summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch46
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch91
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb2
3 files changed, 139 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch
new file mode 100644
index 0000000000..2418f69afc
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch
@@ -0,0 +1,46 @@
1From 7b45e652cc7e91fbc60cbb5f41eb4608e706bc03 Mon Sep 17 00:00:00 2001
2From: Sergey Kandaurov <pluknet@nginx.com>
3Date: Wed, 29 Apr 2026 21:56:51 +0400
4Subject: [PATCH 1/2] Upstream: reset parsing state after invalid status line
5
6Previously, it was possible to start parsing headers with a wrong
7parsing state after status line was not recognized, as a fallback
8used in the scgi and uwsgi modules.
9
10Reported by Leo Lin.
11
12CVE: CVE-2026-42946
13Upstream-Status: Backport [https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e]
14Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
15---
16 src/http/modules/ngx_http_scgi_module.c | 1 +
17 src/http/modules/ngx_http_uwsgi_module.c | 1 +
18 2 files changed, 2 insertions(+)
19
20diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
21index 9fc18dc..3259820 100644
22--- a/src/http/modules/ngx_http_scgi_module.c
23+++ b/src/http/modules/ngx_http_scgi_module.c
24@@ -1029,6 +1029,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
25
26 if (rc == NGX_ERROR) {
27 u->process_header = ngx_http_scgi_process_header;
28+ r->state = 0;
29 return ngx_http_scgi_process_header(r);
30 }
31
32diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
33index e4f721b..93bcad7 100644
34--- a/src/http/modules/ngx_http_uwsgi_module.c
35+++ b/src/http/modules/ngx_http_uwsgi_module.c
36@@ -1257,6 +1257,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
37
38 if (rc == NGX_ERROR) {
39 u->process_header = ngx_http_uwsgi_process_header;
40+ r->state = 0;
41 return ngx_http_uwsgi_process_header(r);
42 }
43
44--
452.43.0
46
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch
new file mode 100644
index 0000000000..089bd46a26
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch
@@ -0,0 +1,91 @@
1From 7b5bea14a2a7a784751a8f86559bd3c3f109ed5b Mon Sep 17 00:00:00 2001
2From: Sergey Kandaurov <pluknet@nginx.com>
3Date: Wed, 29 Apr 2026 23:02:20 +0400
4Subject: [PATCH 2/2] Upstream: fixed parsing of split status lines
5
6If the first response line was split across reads and it didn't appear
7a status line, the portion already processed was lost. To preserve ABI,
8the change reuses r->header_name_start for proper backtracking on status
9line fallback.
10
11CVE: CVE-2026-42946
12Upstream-Status: Backport [https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd]
13Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
14---
15 src/http/modules/ngx_http_proxy_module.c | 5 +++++
16 src/http/modules/ngx_http_scgi_module.c | 5 +++++
17 src/http/modules/ngx_http_uwsgi_module.c | 5 +++++
18 3 files changed, 15 insertions(+)
19
20diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
21index 9cc202c..19cbfa3 100644
22--- a/src/http/modules/ngx_http_proxy_module.c
23+++ b/src/http/modules/ngx_http_proxy_module.c
24@@ -1814,6 +1814,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
25
26 u = r->upstream;
27
28+ if (r->state == 0) {
29+ r->header_name_start = u->buffer.pos;
30+ }
31+
32 rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status);
33
34 if (rc == NGX_AGAIN) {
35@@ -1821,6 +1825,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
36 }
37
38 if (rc == NGX_ERROR) {
39+ u->buffer.pos = r->header_name_start;
40
41 #if (NGX_HTTP_CACHE)
42
43diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
44index 3259820..a04fd47 100644
45--- a/src/http/modules/ngx_http_scgi_module.c
46+++ b/src/http/modules/ngx_http_scgi_module.c
47@@ -1021,6 +1021,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
48
49 u = r->upstream;
50
51+ if (r->state == 0) {
52+ r->header_name_start = u->buffer.pos;
53+ }
54+
55 rc = ngx_http_parse_status_line(r, &u->buffer, status);
56
57 if (rc == NGX_AGAIN) {
58@@ -1029,6 +1033,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
59
60 if (rc == NGX_ERROR) {
61 u->process_header = ngx_http_scgi_process_header;
62+ u->buffer.pos = r->header_name_start;
63 r->state = 0;
64 return ngx_http_scgi_process_header(r);
65 }
66diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
67index 93bcad7..749254f 100644
68--- a/src/http/modules/ngx_http_uwsgi_module.c
69+++ b/src/http/modules/ngx_http_uwsgi_module.c
70@@ -1249,6 +1249,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
71
72 u = r->upstream;
73
74+ if (r->state == 0) {
75+ r->header_name_start = u->buffer.pos;
76+ }
77+
78 rc = ngx_http_parse_status_line(r, &u->buffer, status);
79
80 if (rc == NGX_AGAIN) {
81@@ -1257,6 +1261,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
82
83 if (rc == NGX_ERROR) {
84 u->process_header = ngx_http_uwsgi_process_header;
85+ u->buffer.pos = r->header_name_start;
86 r->state = 0;
87 return ngx_http_uwsgi_process_header(r);
88 }
89--
902.43.0
91
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index f9e40fa27f..26352a8814 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -12,6 +12,8 @@ SRC_URI:append = " \
12 file://CVE-2026-40701.patch \ 12 file://CVE-2026-40701.patch \
13 file://CVE-2026-42934.patch \ 13 file://CVE-2026-42934.patch \
14 file://CVE-2026-42945.patch \ 14 file://CVE-2026-42945.patch \
15 file://CVE-2026-42946-01.patch \
16 file://CVE-2026-42946-02.patch \
15" 17"
16 18
17SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" 19SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"