nginx: patch CVE-2026-1642

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-1642 Note: this is only for v1.29.1. v1.28.x recipe contains this fix already. Pick the commit that was identified by the reporter on the oss-sec mailing list[1] [1]: https://www.openwall.com/lists/oss-security/2026/02/05/1 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2026-02-24 20:04:44 +01:00 · 2026-02-24 20:04:44 +01:00 · d811647686
commit d811647686
parent ed8e7c6fb5
2 changed files with 47 additions and 0 deletions
--- a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
@ -0,0 +1,46 @@
+From 12bb8081dcfdecc38fbff9283f8d8c66dc3d29ae Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 29 Jan 2026 13:27:32 +0400
+Subject: [PATCH] Upstream: detect premature plain text response from SSL
+ backend.
+
+When connecting to a backend, the connection write event is triggered
+first in most cases.  However if a response arrives quickly enough, both
+read and write events can be triggered together within the same event loop
+iteration.  In this case the read event handler is called first and the
+write event handler is called after it.
+
+SSL initialization for backend connections happens only in the write event
+handler since SSL handshake starts with sending Client Hello.  Previously,
+if a backend sent a quick plain text response, it could be parsed by the
+read event handler prior to starting SSL handshake on the connection.
+The change adds protection against parsing such responses on SSL-enabled
+connections.
+
+CVE: CVE-2026-1642
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a59f5f099a89dc8eaebd48077292313f9f7e33e3]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/http/ngx_http_upstream.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index de0f92a..69dda96 100644
+--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
+@@ -2507,6 +2507,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+             return;
+         }
+ 
+#if (NGX_HTTP_SSL)
+        if (u->ssl && c->ssl == NULL) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "upstream prematurely sent response");
+            ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+            return;
+        }
+#endif
+
+         u->state->bytes_received += n;
+ 
+         u->buffer.last += n;
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
@ -8,3 +8,4 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593"

 SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27"

+SRC_URI += "file://CVE-2026-1642.patch"