mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
nginx: patch CVE-2026-40701
Backport patch [1] mentioned in [2]. [1] https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1 [2] https://security-tracker.debian.org/tracker/CVE-2026-40701 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
f1d78e9527
commit
167e8b64dd
@@ -0,0 +1,73 @@
|
|||||||
|
From 7abc2a59d5d65bb981be7cababb029d60c995719 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roman Arutyunyan <arut@nginx.com>
|
||||||
|
Date: Tue, 21 Apr 2026 14:51:41 +0400
|
||||||
|
Subject: [PATCH] OCSP: resolve cleanup on connection close
|
||||||
|
|
||||||
|
Previously, when a client SSL connection was terminated (typically due to a
|
||||||
|
timeout) while resolving an OCSP responder, the OCSP context was freed, but
|
||||||
|
the resolve context was not. This resulted in use-after-free on resolve
|
||||||
|
completion.
|
||||||
|
|
||||||
|
Reported by Leo Lin.
|
||||||
|
|
||||||
|
CVE: CVE-2026-40701
|
||||||
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1]
|
||||||
|
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
|
||||||
|
---
|
||||||
|
src/event/ngx_event_openssl_stapling.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
|
||||||
|
index e3fa8c4..2aaf99b 100644
|
||||||
|
--- a/src/event/ngx_event_openssl_stapling.c
|
||||||
|
+++ b/src/event/ngx_event_openssl_stapling.c
|
||||||
|
@@ -111,6 +111,7 @@ struct ngx_ssl_ocsp_ctx_s {
|
||||||
|
|
||||||
|
ngx_resolver_t *resolver;
|
||||||
|
ngx_msec_t resolver_timeout;
|
||||||
|
+ ngx_resolver_ctx_t *resolve;
|
||||||
|
|
||||||
|
ngx_msec_t timeout;
|
||||||
|
|
||||||
|
@@ -1303,6 +1304,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
|
||||||
|
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
|
||||||
|
"ssl ocsp done");
|
||||||
|
|
||||||
|
+ if (ctx->resolve) {
|
||||||
|
+ ngx_resolve_name_done(ctx->resolve);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (ctx->peer.connection) {
|
||||||
|
ngx_close_connection(ctx->peer.connection);
|
||||||
|
}
|
||||||
|
@@ -1395,7 +1400,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
|
||||||
|
resolve->data = ctx;
|
||||||
|
resolve->timeout = ctx->resolver_timeout;
|
||||||
|
|
||||||
|
+ ctx->resolve = resolve;
|
||||||
|
+
|
||||||
|
if (ngx_resolve_name(resolve) != NGX_OK) {
|
||||||
|
+ ctx->resolve = NULL;
|
||||||
|
ngx_ssl_ocsp_error(ctx);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -1484,6 +1492,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
|
||||||
|
}
|
||||||
|
|
||||||
|
ngx_resolve_name_done(resolve);
|
||||||
|
+ ctx->resolve = NULL;
|
||||||
|
|
||||||
|
ngx_ssl_ocsp_connect(ctx);
|
||||||
|
return;
|
||||||
|
@@ -1491,6 +1500,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
|
||||||
|
failed:
|
||||||
|
|
||||||
|
ngx_resolve_name_done(resolve);
|
||||||
|
+ ctx->resolve = NULL;
|
||||||
|
+
|
||||||
|
ngx_ssl_ocsp_error(ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
@@ -9,6 +9,7 @@ SRC_URI:append = " \
|
|||||||
file://CVE-2026-27654.patch \
|
file://CVE-2026-27654.patch \
|
||||||
file://CVE-2026-28753.patch \
|
file://CVE-2026-28753.patch \
|
||||||
file://CVE-2026-32647.patch \
|
file://CVE-2026-32647.patch \
|
||||||
|
file://CVE-2026-40701.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
||||||
|
|||||||
Reference in New Issue
Block a user