summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-04-09 23:22:05 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-15 14:12:18 +0530
commit958cca39870ffba7e657b28cc25ee107fb57a2b8 (patch)
treecbd6c9908f070efc5d224b601a1c49eb055288af
parent0ef4a2ecee12e2145c868ab7c049c5298de9e02d (diff)
downloadmeta-openembedded-958cca39870ffba7e657b28cc25ee107fb57a2b8.tar.gz
nginx: fix CVE-2026-27651
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160383 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651 [3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch34
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb1
2 files changed, 35 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch
new file mode 100644
index 0000000000..b639b1a158
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch
@@ -0,0 +1,34 @@
1From 4f32484e99671d107d0d6c27c0c674f528d8c9ca Mon Sep 17 00:00:00 2001
2From: Sergey Kandaurov <pluknet@nginx.com>
3Date: Wed, 18 Mar 2026 16:39:37 +0400
4Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
5
6Previously, it was not properly cleared retaining length as part of
7authenticating with CRAM-MD5 and APOP methods that expect to receive
8password in auth response. This resulted in null pointer dereference
9and worker process crash in subsequent auth attempts with CRAM-MD5.
10
11Reported by Arkadi Vainbrand.
12
13(cherry picked from commit 0f71dd8ea94ab8c123413b2e465be12a35392e9c)
14
15CVE: CVE-2026-27651
16Upstream-Status: Backport [https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c]
17Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
18---
19 src/mail/ngx_mail_auth_http_module.c | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
23index 27f64b92e..d931183ae 100644
24--- a/src/mail/ngx_mail_auth_http_module.c
25+++ b/src/mail/ngx_mail_auth_http_module.c
26@@ -1325,7 +1325,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
27 b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
28 b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
29
30- s->passwd.data = NULL;
31+ ngx_str_null(&s->passwd);
32 }
33
34 b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index 17dab85788..b57ee49813 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
5SRC_URI:append = " \ 5SRC_URI:append = " \
6 file://CVE-2023-44487.patch \ 6 file://CVE-2023-44487.patch \
7 file://CVE-2026-28755.patch \ 7 file://CVE-2026-28755.patch \
8 file://CVE-2026-27651.patch \
8" 9"
9 10
10SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" 11SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"