diff options
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch | 46 | ||||
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch new file mode 100644 index 0000000000..0f20d1c157 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | From 12bb8081dcfdecc38fbff9283f8d8c66dc3d29ae Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roman Arutyunyan <arut@nginx.com> | ||
| 3 | Date: Thu, 29 Jan 2026 13:27:32 +0400 | ||
| 4 | Subject: [PATCH] Upstream: detect premature plain text response from SSL | ||
| 5 | backend. | ||
| 6 | |||
| 7 | When connecting to a backend, the connection write event is triggered | ||
| 8 | first in most cases. However if a response arrives quickly enough, both | ||
| 9 | read and write events can be triggered together within the same event loop | ||
| 10 | iteration. In this case the read event handler is called first and the | ||
| 11 | write event handler is called after it. | ||
| 12 | |||
| 13 | SSL initialization for backend connections happens only in the write event | ||
| 14 | handler since SSL handshake starts with sending Client Hello. Previously, | ||
| 15 | if a backend sent a quick plain text response, it could be parsed by the | ||
| 16 | read event handler prior to starting SSL handshake on the connection. | ||
| 17 | The change adds protection against parsing such responses on SSL-enabled | ||
| 18 | connections. | ||
| 19 | |||
| 20 | CVE: CVE-2026-1642 | ||
| 21 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3] | ||
| 22 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 23 | --- | ||
| 24 | src/http/ngx_http_upstream.c | 9 +++++++++ | ||
| 25 | 1 file changed, 9 insertions(+) | ||
| 26 | |||
| 27 | diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c | ||
| 28 | index de0f92a..69dda96 100644 | ||
| 29 | --- a/src/http/ngx_http_upstream.c | ||
| 30 | +++ b/src/http/ngx_http_upstream.c | ||
| 31 | @@ -2507,6 +2507,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) | ||
| 32 | return; | ||
| 33 | } | ||
| 34 | |||
| 35 | +#if (NGX_HTTP_SSL) | ||
| 36 | + if (u->ssl && c->ssl == NULL) { | ||
| 37 | + ngx_log_error(NGX_LOG_ERR, c->log, 0, | ||
| 38 | + "upstream prematurely sent response"); | ||
| 39 | + ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); | ||
| 40 | + return; | ||
| 41 | + } | ||
| 42 | +#endif | ||
| 43 | + | ||
| 44 | u->state->bytes_received += n; | ||
| 45 | |||
| 46 | u->buffer.last += n; | ||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb index c08c8539c4..0282388817 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb | |||
| @@ -8,3 +8,4 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593" | |||
| 8 | 8 | ||
| 9 | SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27" | 9 | SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27" |
| 10 | 10 | ||
| 11 | SRC_URI += "file://CVE-2026-1642.patch" | ||
