summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch46
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx.inc1
2 files changed, 47 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
new file mode 100644
index 0000000000..7cbdda6adc
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
@@ -0,0 +1,46 @@
1From 12a0f6a27e77b09807c93d9e4f8605c0dc37e21f Mon Sep 17 00:00:00 2001
2From: Roman Arutyunyan <arut@nginx.com>
3Date: Thu, 29 Jan 2026 13:27:32 +0400
4Subject: [PATCH] Upstream: detect premature plain text response from SSL
5 backend.
6
7When connecting to a backend, the connection write event is triggered
8first in most cases. However if a response arrives quickly enough, both
9read and write events can be triggered together within the same event loop
10iteration. In this case the read event handler is called first and the
11write event handler is called after it.
12
13SSL initialization for backend connections happens only in the write event
14handler since SSL handshake starts with sending Client Hello. Previously,
15if a backend sent a quick plain text response, it could be parsed by the
16read event handler prior to starting SSL handshake on the connection.
17The change adds protection against parsing such responses on SSL-enabled
18connections.
19
20CVE: CVE-2026-1642
21Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3]
22Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
23---
24 src/http/ngx_http_upstream.c | 9 +++++++++
25 1 file changed, 9 insertions(+)
26
27diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
28index 3ae822b..6c310d8 100644
29--- a/src/http/ngx_http_upstream.c
30+++ b/src/http/ngx_http_upstream.c
31@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
32 return;
33 }
34
35+#if (NGX_HTTP_SSL)
36+ if (u->ssl && c->ssl == NULL) {
37+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
38+ "upstream prematurely sent response");
39+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
40+ return;
41+ }
42+#endif
43+
44 u->state->bytes_received += n;
45
46 u->buffer.last += n;
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index 865d7f86ee..722e2508d4 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -27,6 +27,7 @@ SRC_URI = " \
27 file://CVE-2024-7347-2.patch \ 27 file://CVE-2024-7347-2.patch \
28 file://CVE-2025-53859.patch \ 28 file://CVE-2025-53859.patch \
29 file://CVE-2025-23419.patch \ 29 file://CVE-2025-23419.patch \
30 file://CVE-2026-1642.patch \
30" 31"
31 32
32inherit siteinfo update-rc.d useradd systemd 33inherit siteinfo update-rc.d useradd systemd