summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch46
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb1
2 files changed, 47 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
new file mode 100644
index 0000000000..0f20d1c157
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
@@ -0,0 +1,46 @@
1From 12bb8081dcfdecc38fbff9283f8d8c66dc3d29ae Mon Sep 17 00:00:00 2001
2From: Roman Arutyunyan <arut@nginx.com>
3Date: Thu, 29 Jan 2026 13:27:32 +0400
4Subject: [PATCH] Upstream: detect premature plain text response from SSL
5 backend.
6
7When connecting to a backend, the connection write event is triggered
8first in most cases. However if a response arrives quickly enough, both
9read and write events can be triggered together within the same event loop
10iteration. In this case the read event handler is called first and the
11write event handler is called after it.
12
13SSL initialization for backend connections happens only in the write event
14handler since SSL handshake starts with sending Client Hello. Previously,
15if a backend sent a quick plain text response, it could be parsed by the
16read event handler prior to starting SSL handshake on the connection.
17The change adds protection against parsing such responses on SSL-enabled
18connections.
19
20CVE: CVE-2026-1642
21Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3]
22Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
23---
24 src/http/ngx_http_upstream.c | 9 +++++++++
25 1 file changed, 9 insertions(+)
26
27diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
28index de0f92a..69dda96 100644
29--- a/src/http/ngx_http_upstream.c
30+++ b/src/http/ngx_http_upstream.c
31@@ -2507,6 +2507,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
32 return;
33 }
34
35+#if (NGX_HTTP_SSL)
36+ if (u->ssl && c->ssl == NULL) {
37+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
38+ "upstream prematurely sent response");
39+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
40+ return;
41+ }
42+#endif
43+
44 u->state->bytes_received += n;
45
46 u->buffer.last += n;
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
index c08c8539c4..0282388817 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
@@ -8,3 +8,4 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593"
8 8
9SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27" 9SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27"
10 10
11SRC_URI += "file://CVE-2026-1642.patch"