviaene.thuis systemd[1]: Starting nginx.service... Oct 22 10:11:05 mach3.hviaene.thuis nginx[45034]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok Oct 22 10:11:05 mach3.hviaene.thuis nginx[45034]: nginx: configuration file / Result: It works! May I suggest that your favorable results are due to previous installations and do not represent an installation from a clean slate?
(In reply to Herman Viaene from comment #10) > OK, removed nginx with MCC, deleted folders mentioned above from /etc and > /usr/share. > Installed again. > # systemctl start nginx > # systemctl status -l nginx > ● nginx.service - The nginx HTTP and reverse proxy server > Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; > preset: disabled) > Active: active (running) since Wed 2025-10-22 10:11:05 CEST; 5s ago > Process: 45034 ExecStartPre=/usr/sbin/nginx -t (code=exited, > status=0/SUCCESS) > Process: 45044 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS) > Main PID: 45053 (nginx) > Tasks: 2 (limit: 8805) > Memory: 4.8M > CPU: 313ms > CGroup: /system.slice/nginx.service > ├─45053 "nginx: master process /usr/sbin/nginx" > └─45054 "nginx: worker process" > > Oct 22 10:11:04 mach3.hviaene.thuis systemd[1]: Starting nginx.service... > Oct 22 10:11:05 mach3.hviaene.thuis nginx[45034]: nginx: the configuration > file /etc/nginx/nginx.conf syntax is ok > Oct 22 10:11:05 mach3.hviaene.thuis nginx[45034]: nginx: configuration file / > > Result: It works! > May I suggest that your favorable results are due to previous installations > and do not represent an installation from a clean slate? My installation was a clean one I never install webserver in my laptop I suggest check the index file in the path shown in my previoy test if its content is right Something more is overriden the webserver's root folder
My installation was also clean, with no web server ever installed on that system - that I can recall. It sounds to me, too, like there is still something left behind somewhere by previous activities, but I have no clue what it might be.
I got it!!! All config files were as you explained, but .... For some reason I cann't remember, I had port 8000/tcp open in MCC personal firewall. Deleted that, let MCC configure the firewall again and restarted nginx. Now I get the correct page. Let it go...
Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK
Well done, Herman! Validating.
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
(In reply to Herman Viaene from comment #13) > I got it!!! > All config files were as you explained, but .... > For some reason I cann't remember, I had port 8000/tcp open in MCC personal > firewall. Deleted that, let MCC configure the firewall again and restarted > nginx. Now I get the correct page. > Let it go... My best guess is you test a cache or proxy an that was redirecting to index page in webserver-base
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0245.html
Status: NEW => RESOLVEDResolution: (none) => FIXED