From bc2c5a31f3ae64b5b3a69f71b1f78b053bff466e Mon Sep 17 00:00:00 2001
From: Zac Blazic <zacblazic@gmail.com>
Date: Mon, 18 May 2026 16:22:43 +0200
Subject: [PATCH 1/2] Upgrade nginx to v1.31.0

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ed5cef2..aa7307b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.27.4-bookworm
+FROM nginx:1.31.0-trixie
 
 ENV NGINX_ENTRYPOINT_QUIET_LOGS=1
 

From 6cf72d4ef96196b25a3ffe7403ae3326f447b447 Mon Sep 17 00:00:00 2001
From: Zac Blazic <zacblazic@gmail.com>
Date: Mon, 18 May 2026 16:22:43 +0200
Subject: [PATCH 2/2] Update changelog

---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9f5d64..8179a21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.31.0
+
+* Upgrade to Nginx 1.31.0 to address CVE-2026-42945 (heap buffer overflow in `ngx_http_rewrite_module`).
+* Switch base from Debian Bookworm (12) to Debian Trixie (13). Upstream Nginx no longer publishes a `-bookworm` tag for 1.31.0.
+
 ## 1.27.4
 
 * Upgrade to Nginx 1.27.4.