From patchwork Thu Apr  9 11:22:01 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85671
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1D7CBEA3C51
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:22 +0000 (UTC)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com
 [209.85.210.169])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.129545.1775733740235674651
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:20 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=HN7AquxG;
 spf=pass (domain: gmail.com, ip: 209.85.210.169,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pf1-f169.google.com with SMTP id
 d2e1a72fcca58-82cef263bedso399952b3a.0
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733739; x=1776338539;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=LA1xSsPqJxTngjXxTb6dN+SCY62J7aQYxoayaL47oWg=;
        b=HN7AquxGMLE03jlvTAP5DTEqaNe9qnpREZek1ZiI47Hs1QWT9wZoZDqaUQLyij3FmO
         STGZWnYMYmpIrP4ZbgkUpxSDBDbk9ij8XdSITEna5TxUlF/aAegd3nstsGK/vAaxeDci
         Ijdl+9t841lnQxXt7kDcv+iDB0IJmEu+ZwMPCGndPU48ch1ogRT2SaGgAkZ5bbsNFnoX
         gC9BW/6Z9btC0/SK8+XMHaPhy2TSnvIrbM4Yv4ulFWNoeUsjXzXQtq5/zwm52S8lbrJ/
         I7ZxHjMnN6EEAsyQaOpyDtzxyQ9iF/81ONXZiXcc7qzVI9wVgNvDnZadggy8ao0H6062
         Glzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733739; x=1776338539;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=LA1xSsPqJxTngjXxTb6dN+SCY62J7aQYxoayaL47oWg=;
        b=XzZ6VQfwlDCY7yGMEOYdXo76I0x6iiUwW0wHPTSInxw8U+Eqy6uAygcyREki4Zxm5V
         gD93HLlaAUpf2mDiwweKmB/54wlWLuUMlVzpghzlYdzl8j981aw9Qz0ZEKM/8xE/lsuC
         S+frFkyDUlML/d5fOeszdB8MwyihkKU7UF0px4OoSczIAeNNxFduoApVK2EFY/yu8Mwo
         V0BTcQrXSxtf0iACk9EKWbFqlTvXqJp/eMhZDgk1fdmJw6NilQ3gAXdkJxYpKZ/Hp5bA
         FAizgUh4OgSehnImjdJtJwdMjYIhgkoQnYiV+eRtcqxiIOWEY5+7RYAy2z90zyBYP2c0
         1AfA==
X-Gm-Message-State: AOJu0YyNFmqtJnZ91mvD0dgU1ox8GqkF6xKkEl8BYYqB+FENdspwvH0C
	8V2XuEFgWnuimktoHqwSi/nFtIe6HFn5VrGjEWQnYx3cTiX8v1qo23duA8wf8+U8
X-Gm-Gg: AeBDievruVXt8+MSaKJoXzTqpFhaYDsHUkrOn3nVPF9YotBn9Il06dAlWa34OV//LJe
	3uDOsC4tqkzsjUul9EMiXSpIomZXxsHtosQhMQmFcblavFYQBT/O6AWnlm25ZA4JZef5OIfsj69
	IwRyoc6kjdnXLuZDTOR6DmW7Kv/jq8LCFpovlTtaAZ7gamijQovENPJLRAb5azZYkNFSQkNm99S
	Xo2do9DLI5uHGGE1/VdYdUBsy0dWUzMws8AicTvgugpMqHRFP/vW5EeZNri2HMmfDI9aXwcdmfx
	KWgdpAtW3EI/3funsf7+T2wuEU5IK6o2kEUnrPVYy/1cLKD+23l/crrYaJkgXsZc1rCfh3FFmtk
	cGKSzoh0km5Te2Wkn2QSSADsiPqD/TGKZ52nn08YzwstkQhFMIvMxb6s1dfC0ic9zGJR3MyCG2E
	vNDXJJ8UaUpEsDGF84QhtrnyWIlWuQp8kA42I=
X-Received: by 2002:a05:6a00:1785:b0:82a:79d7:cf6 with SMTP id
 d2e1a72fcca58-82dd8944863mr3244578b3a.2.1775733739324;
        Thu, 09 Apr 2026 04:22:19 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.16
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:18 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-oe][scarthgap][PATCH 1/8] libvncserver: fix CVE-2026-32853
Date: Thu,  9 Apr 2026 23:22:01 +1200
Message-ID: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:22 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126188

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32853

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libvncserver/CVE-2026-32853.patch         | 76 +++++++++++++++++++
 .../libvncserver/libvncserver_0.9.14.bb       |  4 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch

diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
new file mode 100644
index 0000000000..be426932db
--- /dev/null
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32853.patch
@@ -0,0 +1,76 @@
+From 24cac3821d1665a4ed0501e6056925ef9ee53b99 Mon Sep 17 00:00:00 2001
+From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
+Date: Sun, 22 Mar 2026 20:35:49 +0100
+Subject: [PATCH] libvncclient: add bounds checks to UltraZip subrectangle
+ parsing
+
+HandleUltraZipBPP() iterates over sub-rectangles using numCacheRects
+(derived from the attacker-controlled rect.r.x) without validating
+that the pointer stays within the decompressed data buffer. A malicious
+server can set a large numCacheRects value, causing heap out-of-bounds
+reads via the memcpy calls in the parsing loop.
+
+Add bounds checks before reading the 12-byte subrect header and before
+advancing the pointer by the raw pixel data size. Use uint64_t for the
+raw data size calculation to prevent integer overflow on 32-bit platforms.
+
+(cherry picked from commit 009008e2f4d5a54dd71f422070df3af7b3dbc931)
+
+CVE: CVE-2026-32853
+Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libvncclient/ultra.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/libvncclient/ultra.c b/libvncclient/ultra.c
+index 1d3aaba6..5633b8cb 100644
+--- a/libvncclient/ultra.c
++++ b/libvncclient/ultra.c
+@@ -126,6 +126,7 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+   int toRead=0;
+   int inflateResult=0;
+   unsigned char *ptr=NULL;
++  unsigned char *ptr_end=NULL;
+   lzo_uint uncompressedBytes = ry + (rw * 65535);
+   unsigned int numCacheRects = rx;
+ 
+@@ -194,11 +195,18 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+   
+   /* Put the uncompressed contents of the update on the screen. */
+   ptr = (unsigned char *)client->raw_buffer;
++  ptr_end = ptr + uncompressedBytes;
+   for (i=0; i<numCacheRects; i++)
+   {
+     unsigned short sx, sy, sw, sh;
+     unsigned int se;
+ 
++    /* subrect header: sx(2) + sy(2) + sw(2) + sh(2) + se(4) = 12 bytes */
++    if (ptr + 12 > ptr_end) {
++      rfbClientLog("UltraZip: subrect %d header exceeds decompressed data bounds\n", i);
++      return FALSE;
++    }
++
+     memcpy((char *)&sx, ptr, 2); ptr += 2;
+     memcpy((char *)&sy, ptr, 2); ptr += 2;
+     memcpy((char *)&sw, ptr, 2); ptr += 2;
+@@ -213,8 +221,13 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ 
+     if (se == rfbEncodingRaw)
+     {
++        uint64_t rawBytes = (uint64_t)sw * sh * (BPP / 8);
++        if (rawBytes > (size_t)(ptr_end - ptr)) {
++          rfbClientLog("UltraZip: subrect %d raw data exceeds decompressed data bounds\n", i);
++          return FALSE;
++        }
+         client->GotBitmap(client, (unsigned char *)ptr, sx, sy, sw, sh);
+-        ptr += ((sw * sh) * (BPP / 8));
++        ptr += (size_t)rawBytes;
+     }
+   }  
+ 
+@@ -222,3 +235,4 @@ HandleUltraZipBPP (rfbClient* client, int rx, int ry, int rw, int rh)
+ }
+ 
+ #undef CARDBPP
++
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
index 6f271ee0d3..11efd7cc0f 100644
--- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
@@ -44,7 +44,9 @@ FILES:libvncclient = "${libdir}/libvncclient.*"
 
 inherit cmake pkgconfig
 
-SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https"
+SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \
+           file://CVE-2026-32853.patch \
+"
 SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"
 
 S = "${WORKDIR}/git"

From patchwork Thu Apr  9 11:22:02 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85678
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 4039BEA3C5C
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:42 +0000 (UTC)
Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com
 [209.85.210.179])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.129830.1775733742976265804
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:23 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=pt3hvof3;
 spf=pass (domain: gmail.com, ip: 209.85.210.179,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pf1-f179.google.com with SMTP id
 d2e1a72fcca58-824c9da9928so922774b3a.3
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733742; x=1776338542;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=JV2oBXKgpg38zvLwL8wMTrLbvylol7tMVqZKACZUdLU=;
        b=pt3hvof3ao9mJ9WnjSQbWhufM95xXZm0prUq66XmmdIFpHlNKLotY10tOs968L8/FZ
         ISrmVd2fdNzyudTCLf0ix4hhET8bgru2zZToHdffSCsau8ciSa8Xty7KZisiTt6zsYw/
         DEh/zxdxEkRWadkUOwHc4r+EjsY8bkbaw6tq3EgGDqEMopAHpdpwWBRYbYIsPOTAZM8S
         k5BocTV2y2X5nn2xF17lgqLVQNHt5r+8RubK4tZB0OUDuYhWvdfIev0yC/UE+1mjJBPA
         z3bCrY8rC2PeOCCzN4QsxlQyD575JTIyoGOnEd4AVXK/YMrpfZDbGdvVFyql0S3HBh+T
         STiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733742; x=1776338542;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=JV2oBXKgpg38zvLwL8wMTrLbvylol7tMVqZKACZUdLU=;
        b=Uc0IzJmBDMi3RkZUMMERHxDQkJcMkq/9jRk/19Jsh6JNBOE2yDnXfDs6H5TsTZkKdE
         h0xnGzeACRK6QGASjSktgG5TCaCEzPjgDglVirUGiuRN5cMW2BvsvbJam7DkLwOMF3AM
         aHzz8LQuRrikF/2muR+m0MMZ61QsMbZZ60r5GNnK9MGdRSSqklRHz3TvBe2kypKpOQ3S
         cE42FAsK4bnxTJjDAhHJcyO84jVvqjNSagXsuoufMmjX08n5uNwHTqc02uZFQpce3CXe
         hDGAeYBG3qtfSLSzLTqhiyxnLa0gTxX2rK/kOzGcnZZaHWFVxPa1r2Po+u6XYi/BNVe8
         JO3g==
X-Gm-Message-State: AOJu0Yw+Gz4IN/B32v0/JupKdA0TTGRMcCCgisOh/mi2Q+XxhO0iqDve
	YEuqlyp205c3Y1F8E5kiSEOPPlN709PZEAB21JpGGym4YN9m85Fpgj5R/uoHWHmN
X-Gm-Gg: AeBDieup5ouPFfduunDM+Y/7kYhU3BzRsIO0P5rJsEjm76IMjJffHUXxfbspK3PwSiH
	L8Kat7dM0E1OCeNOvQic/g+7xc2eZRDheluerYUiwK6C/jPrNbaazrG30N/Cpx+P/D6EIQGAoud
	5Hixj9w+E9y6AYL7TuI/bseceVdQhF6HugjCzrTr1Tn0Qv5R1MqUru7b61mGDhZg0pdHZG6X/BC
	OMpMUTxeXHYgMM2heAr3xsXGBi6F7dSZSvQRd7j9yRoq9wU4DU6Y2NhhgiNey5LNc4ytLmb0w2X
	6JAfI1Mmn7A9VcWxnzrN5VG+BHsHJMjJBzZokIl6okTb8+l/UzFVIwVi9Qc93j/BGq5vIYLp4ED
	dLAGTz0tDeBFDjemxXDoY7YK45ait4qeBKqtLrTSVh6lF5rntyk/SV0bErywdFpXQyczCZIi5Xh
	fgpr4H4pYlmbEq0IW26tBeEFqwhROSqODRPCo=
X-Received: by 2002:a05:6a00:4fc1:b0:81f:3afe:281e with SMTP id
 d2e1a72fcca58-82d0da3336amr25722143b3a.3.1775733741969;
        Thu, 09 Apr 2026 04:22:21 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:21 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-oe][scarthgap][PATCH 2/8] libvncserver: fix CVE-2026-32854
Date: Thu,  9 Apr 2026 23:22:02 +1200
Message-ID: <20260409112208.1119823-2-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126189

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32854

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libvncserver/CVE-2026-32854.patch         | 66 +++++++++++++++++++
 .../libvncserver/libvncserver_0.9.14.bb       |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch

diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch
new file mode 100644
index 0000000000..a89026951b
--- /dev/null
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver/CVE-2026-32854.patch
@@ -0,0 +1,66 @@
+From df092d3a89460be3b14a2a07859493a7afafcd1d Mon Sep 17 00:00:00 2001
+From: Kazuma Matsumoto <269371721+y637F9QQ2x@users.noreply.github.com>
+Date: Thu, 19 Mar 2026 17:42:00 +0900
+Subject: [PATCH] libvncserver: fix NULL pointer dereferences in httpd proxy
+ handlers
+
+httpProcessInput() passes the return value of strchr() to atoi()
+and strncmp() without checking for NULL. If a CONNECT request
+contains no colon, or a GET request contains no slash, strchr()
+returns NULL, leading to a segmentation fault.
+
+Add NULL checks before using the strchr() return values.
+
+(cherry picked from commit dc78dee51a7e270e537a541a17befdf2073f5314)
+
+CVE: CVE-2026-32854
+Upstream-Status: Backport [https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libvncserver/httpd.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
+index 96a6eb2b..c066de47 100644
+--- a/libvncserver/httpd.c
++++ b/libvncserver/httpd.c
+@@ -331,10 +331,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ 
+ 
+     /* Process the request. */
+-    if(rfbScreen->httpEnableProxyConnect) {
++if(rfbScreen->httpEnableProxyConnect) {
+ 	const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
+ 	if(!strncmp(buf, "CONNECT ", 8)) {
+-	    if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
++	    char *colon = strchr(buf, ':');
++	    if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
+ 		rfbErr("httpd: CONNECT format invalid.\n");
+ 		rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
+ 		httpCloseSock(rfbScreen);
+@@ -347,14 +348,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
+ 	    rfbScreen->httpSock = RFB_INVALID_SOCKET;
+ 	    return;
+ 	}
+-	if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
+-	    /* proxy connection */
+-	    rfbLog("httpd: client asked for /proxied.connection\n");
+-	    rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+-	    rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+-	    rfbScreen->httpSock = RFB_INVALID_SOCKET;
+-	    return;
+-	}	   
++	if (!strncmp(buf, "GET ",4)) {
++	    char *slash = strchr(buf, '/');
++	    if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
++		/* proxy connection */
++		rfbLog("httpd: client asked for /proxied.connection\n");
++		rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
++		rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
++		rfbScreen->httpSock = RFB_INVALID_SOCKET;
++		return;
++	    }
++	}
+     }
+ 
+     if (strncmp(buf, "GET ", 4)) {
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
index 11efd7cc0f..6ef10b5037 100644
--- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
+++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb
@@ -46,6 +46,7 @@ inherit cmake pkgconfig
 
 SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https \
            file://CVE-2026-32853.patch \
+           file://CVE-2026-32854.patch \
 "
 SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028"
 

From patchwork Thu Apr  9 11:22:03 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85672
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 09257EA3C54
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:32 +0000 (UTC)
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com
 [209.85.210.181])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.129547.1775733746134323902
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:26 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=E+SPl5p9;
 spf=pass (domain: gmail.com, ip: 209.85.210.181,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pf1-f181.google.com with SMTP id
 d2e1a72fcca58-82a655cfab5so802259b3a.1
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733745; x=1776338545;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=AJLxd5Yw7ky7PfUu/npff9FZXXRiKlVh9H3xFWyw04o=;
        b=E+SPl5p9CZkyzFlAZ+oLB2dBSladxmFkfUMRgw5NiyClhj4IclzBD6fTlborR/rDFl
         ktOXdmuWM1ZssuA8kRdDsWup8sMtsjGI/wtCiP3wZwIF1Rwy3K+pCd3mhLp96mIAMiZc
         DntqRcMDiLlp8HtjkxStDKaTX5vZ91KRphERLDjkDkfTLhVd0sE4OaLRG882ycc2s0+V
         75ax0m2F4zyotcKOloCBjW/xqkQDMZQQlW2cF9/4SyQUXKbXldFmlQqau3EpbNWOyQNo
         6HKTX3D2e1cfXpC3qwny6z1vkN8XsjklhDmsOcWb/Wh8JYM13j1cfYrwQ2cRlQDYeH3e
         5MIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733745; x=1776338545;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=AJLxd5Yw7ky7PfUu/npff9FZXXRiKlVh9H3xFWyw04o=;
        b=hZonp1pOqAZCy+hvtu1HtSj4hWK/RZlp6yH/huVTGQuiDxgYUEziZtJV/sIZeqttwX
         IZBnGzvs/Chj/nDFWHosmqvpOozJ4w9me0R8LC3aV2yTwHprpzE5RgEroBAlMF3USsoC
         zOc5JyZu0i9aeOMwxChnr5Hl548jik8yLXpvkbg07ypCgup/0Kpxy0tIkiB1WMgKBCo2
         TRdw9jrN1dmWSe5cBLRckBd14sseSx4mS64GR7I3mg5HYUQqolc4JinCcad8ef+UKxC9
         uau8Q788Mz6kBB1HpaWfNDfIBnFft4hjP7fsxk8CtIHJBMQW6fwCT7hwefbKt3fqA+sm
         AtsA==
X-Gm-Message-State: AOJu0YxOUAxpWg64xuBS4uDiQOMvPepc1vbDokuimIDwwMWgp2PIzCy2
	mrdAh2kdiI3tf8JtnyFHSN1tv5NXw7lb1BMQLuJakW+RFYwo1Q8gjcsEe1TLVBb1
X-Gm-Gg: AeBDievIHGE/h4OigU5YXitbE/v7mB14JNYj8K7SjHZqzEktVI59XDrhXn2/Wti/sYW
	NikDCQvkQ0mSpEm/PNA8oVIMKP2R8up9dNvhWj4wLxlacZCXutyEQ+i2SbIcRlyGRYszwNTbn16
	4miyCM0YxihKh60TZ+CDCdhIZCsi97e1kjKhGi4fgHi1HdJZXxSXtf+2EhAnq7ZmLd42VK1k9Zo
	i0eOnsrHM4HKizPvGyxZSoT7b2vK6l8Zb9gwrMHJwl9BP2oVGu42KRtKjo83vvqAwqzWdtf3+Su
	JoN9D0lXUYosQu2DxqooixlgALcNjUj7ysBpQOhG3ih+my8uvCxSe7pmq4Sxs1oxqk3oc1y0/TD
	ecI8neE6zmFb83flz5i5qSCMH2NC48p0YqmFOyg7VJwXrywdcsR+NFyZ+19wDvyjNEnQYwgpeMi
	dkntNXAbrDI7YytvE6HkKJpB/ul7a6qmQEGYk=
X-Received: by 2002:a05:6a00:aa09:b0:82c:b808:4c59 with SMTP id
 d2e1a72fcca58-82dd8b0e0e3mr3321547b3a.46.1775733745326;
        Thu, 09 Apr 2026 04:22:25 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:24 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Gyorgy Sarvari <skandigraun@gmail.com>,
	Khem Raj <khem.raj@oss.qualcomm.com>,
	Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-networking][scarthgap][PATCH 3/8] mbedtls: upgrade 3.6.5 ->
 3.6.6
Date: Thu,  9 Apr 2026 23:22:03 +1200
Message-ID: <20260409112208.1119823-3-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:32 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126190

From: Gyorgy Sarvari <skandigraun@gmail.com>

Contains fixes for CVE-2026-25833, CVE-2026-25834, CVE-2026-25835,
CVE-2026-34872, CVE-2026-34873, CVE-2026-34874 and CVE-2026-34875.

Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Ptests passed:

root@qemux86:~# ptest-runner mbedtls
START: ptest-runner
2026-04-09T10:41
BEGIN: /usr/lib/mbedtls/ptest
...
...
DURATION: 508
END: /usr/lib/mbedtls/ptest
2026-04-09T10:49
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit fe1b038cd814102b317c6896f265019909a67de8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../mbedtls/{mbedtls_3.6.5.bb => mbedtls_3.6.6.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_3.6.5.bb => mbedtls_3.6.6.bb} (98%)

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.5.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb
similarity index 98%
rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.5.bb
rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb
index eec39ac85e..cedbc90ccf 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.5.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb
@@ -27,7 +27,7 @@ SRC_URI = "gitsm://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls
            file://run-ptest \
            "
 
-SRCREV = "e185d7fd85499c8ce5ca2a54f5cf8fe7dbe3f8df"
+SRCREV = "0bebf8b8c7f07abe3571ded48a11aa907a1ffb20"
 
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 

From patchwork Thu Apr  9 11:22:04 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85673
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0DACFEA3C51
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:32 +0000 (UTC)
Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com
 [209.85.210.175])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.129549.1775733748695707876
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:28 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=lR+iwN5D;
 spf=pass (domain: gmail.com, ip: 209.85.210.175,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pf1-f175.google.com with SMTP id
 d2e1a72fcca58-82d03827316so355392b3a.0
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733748; x=1776338548;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=9z0x8yNmeR6ktb2X4EuzKfg0riD1hi7p/c9EuKxfNWA=;
        b=lR+iwN5DmHwoom/uDOb0GdPRnFL4zXF9QoToXVtzTLQfb7aqiAQPAcTmRXcRQdIJC7
         KVjbE6RAmJENhIwLw63LP2zPfQ4E+dgZ97vYnyNqJrcjiBq50CmSkmStnPf7LMGNx3Dp
         xDhftLS1Qds6qR+2HRwlovhiV7x6UAGEXeWOwICCaoQMeailW9oKBQe/3CkULebGSl8y
         dLgwSkUyNHccli9PeLwHa6rBiVoZ7pA4CDSoQ0dotSYLN2bwG5U/xbmI9C3mPh4MSNKL
         HhBgLZd8SvFbBU5JRAnr/b8q0P/0slCS7T8mrPWqWFMl62WU4McwqHJ2nW0i5thpya9x
         cxsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733748; x=1776338548;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=9z0x8yNmeR6ktb2X4EuzKfg0riD1hi7p/c9EuKxfNWA=;
        b=fU1hBLhutnkcsbTw0CxTRADLVL8CB4jvspcURUA7hfoy/9/GzmPbhmPq1+SuVlelbI
         aY7PmIQ8sZdcOxBdQ8heMis4LYONJ/3aVPfgrBxz+ZoaNX/E1HGYzlYOTmCJ1kSJX/mG
         4A1IB/NYsERemRVPOTG6SoiNnDlEBokVeQuXXqmTF152CI+RFWTxh3tbbqxYsZlV6o3L
         34QlPwyIjZc+F3nFHxi0+Kq29suohnQR9/intzYTcrqbbDYg5x1dce8Q4ZLzMSotgLGO
         im94GmTCY6eJ6sEpyylGRmUtR/rsQ1aHOnfo+6Hfavi52PNzs7Wc3+KczZbbV/NZjcgW
         iXZg==
X-Gm-Message-State: AOJu0YzbwFmEpbUlj6k7grYYQihIXXikXnBaCEw37ljENSHR2i5zNutK
	PgJL8K5Zv7dSEWfPW9EpcdWONdmRB2/a2cYXNbiDd6Jq3DFyXmRFAnqzs4qzXOoH
X-Gm-Gg: AeBDieuNEBodjlhlBbv6eu+1TTEDmpm6y1KbetmitZtIpQPWByD3QjBsHibEGTP2Syw
	3L1x7CH3stM+ZkjpRrFU92GITn6GvskUk/PevBI0ClhUL7DjTDM3gEV+sHa/yxEdsdVO8Sl3mdt
	F+RYJKKbwODqdlU4w4WXoA9JRgGRtspL/jkuA2aPryZ1qiyp/MSZRbUQAPN6m0UaAwTXlic6CF6
	X0DdD8O1iOXcrEnWExQg+eYHiKsn86eNjkrlF90KEkkoiO8sU0HIxR1r1h8jIDN+9pYvCrM+JaI
	yfE7+6Q99BV/0zbtxii4DK2mDIZakkxQRtbnkLvfbEoa2JL/ws4vh0wj2UKq9ZkHqbBksmCPKQu
	LpddVtKUjT2Wi3V6BAD3bFS0zo0Z2cIaQgGqKU7Pw08N1xYQXNgNJqDxdQZNiBojFITfBROqoYC
	OKw/+CGbl7SIRH2558WG9D6vxL+hzREa5XRCE=
X-Received: by 2002:a05:6a00:4615:b0:82c:1cd0:2f7e with SMTP id
 d2e1a72fcca58-82dd8b1bb87mr2991075b3a.20.1775733747870;
        Thu, 09 Apr 2026 04:22:27 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.25
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:27 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-oe][scarthgap][PATCH 4/8] nodejs: upgrade 20.20.0 ->
 20.20.2
Date: Thu,  9 Apr 2026 23:22:04 +1200
Message-ID: <20260409112208.1119823-4-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:32 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126191

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

License Update: Update minimatch to the Blue Oak Model License[1]

nodejs LTS releases containing security and bugfixes.

https://nodejs.org/en/blog/release/v20.20.1
https://nodejs.org/en/blog/release/v20.20.2

[1] https://github.com/nodejs/node/commit/f0ef221b0d458d9358c6e6e49094da475e86c229

Ptests passed:

root@qemux86:~# ptest-runner nodejs
START: ptest-runner
2026-04-09T10:37
BEGIN: /usr/lib/nodejs/ptest
Running main() from /usr/src/debug/nodejs/20.20.2/deps/googletest/src/gtest_main.cc
[==========] Running 152 tests from 23 test suites.
[----------] Global test environment set-up.
...
...
[----------] Global test environment tear-down
[==========] 152 tests from 23 test suites ran. (30533 ms total)
[  PASSED  ] 152 tests.
PASS: nodejs
DURATION: 31
END: /usr/lib/nodejs/ptest
2026-04-09T10:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nodejs/{nodejs_20.20.0.bb => nodejs_20.20.2.bb}           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-oe/recipes-devtools/nodejs/{nodejs_20.20.0.bb => nodejs_20.20.2.bb} (98%)

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.20.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_20.20.2.bb
similarity index 98%
rename from meta-oe/recipes-devtools/nodejs/nodejs_20.20.0.bb
rename to meta-oe/recipes-devtools/nodejs/nodejs_20.20.2.bb
index 5882319804..aa6189da60 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_20.20.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.20.2.bb
@@ -1,7 +1,7 @@
 DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
 HOMEPAGE = "http://nodejs.org"
 LICENSE = "MIT & ISC & BSD-2-Clause & BSD-3-Clause & Artistic-2.0 & Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ac91fab5dbaf757274d2b29888f943ef"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b8b1791ae7a2ae99e12e2caf6218c890"
 
 CVE_PRODUCT = "nodejs node.js"
 
@@ -33,7 +33,7 @@ SRC_URI:append:class-target = " \
 SRC_URI:append:toolchain-clang:powerpc64le = " \
            file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \
            "
-SRC_URI[sha256sum] = "5294d9d2915620e819e6892fd7e545b98d650bad36dae54e6527eaac482add98"
+SRC_URI[sha256sum] = "7aeeacdb858299e09a3e0510d4bb8b266923894a9e3ac0058ba89d4ecf4a4cca"
 
 S = "${WORKDIR}/node-v${PV}"
 

From patchwork Thu Apr  9 11:22:05 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85674
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0A309EA3C55
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:42 +0000 (UTC)
Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com
 [209.85.215.174])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.129831.1775733751212144974
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:31 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=roj6/0Kz;
 spf=pass (domain: gmail.com, ip: 209.85.215.174,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pg1-f174.google.com with SMTP id
 41be03b00d2f7-c76b87931b8so508849a12.2
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733750; x=1776338550;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=JyavM5VXDL60PETTPUzIEQ5luOV0hyNpXUe2cPfmOLs=;
        b=roj6/0KzTBObG6nzpcSdVxjETO2DQv42hqasX3G5vQgcM+I6bw7+v9ITIFmKhFM7r8
         rGBaq8+WOQO98YcI6XJlZ01sVTQf19Zytx9nw5gPgHYiaZqv9+DBjB3/VEBJqU9wbP/C
         qmKEHD+aVUEFbsfjVtuLvBpGEwjT3cG5qGvocax9btlUWClTYHF1RB7WVtw3RqfNLkaE
         O/See3eVnPWbbrPs/ynrD/fOAdBMtZLBA2kmijQnN90zr56bTzx8kP2uv8Sma2zdSFBz
         Mp+KkmH0uxbEA+laj3SrCAu5wJkSLYWExWG4zn+IJu46G48V4DAZESpCf1wYP8zAt9X9
         vfLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733750; x=1776338550;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=JyavM5VXDL60PETTPUzIEQ5luOV0hyNpXUe2cPfmOLs=;
        b=IQgoFTR1k4OQeEFcmI2sMB9UxpDvOCIE389jxfhxIL9ej4HQcEqIhiahIcq3PQWKYl
         /WIfCQqqy5pf7zKy+pLAc1Ujk96MvHt5AMgFltDR20kbYJmxTcu1rWRdpCXkQUc0z6ad
         VHoAAbdGtPg3OK0R0AJZ8WMu3KZlCwFAd7hMt4nzEnQB+2hGpR50bOaUncMIpuJghwgu
         TTRpPfLt+eqo7MOvX006sz5t2O3S68EtZ0hPbWYko2ge9fumyt4V5fJ98mVoYmtLhN2t
         7C3Vv7fvYb+sqMRhfXIK84wGwzvjXyr0FAR56BCCsTL7Ny4a+4P7jLSpstM7P5T3hbZy
         khmA==
X-Gm-Message-State: AOJu0Yx6Wdu0koiHOrtDZTbKTJq0gDPh/BcIE5C7BtR5ljXuv3N3HODk
	pptHuUbCKSGSnZNAG8iMdkpNDY1IPYcD0xOHvxPnbu4hvHJujptU2vOItxW3IJWb
X-Gm-Gg: AeBDietfyfLR1Elw4jnv8cXGHt3OxBzvBlBzdkXycr+kSnYGmGPUTDLGptfWSdvetHk
	ESD8tZ/0u4U8QqP04UpQ4/vL7cLnXNLcAXlx4htj8rC8pSnrbJKdrT+tsAYLyV5fgSji3WcQyER
	PcK7yqLvG4/VNPzcYDabrNRjrCrBZzQbMiZr53+aqsHk7HUx5Kwg3DajpdrQfTFYHlsN/JlPsNu
	wAFxco+oVum7SrQY3FysuIUYDik4NJA9jyWSvwOglFbOorm7qZYD3oG2oslYX6z5geZuM2C/Nj4
	BPhmiIhtz8sD+Oinf6EcPeUP+po7mclIiwQH6oV8CSj6IK2PdIT6WBX+fJOG0AyNNp2J+JL1p0o
	oEl3XuG8+zwJ+svdijnK8vJC8/hJNqHNMyOtJzlAh0USBxln5sZcvtPqcYllD9+ZCtl0F9Smo0N
	jep5HrfKss/e0u6EvXMf2yLzUjaQ0uiCdaS2Q=
X-Received: by 2002:a05:6a20:9194:b0:398:7b18:837b with SMTP id
 adf61e73a8af0-39f2ee8797fmr25178451637.25.1775733750291;
        Thu, 09 Apr 2026 04:22:30 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.28
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:29 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-webserver][scarthgap][PATCH 5/8] nginx: fix CVE-2026-27651
Date: Thu,  9 Apr 2026 23:22:05 +1200
Message-ID: <20260409112208.1119823-5-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126192

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160383
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27651
[3] https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-27651.patch   | 34 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  4 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch
new file mode 100644
index 0000000000..b639b1a158
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27651.patch
@@ -0,0 +1,34 @@
+From 4f32484e99671d107d0d6c27c0c674f528d8c9ca Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed, 18 Mar 2026 16:39:37 +0400
+Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
+
+Previously, it was not properly cleared retaining length as part of
+authenticating with CRAM-MD5 and APOP methods that expect to receive
+password in auth response.  This resulted in null pointer dereference
+and worker process crash in subsequent auth attempts with CRAM-MD5.
+
+Reported by Arkadi Vainbrand.
+
+(cherry picked from commit 0f71dd8ea94ab8c123413b2e465be12a35392e9c)
+
+CVE: CVE-2026-27651
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/mail/ngx_mail_auth_http_module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
+index 27f64b92e..d931183ae 100644
+--- a/src/mail/ngx_mail_auth_http_module.c
++++ b/src/mail/ngx_mail_auth_http_module.c
+@@ -1325,7 +1325,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
+         b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
+         b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
+ 
+-        s->passwd.data = NULL;
++        ngx_str_null(&s->passwd);
+     }
+ 
+     b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index e5666f6fe6..d99dd873c6 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -2,7 +2,9 @@ require nginx.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
 
-SRC_URI:append = " file://CVE-2023-44487.patch"
+SRC_URI:append = " file://CVE-2023-44487.patch \
+                   file://CVE-2026-27651.patch \
+"
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
 

From patchwork Thu Apr  9 11:22:06 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85677
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 33B48EA3C59
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:42 +0000 (UTC)
Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com
 [209.85.215.170])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.129834.1775733754246481001
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:34 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=fH0Hpn4P;
 spf=pass (domain: gmail.com, ip: 209.85.215.170,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pg1-f170.google.com with SMTP id
 41be03b00d2f7-c70ea5e9e9dso359122a12.1
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733753; x=1776338553;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=Ey6SSs+dx5KDutut6Dzgvfl1ss9qEGlGIhKKHHHTfig=;
        b=fH0Hpn4PAPjJYFbrhNYoMmIAe78DOY7tVtF2eAsh2FNcvK2BbbAuEI4HdS+0czfP+i
         izvlfvGF/q/Y1ScPkfFEP1v7l+trX0fbcIPPm6v5pYqPeSIyGcGm7KhaQ6/1Im8lHSH/
         QAm0g6rO4LPOCzbyCJDtFX2cE33eL0wxWRuMLpfbRBSBSTdFyDH8WWEBZxa1n7gDjjle
         Jv3V2juTDFaT7pOtJ9IkDtCp3y28w36KYT99ekttJ4VfszY2kiFQ1YvuYeDf4KonMNbD
         FGZQ+0LKsyW8JD9OgzCM8jrn97/5pi6zfcTEn0RfCUUzTL+LAJJOOPxUz7b8Xx0u21kF
         rZOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733753; x=1776338553;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=Ey6SSs+dx5KDutut6Dzgvfl1ss9qEGlGIhKKHHHTfig=;
        b=e8cJ+zvfXh5+j1lSNBsF8QTlQPZOQns6Gq/ZZgHgmlBlfOr4pcnWdA41wlIRdyeyGY
         YNf7qhf+HGw1aAgNY1lLNFo7p8lMuCa5U/15gQz44hXnE15MIR7mwCgdbNHYnYxEaZTo
         EzGc//XOlX4Pz/4SJoFgp2Y52b4pdzDJm9PmgxXnGKfjaRjl3XP8o3LqH8OJwgWZtorj
         /tehxp2orOSwkLFM8fOqjSSfpnvT2v8T2jjsm2MgLct6EgiR23ULb2q/T52Bv+GJscKd
         XfOt65wSZZivLvYkj23yw16psaYgZjjnw9uPUWlsKpvLFkJr1LJcm6b5S7l9gotzxLKV
         HNyA==
X-Gm-Message-State: AOJu0Yz8MCvGivOg3MdUhTaC2W1KlZIq5EUTs8UGReMMlrHBCJzl/ZVM
	R17hbewWp+ggc5ugzjDkpWyc2KdtEpacDKqXBQG6sLO7eNSuHy9QxjY6Du2t1OQD
X-Gm-Gg: AeBDieu0SuprpwA0SuKlI/0GVknAenBexC4O9Gomb1r3TfBIPvt3xSK6oMxS36URmQn
	f8tE4qFOu5WdDAwBwGFnM/HglX0B0eqyIP8zfJEpM5C2d4Rz04U1Jt4sJUx6K+oMm3F1Q+vRaJo
	qRqfnZ1x3cRuONFjhw0Ha2owY5jPss1T+tl0wfJwlypRa8jKr9sWARLP3ohunNpqGxT+z9GmB4f
	NDyzfnkQUk0XYcouRYhVbhTXlV6IZMg92xR5fFtfcSm+89qCI9gSx88yXiyF27mYZjhEhA46KRQ
	rtW+BdzmzkDZxq2nQ3jikqeL8HiA4deNlSkNQardtoo+pNcAQMS7em/PFZDweIoe7938vv5lMWI
	nt1HlFeaERtRhvD3wxgE6WgHn7wbvrZK8QJF0A5bpupOy/eMdDQ/ismGpPrq/dF9VKZB9WaddWA
	NEx8+X87wWuLiklhPXORPJCNmiW4JT8FVBEJA=
X-Received: by 2002:a05:6a21:3399:b0:398:c351:aa0e with SMTP id
 adf61e73a8af0-39fc81c29dcmr3800880637.25.1775733753411;
        Thu, 09 Apr 2026 04:22:33 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.30
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:32 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-webserver][scarthgap][PATCH 6/8] nginx: fix CVE-2026-27654
Date: Thu,  9 Apr 2026 23:22:06 +1200
Message-ID: <20260409112208.1119823-6-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126193

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160382
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654
[3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-27654.patch   | 81 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch
new file mode 100644
index 0000000000..b85c6621e9
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch
@@ -0,0 +1,81 @@
+From be39034fa93a4d44b52de9b7a463754eda56e712 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 16 Mar 2026 20:13:03 +0400
+Subject: [PATCH] Dav: destination length validation for COPY and MOVE.
+
+Previously, when alias was used in a location with Dav COPY or MOVE
+enabled, and the destination URI was shorter than the alias, integer
+underflow could happen in ngx_http_map_uri_to_path(), which could
+result in heap buffer overwrite, followed by a possible segfault.
+With some implementations of memcpy(), the segfault could be avoided
+and the overwrite could result in a change of the source or destination
+file names to be outside of the location root.
+
+Reported by Calif.io in collaboration with Claude and Anthropic Research.
+
+(cherry picked from commit a1d18284e0a173c4ef2b28425535d0f640ae0a82)
+
+CVE: CVE-2026-27654
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/http/modules/ngx_http_dav_module.c | 39 +++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
+index cfb98929e..4619b139a 100644
+--- a/src/http/modules/ngx_http_dav_module.c
++++ b/src/http/modules/ngx_http_dav_module.c
+@@ -535,19 +535,20 @@ ngx_http_dav_mkcol_handler(ngx_http_request_t *r, ngx_http_dav_loc_conf_t *dlcf)
+ static ngx_int_t
+ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
+ {
+-    u_char                   *p, *host, *last, ch;
+-    size_t                    len, root;
+-    ngx_err_t                 err;
+-    ngx_int_t                 rc, depth;
+-    ngx_uint_t                overwrite, slash, dir, flags;
+-    ngx_str_t                 path, uri, duri, args;
+-    ngx_tree_ctx_t            tree;
+-    ngx_copy_file_t           cf;
+-    ngx_file_info_t           fi;
+-    ngx_table_elt_t          *dest, *over;
+-    ngx_ext_rename_file_t     ext;
+-    ngx_http_dav_copy_ctx_t   copy;
+-    ngx_http_dav_loc_conf_t  *dlcf;
++    u_char                    *p, *host, *last, ch;
++    size_t                     len, root;
++    ngx_err_t                  err;
++    ngx_int_t                  rc, depth;
++    ngx_uint_t                 overwrite, slash, dir, flags;
++    ngx_str_t                  path, uri, duri, args;
++    ngx_tree_ctx_t             tree;
++    ngx_copy_file_t            cf;
++    ngx_file_info_t            fi;
++    ngx_table_elt_t           *dest, *over;
++    ngx_ext_rename_file_t      ext;
++    ngx_http_dav_copy_ctx_t    copy;
++    ngx_http_dav_loc_conf_t   *dlcf;
++    ngx_http_core_loc_conf_t  *clcf;
+ 
+     if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+@@ -644,6 +645,18 @@ destination_done:
+         return NGX_HTTP_CONFLICT;
+     }
+ 
++    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
++    if (clcf->alias
++        && clcf->alias != NGX_MAX_SIZE_T_VALUE
++        && duri.len < clcf->alias)
++    {
++        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                      "client sent invalid \"Destination\" header: \"%V\"",
++                      &dest->value);
++        return NGX_HTTP_BAD_REQUEST;
++    }
++
+     depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
+ 
+     if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index d99dd873c6..b1f4f8d009 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
 
 SRC_URI:append = " file://CVE-2023-44487.patch \
                    file://CVE-2026-27651.patch \
+                   file://CVE-2026-27654.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

From patchwork Thu Apr  9 11:22:07 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85676
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 4051EEA3C5D
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:42 +0000 (UTC)
Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com
 [209.85.215.173])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.129836.1775733756930084517
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:36 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=MSpiAP5W;
 spf=pass (domain: gmail.com, ip: 209.85.215.173,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pg1-f173.google.com with SMTP id
 41be03b00d2f7-c76bde70ec9so321843a12.2
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733756; x=1776338556;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=0E+5NPe5QWe2CClN0gn9UN84+uYDhtJF8Z4fHHyOACM=;
        b=MSpiAP5WE+XIqKdLsrX4FmzrEIvnHNQWI4qnoqdKNPx9uyyWLV49zttkKwIrBxXRmY
         pUxpr0liP1yQz8smruEhl+mt8toSsyUK5T/QIiRzSEAEUQRn/1i19UGMPlD6XL9MjAWi
         seN2BslRW0h/CsKcMuOUy6coi/IS9jFKLi2B7bGRPmxpw5rO7ABgP/xRLkXaMSy5mjmg
         Ac8WTgfNbyv/gUBkRgseEFK5UDvm/gLJBScYi+31J85iauDR5jO0f3X51UfX65XCJ/mm
         E+nR9vNim2adAvzIfDCYkPMpDyCV/WhFU4TfmZz2isei62SbLE0kBn98Ui8Hh+BbVvD4
         SW+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733756; x=1776338556;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=0E+5NPe5QWe2CClN0gn9UN84+uYDhtJF8Z4fHHyOACM=;
        b=EnD8FwMgCH0i5xKUmmc9XujislI1Bi2Z+P8x504hSJL+UaBSoXr1yfvcNU4wUL/2wE
         3Ei4HjuvBCWdzdf2X4TVj5BxvUyeYHifRnZQC6PAAPNdyjT4xaHVyC/ADuIT92maHlJ1
         beabW3IE+223R/hKDnCkYC5NhziB6iSoYGPmi93bgD/pwynO3Flm7QAJE/2srwOL/pUL
         KqeWnfDZCMdq9548/5Ezh9bs+YPpcE8TXIKOxKYy3U+S3HHuTEuKdSt2P7OQr2xgEEAJ
         lbq2Dgu8/gSRbGoQSjVPNKAgx8cgGEwC/pVihpsti/D6vNqXO0hBEk+5F3Ro433ol5hb
         u3Lw==
X-Gm-Message-State: AOJu0YyqGUNmQb7FIzsrkSxdU6lGTxe/bXoOVRZGAVuSBqZgHNf4EgRB
	wb93AHBypWByZfCYLn/oAC3CbaZXi+5aQ7mEuRkMnpPSC107YJAz4rLETDbl1RrF
X-Gm-Gg: AeBDieuWsFY8fGwn5lHdJqiYrEIiTmXHezrrkz3iBOvobzS78BbTQZeXtygjQP5d/z1
	fMNgshi9G8+Y/v2b36hY6+g1P226C0UVAsu8MExw5eUiTqzkzyWEXyOod9vYgNGNTDGQ77GCalI
	gjt4Ey1wx1qI12Djx3OW88cGmkvWtJ4vl8S0Txejm51Rxpkq9g22rfeHkMVPjVGWqZHRC2v+9hW
	T/cECFclWitbLaJ4R2v+ffNuGXB7jpGNBcyx5/rtl48aisCyvlDWDc/tXcvfzFtC/vbNTrS6tzk
	2C1BygKuRzMcLyVwSt+TPIVCYlu/w/I0WJuMNsXLvovStIbIc4b1YJ7XDu6TEoq6c2EyKrAn9rA
	IMU/fhgSGp99ejzmxV/MdLYqzuok2YZ1KBBvWGuP1xk11UjSGAHTl53nGVCjlYjaCAbAzDYG2N6
	f68IG7rBNsxkPhQhZmrKj0PkK8mbYUqCmQonU=
X-Received: by 2002:a05:6a20:1611:b0:398:9794:32ed with SMTP id
 adf61e73a8af0-39fc80ddc96mr4358613637.12.1775733756130;
        Thu, 09 Apr 2026 04:22:36 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.33
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:35 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-webserver][scarthgap][PATCH 7/8] nginx: fix CVE-2026-28753
Date: Thu,  9 Apr 2026 23:22:07 +1200
Message-ID: <20260409112208.1119823-7-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126194

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160367
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753
[3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-28753.patch   | 93 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
new file mode 100644
index 0000000000..de27ffad2a
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28753.patch
@@ -0,0 +1,93 @@
+From 7e705808a8568a091a8ecf418ed9f77914304fcc Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 26 Feb 2026 11:52:53 +0400
+Subject: [PATCH] Mail: host validation.
+
+Now host name resolved from client address is validated to only contain
+the characters specified in RFC 1034, Section 3.5.  The validation allows
+to avoid injections when using the resolved host name in auth_http and
+smtp proxy.
+
+Reported by Asim Viladi Oglu Manizada, Colin Warren,
+Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
+Bird Liu (Lanzhou University).
+
+(cherry picked from commit 6a8513761fb327f67fcc6cfcf1ad216887e2589f)
+
+CVE: CVE-2026-28753
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
+index e68ceedfd..e477741c8 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
++++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -13,6 +13,7 @@
+ 
+ 
+ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
++static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
+ static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
+ static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+ static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
+@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+         return;
+     }
+ 
++    if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
++        ngx_log_error(NGX_LOG_ERR, c->log, 0,
++                      "%V resolved to invalid host name \"%V\"",
++                      &c->addr_text, &ctx->name);
++
++        s->host = smtp_tempunavail;
++
++        ngx_resolve_addr_done(ctx);
++
++        ngx_mail_smtp_greeting(s, s->connection);
++
++        return;
++    }
++
+     c->log->action = "in resolving client hostname";
+ 
+     s->host.data = ngx_pstrdup(c->pool, &ctx->name);
+@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ }
+ 
+ 
++static ngx_int_t
++ngx_mail_smtp_validate_host(ngx_str_t *name)
++{
++    u_char      ch;
++    ngx_uint_t  i;
++
++    if (name->len == 0) {
++        return NGX_DECLINED;
++    }
++
++    for (i = 0; i < name->len; i++) {
++        ch = name->data[i];
++
++        /* allow only characters from RFC 1034, Section 3.5 */
++
++        if ((ch >= 'a' && ch <= 'z')
++            || (ch >= 'A' && ch <= 'Z')
++            || (ch >= '0' && ch <= '9')
++            || ch == '-' || ch == '.')
++        {
++            continue;
++        }
++
++        return NGX_DECLINED;
++    }
++
++    return NGX_OK;
++}
++
++
+ static void
+ ngx_mail_smtp_resolve_name(ngx_event_t *rev)
+ {
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index b1f4f8d009..80cd5e1609 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
 SRC_URI:append = " file://CVE-2023-44487.patch \
                    file://CVE-2026-27651.patch \
                    file://CVE-2026-27654.patch \
+                   file://CVE-2026-28753.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

From patchwork Thu Apr  9 11:22:08 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Tyagi <ankur.tyagi85@gmail.com>
X-Patchwork-Id: 85675
Return-Path: <ankur.tyagi85@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 262AEEA3C57
	for <webhook@archiver.kernel.org>; Thu,  9 Apr 2026 11:22:42 +0000 (UTC)
Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com
 [209.85.210.179])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.129838.1775733759604656508
 for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:39 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20251104 header.b=T99bAQ+3;
 spf=pass (domain: gmail.com, ip: 209.85.210.179,
 mailfrom: ankur.tyagi85@gmail.com)
Received: by mail-pf1-f179.google.com with SMTP id
 d2e1a72fcca58-82c20b9fb15so449887b3a.3
        for <openembedded-devel@lists.openembedded.org>;
 Thu, 09 Apr 2026 04:22:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775733759; x=1776338559;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=8agm0sHa15rJymjDmpT7Tbpcjs32i/Hc3VOROgePjEo=;
        b=T99bAQ+3CE9osWF29XinsSheb6BlPIiP26DjkaDGQtD6S55/GpLsx5tjYXeQw7nOTD
         omDzgtRLeBsys+uHpwnBYrAEjWKWbCWKB64+VSMK81Dl7njqQTwz3BlzR1K1uSVykp5z
         FHWQWCBslLwiE9WOKh6zEzvqyrbr9jIYRvPG/p2Uc76uXX6kEGCw3l4eEgb2Oy1bboC7
         JtPDCGsAZk9E2hiSk82FVgLF+8KD5u2M+Dv74/Wq1VRUTunZrzI3Z1uo0BB4LcHl4q70
         JxmYXa7ipYvtk2uFlTLQWoXj2BEm0TyhQl4bVZE7fycjb0hM4E3hxY5jHMtH2wz29J4n
         sOgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775733759; x=1776338559;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=8agm0sHa15rJymjDmpT7Tbpcjs32i/Hc3VOROgePjEo=;
        b=aBYqnDXkdhRKHceUWyJQhHt/qu5nuKCzljRzPuW3FLg4iOg1Z3XgwHEROJPDyj/Hkd
         B4xRAbMMAZREzHNBVMcBvR+OTSK1yWI8Slq4Iayv39wkDV2B5JaSIO7FiFbkvbZJFNZ8
         LEfKr31H7s37vCqzkI2awScvFQgrCavX1qfSe/bLdwRGvaV3FERIec6k6EwKTvt3mIxo
         Go9N3BQt8aNjFoB7tiOtJP+/97G6BXRNy0z60dP+El6icCj7xsWBtCUjC0dBfaerX7ku
         SylD7vMhJJjOVL8Gy4BupNbe2oUh+r3hSmbZA4ryJkuh9kE1tMma/eIQ+pk0+F8shpC6
         Ja7g==
X-Gm-Message-State: AOJu0Yw04daSqJfyx/0zxufyur6Q/ree07nzzugm2nmBwflbkeGblMaA
	A8GVj/Kpy/zzuaNr9RlJQbgkSvgEe2pb/skdAKAEyOVPKdr4JWn7Esqk7gdqqbfZ
X-Gm-Gg: AeBDieuA+T1PBSnGj+IcuirNWHkIXTof6UNq58jH1Nm8q+dL3tUFpe23WT5OePam14B
	sDZBElgdu8EMIPoUdWJec80mqqyjUsizlijbWSMH1qx+ne88CH8sqiwPDKP4xvarT/6JcXqOOUb
	1/N+u05S578duOI5DXGG+D9YyjYfxcNgtv7hP3OgsZq/Cdg7QbOUhZYMkk6XkAacNxPclIoHptX
	wBjLhXHkV6tVKIrh9M4ifTHvSpgfbR6XKJb1tGvBIxMTXS10wWEGRg8wUZJt3dbJo8mPsTD17k7
	kdidGbnz0PQpIS5vpsy7YQU5Dl5J+Xjusb4Q/+RilF9HD6XEXoUyV73Kz33TVI7pNnmXY9fIO2g
	BL/OC/b23k/UeGp4W0CZO0p2KhMoJsFrRj+Rbvf6usIyEn+fKW04F9qM9k5hECD4eOIi+gGPlUQ
	rg8P45oeEXSIsiDToOfhdukS3JT/wDVJZkCKDIp+PrQcLEpw==
X-Received: by 2002:a05:6a00:460e:b0:82c:9897:70ef with SMTP id
 d2e1a72fcca58-82dd8a8a1cemr3469866b3a.27.1775733758662;
        Thu, 09 Apr 2026 04:22:38 -0700 (PDT)
Received: from NVAPF55DW0D-IPD.. ([203.211.108.51])
        by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-82cf9b3ccc8sm30046666b3a.19.2026.04.09.04.22.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Apr 2026 04:22:38 -0700 (PDT)
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
Subject: [oe][meta-webserver][scarthgap][PATCH 8/8] nginx: fix CVE-2026-32647
Date: Thu,  9 Apr 2026 23:22:08 +1200
Message-ID: <20260409112208.1119823-8-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
References: <20260409112208.1119823-1-ankur.tyagi85@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Thu, 09 Apr 2026 11:22:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/126195

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commits[3][4] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
[4] https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-32647-1.patch | 77 ++++++++++++++++
 .../nginx/nginx-1.24.0/CVE-2026-32647-2.patch | 87 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  2 +
 3 files changed, 166 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch
new file mode 100644
index 0000000000..506a3fb887
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch
@@ -0,0 +1,77 @@
+From c694db97c62f33d621e73937a63e7b5c206c16c9 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Sat, 21 Feb 2026 12:04:36 +0400
+Subject: [PATCH] Mp4: avoid zero size buffers in output.
+
+Previously, data validation checks did not cover the cases when the output
+contained empty buffers.  Such buffers are considered illegal and produce
+"zero size buf in output" alerts.  The change rejects the mp4 files which
+produce such alerts.
+
+Also, the change fixes possible buffer overread and overwrite that could
+happen while processing empty stco and co64 atoms, as reported by
+Pavel Kohout (Aisle Research) and Tim Becker.
+
+(cherry picked from commit a172c880cb51f882a5dc999437e8b3a4f87630cc)
+
+CVE: CVE-2026-32647
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 041ad263b..13d87cd6a 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+         }
+     }
+ 
+-    if (end_offset < start_offset) {
+-        end_offset = start_offset;
++    if (end_offset <= start_offset) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "no data between start time and end time in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
+     }
+ 
+     mp4->moov_size += 8;
+@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+ 
+     *prev = &mp4->mdat_atom;
+ 
+-    if (start_offset > mp4->mdat_data.buf->file_last) {
++    if (start_offset >= mp4->mdat_data.buf->file_last) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 mdat atom in \"%s\"",
+                       mp4->file.name.data);
+@@ -3416,7 +3419,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
+     if (data) {
+         entries = trak->sample_sizes_entries;
+ 
+-        if (trak->start_sample > entries) {
++        if (trak->start_sample >= entries) {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "start time is out mp4 stsz samples in \"%s\"",
+                           mp4->file.name.data);
+@@ -3591,7 +3594,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 stco chunks in \"%s\"",
+                       mp4->file.name.data);
+@@ -3806,7 +3809,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 co64 chunks in \"%s\"",
+                       mp4->file.name.data);
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch
new file mode 100644
index 0000000000..80bf94f5f1
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch
@@ -0,0 +1,87 @@
+From 1742d7fe92ed355ffa5aa68609b96f00f582f3d6 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 2 Mar 2026 21:12:34 +0400
+Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
+
+Previously, a 32-bit overflow could happen while validating atom entries
+count.  This allowed processing of an invalid atom with entrires beyond
+its boundaries with reads and writes outside of the allocated mp4 buffer.
+
+Reported by Prabhav Srinath (sprabhav7).
+
+(cherry picked from commit b23ac73b00313d159a99636c21ef71b828781018)
+
+CVE: CVE-2026-32647
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 13d87cd6a..015e42c51 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "mp4 time-to-sample entries:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
+-        + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stts atom too small", mp4->file.name.data);
+@@ -2600,7 +2600,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom->last = atom_table;
+ 
+     if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
+-        + entries * sizeof(uint32_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stss atom too small", mp4->file.name.data);
+@@ -2805,7 +2805,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom->last = atom_table;
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
+-        + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 ctts atom too small", mp4->file.name.data);
+@@ -2987,7 +2987,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "sample-to-chunk entries:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
+-        + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stsc atom too small", mp4->file.name.data);
+@@ -3365,7 +3365,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     if (size == 0) {
+         if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
+-            + entries * sizeof(uint32_t) > atom_data_size)
++            + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+         {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "\"%s\" mp4 stsz atom too small",
+@@ -3524,7 +3524,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
+-        + entries * sizeof(uint32_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stco atom too small", mp4->file.name.data);
+@@ -3740,7 +3740,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
+-        + entries * sizeof(uint64_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 co64 atom too small", mp4->file.name.data);
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index 80cd5e1609..ab15c10596 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -6,6 +6,8 @@ SRC_URI:append = " file://CVE-2023-44487.patch \
                    file://CVE-2026-27651.patch \
                    file://CVE-2026-27654.patch \
                    file://CVE-2026-28753.patch \
+                   file://CVE-2026-32647-1.patch \
+                   file://CVE-2026-32647-2.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"