* SECURITY UPDATE: detect premature plain text response from SSL upstream (TLS plaintext injection) - debian/patches/CVE-2026-1642.patch: detect premature plain text response from SSL upstream (TLS plaintext injection) - CVE-2026-1642 * SECURITY UPDATE: fix NULL pointer dereference clearing s->passwd in mail auth http requests - debian/patches/CVE-2026-27651.patch: fix NULL pointer dereference clearing s->passwd in mail auth http requests - CVE-2026-27651 * SECURITY UPDATE: destination length validation for WebDAV COPY and MOVE (heap buffer overflow) - debian/patches/CVE-2026-27654.patch: destination length validation for WebDAV COPY and MOVE (heap buffer overflow) - CVE-2026-27654 * SECURITY UPDATE: fix integer overflow on 32-bit platforms in ngx_http_mp4_module - debian/patches/CVE-2026-27784.patch: fix integer overflow on 32-bit platforms in ngx_http_mp4_module - CVE-2026-27784 * SECURITY UPDATE: avoid zero size buffers in ngx_http_mp4_module output (out-of-bounds access) - debian/patches/CVE-2026-32647.patch: avoid zero size buffers in ngx_http_mp4_module output (out-of-bounds access) - CVE-2026-32647 * SECURITY UPDATE: reject unsafe characters in URIs and headers set via the Lua API (HTTP response splitting) - debian/modules/nginx-lua/src/ngx_http_lua_util.c, debian/modules/nginx-lua/src/ngx_http_lua_util.h, debian/modules/nginx-lua/src/ngx_http_lua_uri.c, debian/modules/nginx-lua/src/ngx_http_lua_headers_in.c, debian/modules/nginx-lua/src/ngx_http_lua_headers_out.c, debian/modules/nginx-lua/src/ngx_http_lua_control.c: validate arguments of the Lua APIs that mutate a URI or a request/response header so control characters raise an error instead of being silently truncated. - CVE-2020-36309