summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTheo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>2026-05-20 16:24:35 +0200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-05-21 09:56:21 +0530
commit167e8b64dd9557406c39b6c0bc142ac0fd3a63dc (patch)
treeb2263d10c079be5bb407ff4c022ac9e2dfaa80d2
parentf1d78e95277e4a74a71a75098da88edb2927b9a6 (diff)
downloadmeta-openembedded-167e8b64dd9557406c39b6c0bc142ac0fd3a63dc.tar.gz
nginx: patch CVE-2026-40701
Backport patch [1] mentioned in [2]. [1] https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1 [2] https://security-tracker.debian.org/tracker/CVE-2026-40701 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch73
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb1
2 files changed, 74 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
new file mode 100644
index 0000000000..63bd7bd24e
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
@@ -0,0 +1,73 @@
1From 7abc2a59d5d65bb981be7cababb029d60c995719 Mon Sep 17 00:00:00 2001
2From: Roman Arutyunyan <arut@nginx.com>
3Date: Tue, 21 Apr 2026 14:51:41 +0400
4Subject: [PATCH] OCSP: resolve cleanup on connection close
5
6Previously, when a client SSL connection was terminated (typically due to a
7timeout) while resolving an OCSP responder, the OCSP context was freed, but
8the resolve context was not. This resulted in use-after-free on resolve
9completion.
10
11Reported by Leo Lin.
12
13CVE: CVE-2026-40701
14Upstream-Status: Backport [https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1]
15Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
16---
17 src/event/ngx_event_openssl_stapling.c | 11 +++++++++++
18 1 file changed, 11 insertions(+)
19
20diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
21index e3fa8c4..2aaf99b 100644
22--- a/src/event/ngx_event_openssl_stapling.c
23+++ b/src/event/ngx_event_openssl_stapling.c
24@@ -111,6 +111,7 @@ struct ngx_ssl_ocsp_ctx_s {
25
26 ngx_resolver_t *resolver;
27 ngx_msec_t resolver_timeout;
28+ ngx_resolver_ctx_t *resolve;
29
30 ngx_msec_t timeout;
31
32@@ -1303,6 +1304,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
33 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
34 "ssl ocsp done");
35
36+ if (ctx->resolve) {
37+ ngx_resolve_name_done(ctx->resolve);
38+ }
39+
40 if (ctx->peer.connection) {
41 ngx_close_connection(ctx->peer.connection);
42 }
43@@ -1395,7 +1400,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
44 resolve->data = ctx;
45 resolve->timeout = ctx->resolver_timeout;
46
47+ ctx->resolve = resolve;
48+
49 if (ngx_resolve_name(resolve) != NGX_OK) {
50+ ctx->resolve = NULL;
51 ngx_ssl_ocsp_error(ctx);
52 return;
53 }
54@@ -1484,6 +1492,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
55 }
56
57 ngx_resolve_name_done(resolve);
58+ ctx->resolve = NULL;
59
60 ngx_ssl_ocsp_connect(ctx);
61 return;
62@@ -1491,6 +1500,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
63 failed:
64
65 ngx_resolve_name_done(resolve);
66+ ctx->resolve = NULL;
67+
68 ngx_ssl_ocsp_error(ctx);
69 }
70
71--
722.43.0
73
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index b732e92b18..b4bb1ccc67 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -9,6 +9,7 @@ SRC_URI:append = " \
9 file://CVE-2026-27654.patch \ 9 file://CVE-2026-27654.patch \
10 file://CVE-2026-28753.patch \ 10 file://CVE-2026-28753.patch \
11 file://CVE-2026-32647.patch \ 11 file://CVE-2026-32647.patch \
12 file://CVE-2026-40701.patch \
12" 13"
13 14
14SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" 15SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"