mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
nginx: patch CVE-2026-1642
Pick patch accorting to [1]. [1] https://security-tracker.debian.org/tracker/CVE-2026-1642 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Peter Marko
committed by
Gyorgy Sarvari
Gyorgy Sarvari
parent
3e3bd7acfc
commit
3c1286f8b3
@@ -0,0 +1,46 @@
|
||||
From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001
|
||||
From: Roman Arutyunyan <arut@nginx.com>
|
||||
Date: Thu, 29 Jan 2026 13:27:32 +0400
|
||||
Subject: [PATCH] Upstream: detect premature plain text response from SSL
|
||||
backend.
|
||||
|
||||
When connecting to a backend, the connection write event is triggered
|
||||
first in most cases. However if a response arrives quickly enough, both
|
||||
read and write events can be triggered together within the same event loop
|
||||
iteration. In this case the read event handler is called first and the
|
||||
write event handler is called after it.
|
||||
|
||||
SSL initialization for backend connections happens only in the write event
|
||||
handler since SSL handshake starts with sending Client Hello. Previously,
|
||||
if a backend sent a quick plain text response, it could be parsed by the
|
||||
read event handler prior to starting SSL handshake on the connection.
|
||||
The change adds protection against parsing such responses on SSL-enabled
|
||||
connections.
|
||||
|
||||
CVE: CVE-2026-1642
|
||||
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e]
|
||||
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||
---
|
||||
src/http/ngx_http_upstream.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
|
||||
index df577ad67..cadc74479 100644
|
||||
--- a/src/http/ngx_http_upstream.c
|
||||
+++ b/src/http/ngx_http_upstream.c
|
||||
@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
|
||||
return;
|
||||
}
|
||||
|
||||
+#if (NGX_HTTP_SSL)
|
||||
+ if (u->ssl && c->ssl == NULL) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
||||
+ "upstream prematurely sent response");
|
||||
+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
|
||||
+ return;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
u->state->bytes_received += n;
|
||||
|
||||
u->buffer.last += n;
|
||||
@@ -3,6 +3,7 @@ require nginx.inc
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
|
||||
|
||||
SRC_URI:append = " file://CVE-2025-23419.patch"
|
||||
SRC_URI:append = " file://CVE-2026-1642.patch"
|
||||
|
||||
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user