[meta-webserver,scarthgap,7/8] nginx: fix CVE-2026-28753

Message ID	20260409112208.1119823-7-ankur.tyagi85@gmail.com
State	New
Headers	show Return-Path: <ankur.tyagi85@gmail.com> ip: 209.85.215.173, mailfrom: ankur.tyagi85@gmail.com) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi <ankur.tyagi85@gmail.com> Subject: [oe][meta-webserver][scarthgap][PATCH 7/8] nginx: fix CVE-2026-28753 Date: Thu, 9 Apr 2026 23:22:07 +1200 Message-ID: <20260409112208.1119823-7-ankur.tyagi85@gmail.com> In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com> References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,scarthgap,1/8] libvncserver: fix CVE-2026-32853 \| expand [meta-oe,scarthgap,1/8] libvncserver: fix CVE-2026-32853 [meta-oe,scarthgap,2/8] libvncserver: fix CVE-2026-32854 [meta-networking,scarthgap,3/8] mbedtls: upgrade 3.6.5 -> 3.6.6 [meta-oe,scarthgap,4/8] nodejs: upgrade 20.20.0 -> 20.20.2 [meta-webserver,scarthgap,5/8] nginx: fix CVE-2026-27651 [meta-webserver,scarthgap,6/8] nginx: fix CVE-2026-27654 [meta-webserver,scarthgap,7/8] nginx: fix CVE-2026-28753 [meta-webserver,scarthgap,8/8] nginx: fix CVE-2026-32647

Message ID

20260409112208.1119823-7-ankur.tyagi85@gmail.com

State

New

Headers

From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-webserver][scarthgap][PATCH 7/8] nginx: fix CVE-2026-28753
Date: Thu,  9 Apr 2026 23:22:07 +1200
Message-ID: <20260409112208.1119823-7-ankur.tyagi85@gmail.com>
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,scarthgap,1/8] libvncserver: fix CVE-2026-32853 | expand

Commit Message

Ankur Tyagi April 9, 2026, 11:22 a.m. UTC

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160367
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753
[3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-28753.patch   | 93 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
new file mode 100644
index 0000000000..de27ffad2a
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
@@ -0,0 +1,93 @@ 
+From 7e705808a8568a091a8ecf418ed9f77914304fcc Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 26 Feb 2026 11:52:53 +0400
+Subject: [PATCH] Mail: host validation.
+
+Now host name resolved from client address is validated to only contain
+the characters specified in RFC 1034, Section 3.5.  The validation allows
+to avoid injections when using the resolved host name in auth_http and
+smtp proxy.
+
+Reported by Asim Viladi Oglu Manizada, Colin Warren,
+Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
+Bird Liu (Lanzhou University).
+
+(cherry picked from commit 6a8513761fb327f67fcc6cfcf1ad216887e2589f)
+
+CVE: CVE-2026-28753
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
+index e68ceedfd..e477741c8 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
++++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -13,6 +13,7 @@
+ 
+ 
+ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
++static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
+ static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
+ static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+ static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
+@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+         return;
+     }
+ 
++    if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
++        ngx_log_error(NGX_LOG_ERR, c->log, 0,
++                      "%V resolved to invalid host name \"%V\"",
++                      &c->addr_text, &ctx->name);
++
++        s->host = smtp_tempunavail;
++
++        ngx_resolve_addr_done(ctx);
++
++        ngx_mail_smtp_greeting(s, s->connection);
++
++        return;
++    }
++
+     c->log->action = "in resolving client hostname";
+ 
+     s->host.data = ngx_pstrdup(c->pool, &ctx->name);
+@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ }
+ 
+ 
++static ngx_int_t
++ngx_mail_smtp_validate_host(ngx_str_t *name)
++{
++    u_char      ch;
++    ngx_uint_t  i;
++
++    if (name->len == 0) {
++        return NGX_DECLINED;
++    }
++
++    for (i = 0; i < name->len; i++) {
++        ch = name->data[i];
++
++        /* allow only characters from RFC 1034, Section 3.5 */
++
++        if ((ch >= 'a' && ch <= 'z')
++            || (ch >= 'A' && ch <= 'Z')
++            || (ch >= '0' && ch <= '9')
++            || ch == '-' || ch == '.')
++        {
++            continue;
++        }
++
++        return NGX_DECLINED;
++    }
++
++    return NGX_OK;
++}
++
++
+ static void
+ ngx_mail_smtp_resolve_name(ngx_event_t *rev)
+ {
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index b1f4f8d009..80cd5e1609 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -5,6 +5,7 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
 SRC_URI:append = " file://CVE-2023-44487.patch \
                    file://CVE-2026-27651.patch \
                    file://CVE-2026-27654.patch \
+                   file://CVE-2026-28753.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

[meta-webserver,scarthgap,7/8] nginx: fix CVE-2026-28753

Commit Message

Patch