mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-14 05:49:57 +00:00
nginx: patch CVE-2026-1642
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-1642 Pick the commit that was identified by the reporter on the oss-sec mailing list[1] [1]: https://www.openwall.com/lists/oss-security/2026/02/05/1 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
committed by
Anuj Mittal
Anuj Mittal
parent
8c9f62ea1b
commit
83e564a365
@@ -0,0 +1,46 @@
|
|||||||
|
From 12a0f6a27e77b09807c93d9e4f8605c0dc37e21f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roman Arutyunyan <arut@nginx.com>
|
||||||
|
Date: Thu, 29 Jan 2026 13:27:32 +0400
|
||||||
|
Subject: [PATCH] Upstream: detect premature plain text response from SSL
|
||||||
|
backend.
|
||||||
|
|
||||||
|
When connecting to a backend, the connection write event is triggered
|
||||||
|
first in most cases. However if a response arrives quickly enough, both
|
||||||
|
read and write events can be triggered together within the same event loop
|
||||||
|
iteration. In this case the read event handler is called first and the
|
||||||
|
write event handler is called after it.
|
||||||
|
|
||||||
|
SSL initialization for backend connections happens only in the write event
|
||||||
|
handler since SSL handshake starts with sending Client Hello. Previously,
|
||||||
|
if a backend sent a quick plain text response, it could be parsed by the
|
||||||
|
read event handler prior to starting SSL handshake on the connection.
|
||||||
|
The change adds protection against parsing such responses on SSL-enabled
|
||||||
|
connections.
|
||||||
|
|
||||||
|
CVE: CVE-2026-1642
|
||||||
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
src/http/ngx_http_upstream.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
|
||||||
|
index 3ae822b..6c310d8 100644
|
||||||
|
--- a/src/http/ngx_http_upstream.c
|
||||||
|
+++ b/src/http/ngx_http_upstream.c
|
||||||
|
@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if (NGX_HTTP_SSL)
|
||||||
|
+ if (u->ssl && c->ssl == NULL) {
|
||||||
|
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
||||||
|
+ "upstream prematurely sent response");
|
||||||
|
+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
u->state->bytes_received += n;
|
||||||
|
|
||||||
|
u->buffer.last += n;
|
||||||
@@ -27,6 +27,7 @@ SRC_URI = " \
|
|||||||
file://CVE-2024-7347-2.patch \
|
file://CVE-2024-7347-2.patch \
|
||||||
file://CVE-2025-53859.patch \
|
file://CVE-2025-53859.patch \
|
||||||
file://CVE-2025-23419.patch \
|
file://CVE-2025-23419.patch \
|
||||||
|
file://CVE-2026-1642.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
inherit siteinfo update-rc.d useradd systemd
|
inherit siteinfo update-rc.d useradd systemd
|
||||||
|
|||||||
Reference in New Issue
Block a user