nginx: patch CVE-2026-42946

Backport patches [1] and [2] mentioned in [3].

[1] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e

[2] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd

[3] https://security-tracker.debian.org/tracker/CVE-2026-42946

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch

@@ -0,0 +1,46 @@
+From 7b45e652cc7e91fbc60cbb5f41eb4608e706bc03 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed, 29 Apr 2026 21:56:51 +0400
+Subject: [PATCH 1/2] Upstream: reset parsing state after invalid status line
+
+Previously, it was possible to start parsing headers with a wrong
+parsing state after status line was not recognized, as a fallback
+used in the scgi and uwsgi modules.
+
+Reported by Leo Lin.
+
+CVE: CVE-2026-42946
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/http/modules/ngx_http_scgi_module.c  | 1 +
+ src/http/modules/ngx_http_uwsgi_module.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
+index 9fc18dc..3259820 100644
+--- a/src/http/modules/ngx_http_scgi_module.c
++++ b/src/http/modules/ngx_http_scgi_module.c
+@@ -1029,6 +1029,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
+ 
+     if (rc == NGX_ERROR) {
+         u->process_header = ngx_http_scgi_process_header;
++        r->state = 0;
+         return ngx_http_scgi_process_header(r);
+     }
+ 
+diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
+index e4f721b..93bcad7 100644
+--- a/src/http/modules/ngx_http_uwsgi_module.c
++++ b/src/http/modules/ngx_http_uwsgi_module.c
+@@ -1257,6 +1257,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
+ 
+     if (rc == NGX_ERROR) {
+         u->process_header = ngx_http_uwsgi_process_header;
++        r->state = 0;
+         return ngx_http_uwsgi_process_header(r);
+     }
+ 
+-- 
+2.43.0
+

meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch

@@ -0,0 +1,91 @@
+From 7b5bea14a2a7a784751a8f86559bd3c3f109ed5b Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed, 29 Apr 2026 23:02:20 +0400
+Subject: [PATCH 2/2] Upstream: fixed parsing of split status lines
+
+If the first response line was split across reads and it didn't appear
+a status line, the portion already processed was lost.  To preserve ABI,
+the change reuses r->header_name_start for proper backtracking on status
+line fallback.
+
+CVE: CVE-2026-42946
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/http/modules/ngx_http_proxy_module.c | 5 +++++
+ src/http/modules/ngx_http_scgi_module.c  | 5 +++++
+ src/http/modules/ngx_http_uwsgi_module.c | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
+index 9cc202c..19cbfa3 100644
+--- a/src/http/modules/ngx_http_proxy_module.c
++++ b/src/http/modules/ngx_http_proxy_module.c
+@@ -1814,6 +1814,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
+ 
+     u = r->upstream;
+ 
++    if (r->state == 0) {
++        r->header_name_start = u->buffer.pos;
++    }
++
+     rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status);
+ 
+     if (rc == NGX_AGAIN) {
+@@ -1821,6 +1825,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
+     }
+ 
+     if (rc == NGX_ERROR) {
++        u->buffer.pos = r->header_name_start;
+ 
+ #if (NGX_HTTP_CACHE)
+ 
+diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
+index 3259820..a04fd47 100644
+--- a/src/http/modules/ngx_http_scgi_module.c
++++ b/src/http/modules/ngx_http_scgi_module.c
+@@ -1021,6 +1021,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
+ 
+     u = r->upstream;
+ 
++    if (r->state == 0) {
++        r->header_name_start = u->buffer.pos;
++    }
++
+     rc = ngx_http_parse_status_line(r, &u->buffer, status);
+ 
+     if (rc == NGX_AGAIN) {
+@@ -1029,6 +1033,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
+ 
+     if (rc == NGX_ERROR) {
+         u->process_header = ngx_http_scgi_process_header;
++        u->buffer.pos = r->header_name_start;
+         r->state = 0;
+         return ngx_http_scgi_process_header(r);
+     }
+diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
+index 93bcad7..749254f 100644
+--- a/src/http/modules/ngx_http_uwsgi_module.c
++++ b/src/http/modules/ngx_http_uwsgi_module.c
+@@ -1249,6 +1249,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
+ 
+     u = r->upstream;
+ 
++    if (r->state == 0) {
++        r->header_name_start = u->buffer.pos;
++    }
++
+     rc = ngx_http_parse_status_line(r, &u->buffer, status);
+ 
+     if (rc == NGX_AGAIN) {
+@@ -1257,6 +1261,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
+ 
+     if (rc == NGX_ERROR) {
+         u->process_header = ngx_http_uwsgi_process_header;
++        u->buffer.pos = r->header_name_start;
+         r->state = 0;
+         return ngx_http_uwsgi_process_header(r);
+     }
+-- 
+2.43.0
+

meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb

@@ -12,6 +12,8 @@ SRC_URI:append = " \
                   file://CVE-2026-40701.patch \
                   file://CVE-2026-42934.patch \
                   file://CVE-2026-42945.patch \
+                  file://CVE-2026-42946-01.patch \
+                  file://CVE-2026-42946-02.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"