From 167e8b64dd9557406c39b6c0bc142ac0fd3a63dc Mon Sep 17 00:00:00 2001
From: "Theo Gaige (Schneider Electric)"
Date: Wed, 20 May 2026 16:24:35 +0200
Subject: [PATCH] nginx: patch CVE-2026-40701
Backport patch [1] mentioned in [2].
[1] https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1
[2] https://security-tracker.debian.org/tracker/CVE-2026-40701
Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
Signed-off-by: Anuj Mittal
---
 .../nginx/nginx-1.24.0/CVE-2026-40701.patch | 73 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
new file mode 100644
index 0000000000..63bd7bd24e
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
@@ -0,0 +1,73 @@
+From 7abc2a59d5d65bb981be7cababb029d60c995719 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan
+Date: Tue, 21 Apr 2026 14:51:41 +0400
+Subject: [PATCH] OCSP: resolve cleanup on connection close
+
+Previously, when a client SSL connection was terminated (typically due to a
+timeout) while resolving an OCSP responder, the OCSP context was freed, but
+the resolve context was not. This resulted in use-after-free on resolve
+completion.
+
+Reported by Leo Lin.
+
+CVE: CVE-2026-40701
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1]
+Signed-off-by: Theo Gaige (Schneider Electric)
+---
+ src/event/ngx_event_openssl_stapling.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
+index e3fa8c4..2aaf99b 100644
+--- a/src/event/ngx_event_openssl_stapling.c
++++ b/src/event/ngx_event_openssl_stapling.c
+@@ -111,6 +111,7 @@ struct ngx_ssl_ocsp_ctx_s {
+
+ ngx_resolver_t *resolver;
+ ngx_msec_t resolver_timeout;
++ ngx_resolver_ctx_t *resolve;
+
+ ngx_msec_t timeout;
+
+@@ -1303,6 +1304,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
+ "ssl ocsp done");
+
++ if (ctx->resolve) {
++ ngx_resolve_name_done(ctx->resolve);
++ }
++
+ if (ctx->peer.connection) {
+ ngx_close_connection(ctx->peer.connection);
+ }
+@@ -1395,7 +1400,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
+ resolve->data = ctx;
+ resolve->timeout = ctx->resolver_timeout;
+
++ ctx->resolve = resolve;
++
+ if (ngx_resolve_name(resolve) != NGX_OK) {
++ ctx->resolve = NULL;
+ ngx_ssl_ocsp_error(ctx);
+ return;
+ }
+@@ -1484,6 +1492,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
+ }
+
+ ngx_resolve_name_done(resolve);
++ ctx->resolve = NULL;
+
+ ngx_ssl_ocsp_connect(ctx);
+ return;
+@@ -1491,6 +1500,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
+ failed:
+
+ ngx_resolve_name_done(resolve);
++ ctx->resolve = NULL;
++
+ ngx_ssl_ocsp_error(ctx);
+ }
+
+--
+2.43.0
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index b732e92b18..b4bb1ccc67 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -9,6 +9,7 @@ SRC_URI:append = " \
 file://CVE-2026-27654.patch \
 file://CVE-2026-28753.patch \
 file://CVE-2026-32647.patch \
+ file://CVE-2026-40701.patch \
 "
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
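Review bot: `ngx_ssl_ocsp_done()` now tests `ctx->resolve` on every OCSP context, including ones torn down before `ngx_ssl_ocsp_request()` reaches the `ctx->resolve = resolve;` assignment, so the fix is only sound if the new field starts out as NULL. The allocation of `ngx_ssl_ocsp_ctx_t` is not part of this patch; for the 1.24.0 backport it is worth confirming that the context is zero-filled when it is created (presumably via `ngx_pcalloc()`), because otherwise the new check would read an uninitialised pointer and pass it to `ngx_resolve_name_done()`. I would also document the invariant on the struct member, for example `/* pending resolver request, or NULL when no name resolution is in flight */`, since three separate sites now have to keep it in sync. The bodies of `ngx_ssl_ocsp_done()`, `ngx_ssl_ocsp_request()` and `ngx_ssl_ocsp_resolve_handler()` extend beyond the embedded hunks, so the derivation of `ctx` from `resolve` in the handler could not be checked here.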