> -----Original Message----- > From: Gyorgy Sarvari <[email protected]> > Sent: Monday, February 23, 2026 9:08 > To: Marko, Peter (FT D EU SK BFS1) <[email protected]>; > [email protected] > Subject: Re: [oe] [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026- > 1642 > > I wonder, does this patch apply only to 1.24, or does it apply to the > other two recipes also (and it could be just shoved into the .inc file)?
I have sent additional patch to move both CVE patches to the inc file. Peter > > On 2/22/26 23:52, Peter Marko via lists.openembedded.org wrote: > > From: Peter Marko <[email protected]> > > > > Pick patch accorting to [1]. > > > > [1] https://security-tracker.debian.org/tracker/CVE-2026-1642 > > > > Signed-off-by: Peter Marko <[email protected]> > > --- > > v2: added patch annotations > > > > .../nginx/files/CVE-2026-1642.patch | 46 +++++++++++++++++++ > > .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 + > > 2 files changed, 47 insertions(+) > > create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2026- > 1642.patch > > > > diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch > b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch > > new file mode 100644 > > index 0000000000..d6c636e54d > > --- /dev/null > > +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch > > @@ -0,0 +1,46 @@ > > +From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 > 2001 > > +From: Roman Arutyunyan <[email protected]> > > +Date: Thu, 29 Jan 2026 13:27:32 +0400 > > +Subject: [PATCH] Upstream: detect premature plain text response from SSL > > + backend. > > + > > +When connecting to a backend, the connection write event is triggered > > +first in most cases. However if a response arrives quickly enough, both > > +read and write events can be triggered together within the same event loop > > +iteration. In this case the read event handler is called first and the > > +write event handler is called after it. > > + > > +SSL initialization for backend connections happens only in the write event > > +handler since SSL handshake starts with sending Client Hello. Previously, > > +if a backend sent a quick plain text response, it could be parsed by the > > +read event handler prior to starting SSL handshake on the connection. > > +The change adds protection against parsing such responses on SSL-enabled > > +connections. > > + > > +CVE: CVE-2026-1642 > > +Upstream-Status: Backport > [https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f8 > 5b6e] > > +Signed-off-by: Peter Marko <[email protected]> > > +--- > > + src/http/ngx_http_upstream.c | 9 +++++++++ > > + 1 file changed, 9 insertions(+) > > + > > +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c > > +index df577ad67..cadc74479 100644 > > +--- a/src/http/ngx_http_upstream.c > > ++++ b/src/http/ngx_http_upstream.c > > +@@ -2441,6 +2441,15 @@ > ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t > *u) > > + return; > > + } > > + > > ++#if (NGX_HTTP_SSL) > > ++ if (u->ssl && c->ssl == NULL) { > > ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, > > ++ "upstream prematurely sent response"); > > ++ ngx_http_upstream_next(r, u, > NGX_HTTP_UPSTREAM_FT_ERROR); > > ++ return; > > ++ } > > ++#endif > > ++ > > + u->state->bytes_received += n; > > + > > + u->buffer.last += n; > > diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta- > webserver/recipes-httpd/nginx/nginx_1.24.0.bb > > index e288b19da3..93a27ebd56 100644 > > --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb > > +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb > > @@ -3,6 +3,7 @@ require nginx.inc > > LIC_FILES_CHKSUM = > "file://LICENSE;md5=175abb631c799f54573dc481454c8632" > > > > SRC_URI:append = " file://CVE-2025-23419.patch" > > +SRC_URI:append = " file://CVE-2026-1642.patch" > > > > SRC_URI[sha256sum] = > "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124553): https://lists.openembedded.org/g/openembedded-devel/message/124553 Mute This Topic: https://lists.openembedded.org/mt/117948481/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
