nginx: fix CVE-2026-28753scarthgap

As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160367 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753 [3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Ankur Tyagi <ankur.tyagi85@gmail.com> 2026-04-09 23:22:07 +1200
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15 14:12:18 +0530
commit: 5124ac4a658899158f4a7a2ddf1d2ca931ec7d0e (patch)
tree: d4509ea98af62590e96ffd74c6f95f462635fe28 /meta-webserver
parent: 24459e3f5c236726a27f74e8b748daaf265fdcb3 (diff)
download: meta-openembedded-scarthgap.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
new file mode 100644
index 0000000000..de27ffad2a
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
@@ -0,0 +1,93 @@
+From 7e705808a8568a091a8ecf418ed9f77914304fcc Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 26 Feb 2026 11:52:53 +0400
+Subject: [PATCH] Mail: host validation.
+Now host name resolved from client address is validated to only contain
+the characters specified in RFC 1034, Section 3.5.  The validation allows
+to avoid injections when using the resolved host name in auth_http and
+smtp proxy.
+Reported by Asim Viladi Oglu Manizada, Colin Warren,
+Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
+Bird Liu (Lanzhou University).
+(cherry picked from commit 6a8513761fb327f67fcc6cfcf1ad216887e2589f)
+CVE: CVE-2026-28753
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
+index e68ceedfd..e477741c8 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -13,6 +13,7 @@
+ 
+ 
+ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
+static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
+ static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
+ static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+ static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
+@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+         return;
+     }
+ 
+    if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                      "%V resolved to invalid host name \"%V\"",
+                      &c->addr_text, &ctx->name);
+
+        s->host = smtp_tempunavail;
+
+        ngx_resolve_addr_done(ctx);
+
+        ngx_mail_smtp_greeting(s, s->connection);
+
+        return;
+    }
+
+     c->log->action = "in resolving client hostname";
+ 
+     s->host.data = ngx_pstrdup(c->pool, &ctx->name);
+@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ }
+ 
+ 
+static ngx_int_t
+ngx_mail_smtp_validate_host(ngx_str_t *name)
+{
+    u_char      ch;
+    ngx_uint_t  i;
+
+    if (name->len == 0) {
+        return NGX_DECLINED;
+    }
+
+    for (i = 0; i < name->len; i++) {
+        ch = name->data[i];
+
+        /* allow only characters from RFC 1034, Section 3.5 */
+
+        if ((ch >= 'a' && ch <= 'z')
+            || (ch >= 'A' && ch <= 'Z')
+            || (ch >= '0' && ch <= '9')
+            || ch == '-' || ch == '.')
+        {
+            continue;
+        }
+
+        return NGX_DECLINED;
+    }
+
+    return NGX_OK;
+}
+
+
+ static void
+ ngx_mail_smtp_resolve_name(ngx_event_t *rev)
+ {
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index cdd351fb12..d493a66ce9 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -7,6 +7,7 @@ SRC_URI:append = " \
                  file://CVE-2026-28755.patch \
                  file://CVE-2026-27651.patch \
                  file://CVE-2026-27654.patch \
+                  file://CVE-2026-28753.patch \
 "
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
author	Ankur Tyagi <ankur.tyagi85@gmail.com>	2026-04-09 23:22:07 +1200
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-15 14:12:18 +0530
commit	5124ac4a658899158f4a7a2ddf1d2ca931ec7d0e (patch)
tree	d4509ea98af62590e96ffd74c6f95f462635fe28 /meta-webserver
parent	24459e3f5c236726a27f74e8b748daaf265fdcb3 (diff)
download	meta-openembedded-scarthgap.tar.gz

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch new file mode 100644 index 0000000000..de27ffad2a --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
@@ -0,0 +1,93 @@
		1	From 7e705808a8568a091a8ecf418ed9f77914304fcc Mon Sep 17 00:00:00 2001
		2	From: Roman Arutyunyan <arut@nginx.com>
		3	Date: Thu, 26 Feb 2026 11:52:53 +0400
		4	Subject: [PATCH] Mail: host validation.
		5
		6	Now host name resolved from client address is validated to only contain
		7	the characters specified in RFC 1034, Section 3.5. The validation allows
		8	to avoid injections when using the resolved host name in auth_http and
		9	smtp proxy.
		10
		11	Reported by Asim Viladi Oglu Manizada, Colin Warren,
		12	Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
		13	Bird Liu (Lanzhou University).
		14
		15	(cherry picked from commit 6a8513761fb327f67fcc6cfcf1ad216887e2589f)
		16
		17	CVE: CVE-2026-28753
		18	Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f]
		19	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		20	---
		21	src/mail/ngx_mail_smtp_handler.c \| 45 ++++++++++++++++++++++++++++++++
		22	1 file changed, 45 insertions(+)
		23
		24	diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
		25	index e68ceedfd..e477741c8 100644
		26	--- a/src/mail/ngx_mail_smtp_handler.c
		27	+++ b/src/mail/ngx_mail_smtp_handler.c
		28	@@ -13,6 +13,7 @@
		29
		30
		31	static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
		32	+static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
		33	static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
		34	static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
		35	static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
		36	@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
		37	return;
		38	}
		39
		40	+ if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
		41	+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
		42	+ "%V resolved to invalid host name \"%V\"",
		43	+ &c->addr_text, &ctx->name);
		44	+
		45	+ s->host = smtp_tempunavail;
		46	+
		47	+ ngx_resolve_addr_done(ctx);
		48	+
		49	+ ngx_mail_smtp_greeting(s, s->connection);
		50	+
		51	+ return;
		52	+ }
		53	+
		54	c->log->action = "in resolving client hostname";
		55
		56	s->host.data = ngx_pstrdup(c->pool, &ctx->name);
		57	@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
		58	}
		59
		60
		61	+static ngx_int_t
		62	+ngx_mail_smtp_validate_host(ngx_str_t *name)
		63	+{
		64	+ u_char ch;
		65	+ ngx_uint_t i;
		66	+
		67	+ if (name->len == 0) {
		68	+ return NGX_DECLINED;
		69	+ }
		70	+
		71	+ for (i = 0; i < name->len; i++) {
		72	+ ch = name->data[i];
		73	+
		74	+ /* allow only characters from RFC 1034, Section 3.5 */
		75	+
		76	+ if ((ch >= 'a' && ch <= 'z')
		77	+ \|\| (ch >= 'A' && ch <= 'Z')
		78	+ \|\| (ch >= '0' && ch <= '9')
		79	+ \|\| ch == '-' \|\| ch == '.')
		80	+ {
		81	+ continue;
		82	+ }
		83	+
		84	+ return NGX_DECLINED;
		85	+ }
		86	+
		87	+ return NGX_OK;
		88	+}
		89	+
		90	+
		91	static void
		92	ngx_mail_smtp_resolve_name(ngx_event_t *rev)
		93	{


diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index cdd351fb12..d493a66ce9 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -7,6 +7,7 @@ SRC_URI:append = " \
7	file://CVE-2026-28755.patch \	7	file://CVE-2026-28755.patch \
8	file://CVE-2026-27651.patch \	8	file://CVE-2026-27651.patch \
9	file://CVE-2026-27654.patch \	9	file://CVE-2026-27654.patch \
		10	file://CVE-2026-28753.patch \
10	"	11	"
11		12
12	SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"	13	SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"