diff --git a/nginx-1.26.3-CVE-2026-1642.patch b/nginx-1.26.3-CVE-2026-1642.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9a258dcdbe7cff230ce62e10664c2031e2b0e20c
--- /dev/null
+++ b/nginx-1.26.3-CVE-2026-1642.patch
@@ -0,0 +1,44 @@
+From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan
+Date: Thu, 29 Jan 2026 13:27:32 +0400
+Subject: [PATCH] Upstream: detect premature plain text response from SSL
+ backend.
+
+When connecting to a backend, the connection write event is triggered
+first in most cases. However if a response arrives quickly enough, both
+read and write events can be triggered together within the same event loop
+iteration. In this case the read event handler is called first and the
+write event handler is called after it.
+
+SSL initialization for backend connections happens only in the write event
+handler since SSL handshake starts with sending Client Hello. Previously,
+if a backend sent a quick plain text response, it could be parsed by the
+read event handler prior to starting SSL handshake on the connection.
+The change adds protection against parsing such responses on SSL-enabled
+connections.
+
+
+---
+ src/http/ngx_http_upstream.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index 2ce9f21..70c3b46 100644
+--- a/src/http/ngx_http_upstream.c
++++ b/src/http/ngx_http_upstream.c
+@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+ return;
+ }
+
++#if (NGX_HTTP_SSL)
++ if (u->ssl && c->ssl == NULL) {
++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
++ "upstream prematurely sent response");
++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
++ return;
++ }
++#endif
++
+ u->state->bytes_received += n;
+
+ u->buffer.last += n;
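Review bot: The new `u->ssl && c->ssl == NULL` guard carries no comment saying why a NULL `c->ssl` on an SSL-enabled upstream means the bytes just received are unencrypted and must not be parsed, so a later cleanup could easily fold it into the `n == 0` / `NGX_ERROR` handling above it; a one-liner such as `/* SSL is set up in the write handler; anything readable before that is a plain text response from the backend (CVE-2026-1642) */` would pin the invariant. Note that the check runs only after the `c->recv()` call earlier in `ngx_http_upstream_process_header` (outside the hunk) has already copied the backend's bytes into `u->buffer`; this is detection after the read rather than suppression of it, which appears acceptable because `u->buffer.last` is never advanced and `ngx_http_upstream_next()` is presumably expected to abandon the connection, but that reliance is worth stating in the comment. The log text `"upstream prematurely sent response"` does not mention SSL; `"upstream sent plain text response before SSL handshake"` would make the condition recognisable in error logs. The enclosing function starts and ends outside the hunk, and `c` is assigned there.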
diff --git a/nginx.spec b/nginx.spec index 33d7896b3fe9b5b0c909359b6e3bd67565d3c36f..52c0a3e64f7b7fe900d08f53dfae2b3804199d58 100644 --- a/nginx.spec +++ b/nginx.spec @@ -27,7 +27,7 @@ Name: nginx Version: 1.26.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A high performance web server and reverse proxy server License: BSD URL: https://nginx.org @@ -52,6 +52,8 @@ Source210: UPGRADE-NOTES-1.6-to-1.10 Source300: https://github.com/arut/nginx-dav-ext-module/archive/v%{dav_ext_version}/nginx-dav-ext-module-%{dav_ext_version}.tar.gz Source301: https://github.com/openresty/headers-more-nginx-module/archive/v%{headers_more_version}/headers-more-nginx-module-%{headers_more_version}.tar.gz +Patch0001: nginx-1.26.3-CVE-2026-1642.patch + BuildRequires: make, gcc BuildRequires: openssl-devel, pcre2-devel, zlib-devel, systemd %if 0%{?with_gperftools} @@ -536,6 +538,10 @@ fi %changelog +* Tue Apr 14 2026 PkgAgent Robot - 1.26.3-3 +- [Type] security +- [DESC] Fix CVE-2026-1642 vulnerability - detect premature plain text response from SSL backend + * Mon Mar 09 2026 zidonghuang - 1.26.3-2 - [Type] enhancement - [DESC] add nginx-dav-ext-module and headers-more-nginx-module for full WebDAV support
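Review bot: The `Patch0001: nginx-1.26.3-CVE-2026-1642.patch` line only declares the patch; whether it is applied depends on the `%prep` section, which is outside this diff. Unless `%prep` uses `%autosetup -p1` or an explicit `%patch0001 -p1` (or `%patch -P 1 -p1`), release 1.26.3-3 would carry the CVE-2026-1642 changelog entry while still building unpatched sources, so please confirm `%prep` and that the patch applies at strip level 1 (its paths are `a/src/http/...`). The surrounding `%if 0%{?with_gperftools}` block and the `%prep` section continue outside the hunk.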