Details: https://nvd.nist.gov/vuln/detail/CVE-2026-1642
Note: this is only for v1.29.1. v1.28.x recipe contains this fix already. Pick the commit that was identified by the reporter on the oss-sec mailing list[1] [1]: https://www.openwall.com/lists/oss-security/2026/02/05/1 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../nginx/files/CVE-2026-1642.patch | 46 +++++++++++++++++++ .../recipes-httpd/nginx/nginx_1.29.1.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch new file mode 100644 index 0000000000..0f20d1c157 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch @@ -0,0 +1,46 @@ +From 12bb8081dcfdecc38fbff9283f8d8c66dc3d29ae Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <[email protected]> +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: [PATCH] Upstream: detect premature plain text response from SSL + backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. + +CVE: CVE-2026-1642 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index de0f92a..69dda96 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2507,6 +2507,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb index c08c8539c4..0282388817 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb @@ -8,3 +8,4 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593" SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27" +SRC_URI += "file://CVE-2026-1642.patch"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124589): https://lists.openembedded.org/g/openembedded-devel/message/124589 Mute This Topic: https://lists.openembedded.org/mt/117981633/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
