diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-04-09 23:22:05 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-15 14:12:18 +0530 |
| commit | 958cca39870ffba7e657b28cc25ee107fb57a2b8 (patch) | |
| tree | cbd6c9908f070efc5d224b601a1c49eb055288af | |
| parent | 0ef4a2ecee12e2145c868ab7c049c5298de9e02d (diff) | |
| download | meta-openembedded-958cca39870ffba7e657b28cc25ee107fb57a2b8.tar.gz | |
nginx: fix CVE-2026-27651
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160383
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651
[3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch | 34 | ||||
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | 1 |
2 files changed, 35 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch new file mode 100644 index 0000000000..b639b1a158 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | From 4f32484e99671d107d0d6c27c0c674f528d8c9ca Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Sergey Kandaurov <pluknet@nginx.com> | ||
| 3 | Date: Wed, 18 Mar 2026 16:39:37 +0400 | ||
| 4 | Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests. | ||
| 5 | |||
| 6 | Previously, it was not properly cleared retaining length as part of | ||
| 7 | authenticating with CRAM-MD5 and APOP methods that expect to receive | ||
| 8 | password in auth response. This resulted in null pointer dereference | ||
| 9 | and worker process crash in subsequent auth attempts with CRAM-MD5. | ||
| 10 | |||
| 11 | Reported by Arkadi Vainbrand. | ||
| 12 | |||
| 13 | (cherry picked from commit 0f71dd8ea94ab8c123413b2e465be12a35392e9c) | ||
| 14 | |||
| 15 | CVE: CVE-2026-27651 | ||
| 16 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c] | ||
| 17 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 18 | --- | ||
| 19 | src/mail/ngx_mail_auth_http_module.c | 2 +- | ||
| 20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 21 | |||
| 22 | diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c | ||
| 23 | index 27f64b92e..d931183ae 100644 | ||
| 24 | --- a/src/mail/ngx_mail_auth_http_module.c | ||
| 25 | +++ b/src/mail/ngx_mail_auth_http_module.c | ||
| 26 | @@ -1325,7 +1325,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, | ||
| 27 | b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1); | ||
| 28 | b->last = ngx_copy(b->last, s->salt.data, s->salt.len); | ||
| 29 | |||
| 30 | - s->passwd.data = NULL; | ||
| 31 | + ngx_str_null(&s->passwd); | ||
| 32 | } | ||
| 33 | |||
| 34 | b->last = ngx_cpymem(b->last, "Auth-Protocol: ", | ||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index 17dab85788..b57ee49813 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | |||
| @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632" | |||
| 5 | SRC_URI:append = " \ | 5 | SRC_URI:append = " \ |
| 6 | file://CVE-2023-44487.patch \ | 6 | file://CVE-2023-44487.patch \ |
| 7 | file://CVE-2026-28755.patch \ | 7 | file://CVE-2026-28755.patch \ |
| 8 | file://CVE-2026-27651.patch \ | ||
| 8 | " | 9 | " |
| 9 | 10 | ||
| 10 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" | 11 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" |
