Release date:
2026-06-12 09:17:34 UTC
Description:
* SECURITY UPDATE: response injection from SSL upstream when a MITM-positioned
  backend delivers a plain text response before the TLS handshake completes
  - debian/patches/CVE-2026-1642.patch: reject plain text reads in
    ngx_http_upstream_process_header when u->ssl is set but c->ssl is NULL
  - CVE-2026-1642
* SECURITY UPDATE: memory disclosure and worker crash in
  ngx_http_scgi_module and ngx_http_uwsgi_module when scgi_pass or
  uwsgi_pass is configured and a MITM-positioned upstream returns an
  invalid status line, due to header parsing resuming with a stale
  r->state after the status-line fallback
  - debian/patches/CVE-2026-42946.patch: reset r->state to 0 in the
    NGX_ERROR fallback branch of ngx_http_scgi_process_status_line and
    ngx_http_uwsgi_process_status_line before delegating to the
    generic header parser
  - CVE-2026-42946
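
The stale-state fallback described in the second entry, shown as an added example that is not nginx code and not part of the patch: a simplified C model in which two parsers resume from one shared state field. All names (req_t, parse_status_line, parse_header, process) and the sample input are constructed for illustration.

```c
#include <stddef.h>

/* Simplified model, NOT nginx code: two parsers resume from one shared
   state field, as the changelog describes for r->state. All names here
   are hypothetical. */
enum { P_OK = 0, P_ERROR = -1 };
enum { H_START = 0, H_NAME = 1 };   /* header parser: any non-zero = mid-header */

typedef struct {
    int state;               /* shared resume point */
    const char *name_start;  /* set only when the header parser runs H_START */
    size_t name_len;
} req_t;

/* Status-line parser: matches "HTTP/", advancing the shared state per byte.
   On a mismatch it returns P_ERROR and leaves state where it stopped. */
static int parse_status_line(req_t *r, const char *buf, size_t n) {
    static const char magic[] = "HTTP/";
    for (size_t i = 0; i < n && r->state < 5; i++) {
        if (buf[i] != magic[r->state]) return P_ERROR;
        r->state++;
    }
    return P_OK;
}

/* Generic header parser: records name_start in H_START, then scans to ':'. */
static int parse_header(req_t *r, const char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (r->state == H_START) { r->name_start = &buf[i]; r->state = H_NAME; }
        if (buf[i] == ':') {
            /* Entered mid-header: H_START never ran, so the pointer is unset.
               A parser without this check would derive a length from it. */
            if (r->name_start == NULL) return P_ERROR;
            r->name_len = (size_t)(&buf[i] - r->name_start);
            r->state = H_START;
            return P_OK;
        }
    }
    return P_ERROR;
}

/* Fallback path: an invalid status line hands the same buffer to the header
   parser. reset_state != 0 models the patched branch (state = 0 first). */
static int process(req_t *r, const char *buf, size_t n, int reset_state) {
    if (parse_status_line(r, buf, n) == P_OK) return P_OK;
    if (reset_state) r->state = H_START;
    return parse_header(r, buf, n);
}
```

With the constructed input "HTX-Foo: bar", the unpatched path enters the header parser at state 2 and never records the start of the header name; the patched path parses the 7-byte name "HTX-Foo".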
Updated packages:
- nginx1.21_1.21.6-1~bookworm+tuxcare.els9_amd64.deb
  sha:3501b64b36e4dea18240bcd516629c90d2fe2911
- nginx1.21_1.21.6-1~bookworm+tuxcare.els9_arm64.deb
  sha:951104e68655adc59fc71d63d0f41ce3cf8fafe3
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.