Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1132345,
regarding trixie-pu: package nginx/1.26.3-3+deb13u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132345
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:nginx
User: [email protected]
Usertags: pu

[ Reason ]
backport changes from upstream nginx, fixes for buffer overflow
vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow
vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647),
mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753)
and OCSP result bypass vulnerability in stream (CVE-2026-28755)

[ Impact ]
If the update is not approved, 6 CVEs remain open.

[ Tests ]
I have tested it manually on Debian trixie.
I have also used the automated tests on salsa.debian.org.

[ Risks ]
The change contains 6 changes; all changes are small.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Carbon copy from upstream changelog:
    *) Security: a buffer overflow might occur while handling a COPY or MOVE
       request in a location with "alias", allowing an attacker to modify
       the source or destination path outside of the document root
       (CVE-2026-27654).
       Thanks to Calif.io in collaboration with Claude and Anthropic
       Research.

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module on 32-bit platforms might cause a worker process
       crash, or might have potential other impact (CVE-2026-27784).
       Thanks to Prabhav Srinath (sprabhav7).

    *) Security: processing of a specially crafted mp4 file by the
       ngx_http_mp4_module might cause a worker process crash, or might have
       potential other impact (CVE-2026-32647).
       Thanks to Xint Code and Pavel Kohout (Aisle Research).

    *) Security: a segmentation fault might occur in a worker process if the
       CRAM-MD5 or APOP authentication methods were used and authentication
       retry was enabled (CVE-2026-27651).
       Thanks to Arkadi Vainbrand.

    *) Security: an attacker might use PTR DNS records to inject data in
       auth_http requests, as well as in the XCLIENT command in the backend
       SMTP connection (CVE-2026-28753).
       Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan
       University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
       University).

    *) Security: SSL handshake might succeed despite OCSP rejecting a client
       certificate in the stream module (CVE-2026-28755).
       Thanks to Mufeed VH of Winfunc Research.

[ Other info ]
All patches used to fix CVE problems are from upstream unchanged commits.
d/p/CVE-2026-27651.patch
d/p/CVE-2026-27654.patch
d/p/CVE-2026-27784.patch
d/p/CVE-2026-28753.patch
d/p/CVE-2026-28755.patch
d/p/CVE-2026-32647.patch

debdiff:

diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog
--- nginx-1.26.3/debian/changelog       2026-02-10 07:47:34.000000000 +0100
+++ nginx-1.26.3/debian/changelog       2026-03-30 19:41:51.000000000 +0200
@@ -1,3 +1,19 @@
+nginx (1.26.3-3+deb13u3) trixie; urgency=medium
+
+  * backport changes from upstream nginx, fixes for buffer overflow
+    vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow
+    vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, 
CVE-2026-32647),
+    mail session authentication vulnerabilities (CVE-2026-27651, 
CVE-2026-28753)
+    and OCSP result bypass vulnerability in stream (CVE-2026-28755)
+    * d/p/CVE-2026-27651.patch add
+    * d/p/CVE-2026-27654.patch add
+    * d/p/CVE-2026-27784.patch add
+    * d/p/CVE-2026-28753.patch add
+    * d/p/CVE-2026-28755.patch add
+    * d/p/CVE-2026-32647.patch add
+
+ -- Jan Mojžíš <[email protected]>  Mon, 30 Mar 2026 17:41:51 +0000
+
 nginx (1.26.3-3+deb13u2) trixie-security; urgency=medium
 
   * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642.
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-27651.patch 
nginx-1.26.3/debian/patches/CVE-2026-27651.patch
--- nginx-1.26.3/debian/patches/CVE-2026-27651.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2026-27651.patch    2026-03-30 
19:41:51.000000000 +0200
@@ -0,0 +1,31 @@
+Origin: 
https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c
+From: Sergey Kandaurov <[email protected]>
+Date: Wed, 18 Mar 2026 16:39:37 +0400
+Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
+
+Previously, it was not properly cleared retaining length as part of
+authenticating with CRAM-MD5 and APOP methods that expect to receive
+password in auth response.  This resulted in null pointer dereference
+and worker process crash in subsequent auth attempts with CRAM-MD5.
+
+Reported by Arkadi Vainbrand.
+---
+ src/mail/ngx_mail_auth_http_module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail_auth_http_module.c 
b/src/mail/ngx_mail_auth_http_module.c
+index 4ca6d6e24..3e5095a2d 100644
+--- a/src/mail/ngx_mail_auth_http_module.c
++++ b/src/mail/ngx_mail_auth_http_module.c
+@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, 
ngx_pool_t *pool,
+         b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 
1);
+         b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
+ 
+-        s->passwd.data = NULL;
++        ngx_str_null(&s->passwd);
+     }
+ 
+     b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
+-- 
+2.51.0
+
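Review bot: the only functional line, `ngx_str_null(&s->passwd);` in ngx_mail_auth_http_create_request(), sits in the block that writes Auth-Salt, and per the commit message the crash needs a subsequent CRAM-MD5 attempt after an earlier one. [ Tests ] mentions only manual testing and the salsa pipeline, so state whether an authentication retry with CRAM-MD5 and with APOP was exercised against the patched build; a single login does not reach the path this line fixes.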
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-27654.patch 
nginx-1.26.3/debian/patches/CVE-2026-27654.patch
--- nginx-1.26.3/debian/patches/CVE-2026-27654.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2026-27654.patch    2026-03-30 
19:41:51.000000000 +0200
@@ -0,0 +1,78 @@
+Origin: 
https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82
+From: Roman Arutyunyan <[email protected]>
+Date: Mon, 16 Mar 2026 20:13:03 +0400
+Subject: [PATCH] Dav: destination length validation for COPY and MOVE.
+
+Previously, when alias was used in a location with Dav COPY or MOVE
+enabled, and the destination URI was shorter than the alias, integer
+underflow could happen in ngx_http_map_uri_to_path(), which could
+result in heap buffer overwrite, followed by a possible segfault.
+With some implementations of memcpy(), the segfault could be avoided
+and the overwrite could result in a change of the source or destination
+file names to be outside of the location root.
+
+Reported by Calif.io in collaboration with Claude and Anthropic Research.
+---
+ src/http/modules/ngx_http_dav_module.c | 39 +++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_dav_module.c 
b/src/http/modules/ngx_http_dav_module.c
+index cfb98929e..4619b139a 100644
+--- a/src/http/modules/ngx_http_dav_module.c
++++ b/src/http/modules/ngx_http_dav_module.c
+@@ -535,19 +535,20 @@ ngx_http_dav_mkcol_handler(ngx_http_request_t *r, 
ngx_http_dav_loc_conf_t *dlcf)
+ static ngx_int_t
+ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
+ {
+-    u_char                   *p, *host, *last, ch;
+-    size_t                    len, root;
+-    ngx_err_t                 err;
+-    ngx_int_t                 rc, depth;
+-    ngx_uint_t                overwrite, slash, dir, flags;
+-    ngx_str_t                 path, uri, duri, args;
+-    ngx_tree_ctx_t            tree;
+-    ngx_copy_file_t           cf;
+-    ngx_file_info_t           fi;
+-    ngx_table_elt_t          *dest, *over;
+-    ngx_ext_rename_file_t     ext;
+-    ngx_http_dav_copy_ctx_t   copy;
+-    ngx_http_dav_loc_conf_t  *dlcf;
++    u_char                    *p, *host, *last, ch;
++    size_t                     len, root;
++    ngx_err_t                  err;
++    ngx_int_t                  rc, depth;
++    ngx_uint_t                 overwrite, slash, dir, flags;
++    ngx_str_t                  path, uri, duri, args;
++    ngx_tree_ctx_t             tree;
++    ngx_copy_file_t            cf;
++    ngx_file_info_t            fi;
++    ngx_table_elt_t           *dest, *over;
++    ngx_ext_rename_file_t      ext;
++    ngx_http_dav_copy_ctx_t    copy;
++    ngx_http_dav_loc_conf_t   *dlcf;
++    ngx_http_core_loc_conf_t  *clcf;
+ 
+     if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+@@ -644,6 +645,18 @@ destination_done:
+         return NGX_HTTP_CONFLICT;
+     }
+ 
++    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
++    if (clcf->alias
++        && clcf->alias != NGX_MAX_SIZE_T_VALUE
++        && duri.len < clcf->alias)
++    {
++        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                      "client sent invalid \"Destination\" header: \"%V\"",
++                      &dest->value);
++        return NGX_HTTP_BAD_REQUEST;
++    }
++
+     depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
+ 
+     if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
+-- 
+2.51.0
+
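Review bot: the new guard placed before ngx_http_dav_depth() compares `clcf->alias` with `NGX_MAX_SIZE_T_VALUE` without saying what that sentinel stands for, and the reject logs the generic `client sent invalid "Destination" header` text, so the error log will not show that the destination was shorter than the alias. As the patch is taken unchanged from upstream, keep the code as it is, but add a line to the patch header or d/changelog saying that COPY and MOVE requests with such a Destination now get 400 in an "alias" location, which is the log signal to look for after the upgrade. The first inner hunk only re-aligns the declarations to make room for the `clcf` line and carries no behaviour change.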
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-27784.patch 
nginx-1.26.3/debian/patches/CVE-2026-27784.patch
--- nginx-1.26.3/debian/patches/CVE-2026-27784.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2026-27784.patch    2026-03-30 
19:41:51.000000000 +0200
@@ -0,0 +1,84 @@
+Origin: 
https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018
+From: Roman Arutyunyan <[email protected]>
+Date: Mon, 2 Mar 2026 21:12:34 +0400
+Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
+
+Previously, a 32-bit overflow could happen while validating atom entries
+count.  This allowed processing of an invalid atom with entrires beyond
+its boundaries with reads and writes outside of the allocated mp4 buffer.
+
+Reported by Prabhav Srinath (sprabhav7).
+---
+ src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c 
b/src/http/modules/ngx_http_mp4_module.c
+index 173d8ad54..678d6296c 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+                    "mp4 time-to-sample entries:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
+-        + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stts atom too small", mp4->file.name.data);
+@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+     atom->last = atom_table;
+ 
+     if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
+-        + entries * sizeof(uint32_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stss atom too small", mp4->file.name.data);
+@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+     atom->last = atom_table;
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
+-        + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 ctts atom too small", mp4->file.name.data);
+@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+                    "sample-to-chunk entries:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
+-        + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stsc atom too small", mp4->file.name.data);
+@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+ 
+     if (size == 0) {
+         if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
+-            + entries * sizeof(uint32_t) > atom_data_size)
++            + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+         {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "\"%s\" mp4 stsz atom too small",
+@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", 
entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
+-        + entries * sizeof(uint32_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stco atom too small", mp4->file.name.data);
+@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, 
uint64_t atom_data_size)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", 
entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
+-        + entries * sizeof(uint64_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 co64 atom too small", mp4->file.name.data);
+-- 
+2.51.0
+
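Review bot: all seven `(uint64_t) entries * sizeof(...)` casts matter only where size_t is 32 bits, as the subject line says, yet [ Tests ] does not name the architecture the manual test ran on. Please state whether the package was built and exercised on a 32-bit architecture; where size_t is 64 bits the old and new expressions evaluate the same, so a test there cannot show the fix working.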
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-28753.patch 
nginx-1.26.3/debian/patches/CVE-2026-28753.patch
--- nginx-1.26.3/debian/patches/CVE-2026-28753.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2026-28753.patch    2026-03-30 
19:41:51.000000000 +0200
@@ -0,0 +1,90 @@
+Origin: 
https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f
+From: Roman Arutyunyan <[email protected]>
+Date: Thu, 26 Feb 2026 11:52:53 +0400
+Subject: [PATCH] Mail: host validation.
+
+Now host name resolved from client address is validated to only contain
+the characters specified in RFC 1034, Section 3.5.  The validation allows
+to avoid injections when using the resolved host name in auth_http and
+smtp proxy.
+
+Reported by Asim Viladi Oglu Manizada, Colin Warren,
+Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
+Bird Liu (Lanzhou University).
+---
+ src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/mail/ngx_mail_smtp_handler.c 
b/src/mail/ngx_mail_smtp_handler.c
+index 1e26c2c8d..97bbd7063 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
++++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -13,6 +13,7 @@
+ 
+ 
+ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
++static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
+ static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
+ static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+ static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
+@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t 
*ctx)
+         return;
+     }
+ 
++    if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
++        ngx_log_error(NGX_LOG_ERR, c->log, 0,
++                      "%V resolved to invalid host name \"%V\"",
++                      &c->addr_text, &ctx->name);
++
++        s->host = smtp_tempunavail;
++
++        ngx_resolve_addr_done(ctx);
++
++        ngx_mail_smtp_greeting(s, s->connection);
++
++        return;
++    }
++
+     c->log->action = "in resolving client hostname";
+ 
+     s->host.data = ngx_pstrdup(c->pool, &ctx->name);
+@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t 
*ctx)
+ }
+ 
+ 
++static ngx_int_t
++ngx_mail_smtp_validate_host(ngx_str_t *name)
++{
++    u_char      ch;
++    ngx_uint_t  i;
++
++    if (name->len == 0) {
++        return NGX_DECLINED;
++    }
++
++    for (i = 0; i < name->len; i++) {
++        ch = name->data[i];
++
++        /* allow only characters from RFC 1034, Section 3.5 */
++
++        if ((ch >= 'a' && ch <= 'z')
++            || (ch >= 'A' && ch <= 'Z')
++            || (ch >= '0' && ch <= '9')
++            || ch == '-' || ch == '.')
++        {
++            continue;
++        }
++
++        return NGX_DECLINED;
++    }
++
++    return NGX_OK;
++}
++
++
+ static void
+ ngx_mail_smtp_resolve_name(ngx_event_t *rev)
+ {
+-- 
+2.51.0
+
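Review bot: the allowlist in ngx_mail_smtp_validate_host() accepts only letters, digits, '-' and '.', so a PTR name containing '_' or any other byte now gets s->host set to `smtp_tempunavail` and an NGX_LOG_ERR line `resolved to invalid host name`. That is a visible behaviour change for a stable update; mention it in d/changelog so mail administrators know the new error line marks a rejected reverse-DNS name rather than a resolver fault. The check is per character only (a leading '-' or consecutive dots still pass), which is what the in-code comment promises, and is worth repeating in the patch header so nobody reads it as full RFC 1034 syntax validation.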
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-28755.patch 
nginx-1.26.3/debian/patches/CVE-2026-28755.patch
--- nginx-1.26.3/debian/patches/CVE-2026-28755.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2026-28755.patch    2026-03-30 
19:41:51.000000000 +0200
@@ -0,0 +1,44 @@
+Origin: 
https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
+From: Sergey Kandaurov <[email protected]>
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c 
b/src/stream/ngx_stream_ssl_module.c
+index ea0b112b8..85a74ce1d 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -410,6 +410,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+     long                        rc;
+     X509                       *cert;
+     ngx_int_t                   rv;
++    const char                 *str;
+     ngx_connection_t           *c;
+     ngx_stream_ssl_srv_conf_t  *sscf;
+ 
+@@ -460,6 +461,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ 
+             X509_free(cert);
+         }
++
++        if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client SSL certificate verify error: %s", str);
++
++            ngx_ssl_remove_cached_session(c->ssl->session_ctx,
++                                       
(SSL_get0_session(c->ssl->connection)));
++            return NGX_ERROR;
++        }
+     }
+ 
+     return NGX_OK;
+-- 
+2.51.0
+
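Review bot: the added `ngx_ssl_ocsp_get_status()` failure branch in ngx_stream_ssl_handler() logs at NGX_LOG_INFO, so with an error_log level less verbose than info a client certificate rejected by OCSP leaves no log line after this fix. Note in d/changelog that operators who depend on OCSP in stream need the `info` level to see `client SSL certificate verify error`. The commit message names 581cf2267 as the commit where the check was missed; the patch header would be easier to audit if it said whether that commit is part of 1.26.3.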
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-32647.patch 
nginx-1.26.3/debian/patches/CVE-2026-32647.patch
--- nginx-1.26.3/debian/patches/CVE-2026-32647.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2026-32647.patch    2026-03-30 
19:41:51.000000000 +0200
@@ -0,0 +1,74 @@
+Origin: 
https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
+From: Roman Arutyunyan <[email protected]>
+Date: Sat, 21 Feb 2026 12:04:36 +0400
+Subject: [PATCH] Mp4: avoid zero size buffers in output.
+
+Previously, data validation checks did not cover the cases when the output
+contained empty buffers.  Such buffers are considered illegal and produce
+"zero size buf in output" alerts.  The change rejects the mp4 files which
+produce such alerts.
+
+Also, the change fixes possible buffer overread and overwrite that could
+happen while processing empty stco and co64 atoms, as reported by
+Pavel Kohout (Aisle Research) and Tim Becker.
+---
+ src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c 
b/src/http/modules/ngx_http_mp4_module.c
+index 445fab1cd..173d8ad54 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+         }
+     }
+ 
+-    if (end_offset < start_offset) {
+-        end_offset = start_offset;
++    if (end_offset <= start_offset) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "no data between start time and end time in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
+     }
+ 
+     mp4->moov_size += 8;
+@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+ 
+     *prev = &mp4->mdat_atom;
+ 
+-    if (start_offset > mp4->mdat_data.buf->file_last) {
++    if (start_offset >= mp4->mdat_data.buf->file_last) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 mdat atom in \"%s\"",
+                       mp4->file.name.data);
+@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
+     if (data) {
+         entries = trak->sample_sizes_entries;
+ 
+-        if (trak->start_sample > entries) {
++        if (trak->start_sample >= entries) {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "start time is out mp4 stsz samples in \"%s\"",
+                           mp4->file.name.data);
+@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 stco chunks in \"%s\"",
+                       mp4->file.name.data);
+@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 co64 chunks in \"%s\"",
+                       mp4->file.name.data);
+-- 
+2.51.0
+
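Review bot: the first inner hunk in ngx_http_mp4_process() replaces the old clamp `end_offset = start_offset` with `return NGX_ERROR` for `end_offset <= start_offset`, so a request whose start and end times select no data now fails instead of producing output. Together with the four `>` to `>=` changes in the later hunks this alters what clients receive for edge-case ranges; record that in d/changelog as an intended behaviour change of this stable update.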
diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series
--- nginx-1.26.3/debian/patches/series  2026-02-10 07:47:34.000000000 +0100
+++ nginx-1.26.3/debian/patches/series  2026-03-30 19:41:51.000000000 +0200
@@ -3,3 +3,9 @@
 nginx-ssl_cert_cb_yield.patch
 CVE-2025-53859.patch
 CVE-2026-1642.patch
+CVE-2026-27651.patch
+CVE-2026-27654.patch
+CVE-2026-27784.patch
+CVE-2026-28753.patch
+CVE-2026-28755.patch
+CVE-2026-32647.patch
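Review bot: the six new entries are appended in CVE-number order, which puts CVE-2026-27784.patch ahead of CVE-2026-32647.patch although both modify src/http/modules/ngx_http_mp4_module.c and their index lines show the opposite upstream order (CVE-2026-32647 is 445fab1cd..173d8ad54, CVE-2026-27784 starts from 173d8ad54). Their hunks touch different lines, so the series should still apply, but either list CVE-2026-32647.patch first or confirm that quilt applies all six without fuzz or offsets.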

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
