From patchwork Wed May 20 14:24:35 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88541
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: tgaige.opensource@witekio.com
To: openembedded-devel@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" , Bruno Vernay
Subject: [meta-webserver][scarthgap][PATCH 1/4] nginx: patch CVE-2026-40701
Date: Wed, 20 May 2026 16:24:35 +0200
Message-ID: <20260520142438.2126939-1-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127117

From: "Theo Gaige (Schneider Electric)"

Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1
[2] https://security-tracker.debian.org/tracker/CVE-2026-40701

Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
---
 .../nginx/nginx-1.24.0/CVE-2026-40701.patch | 73 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb     |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
new file mode 100644
index 0000000000..63bd7bd24e
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-40701.patch
@@ -0,0 +1,73 @@ +From 7abc2a59d5d65bb981be7cababb029d60c995719 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Tue, 21 Apr 2026 14:51:41 +0400 +Subject: [PATCH] OCSP: resolve cleanup on connection close + +Previously, when a client SSL connection was terminated (typically due to a +timeout) while resolving an OCSP responder, the OCSP context was freed, but +the resolve context was not. This resulted in use-after-free on resolve +completion. + +Reported by Leo Lin. + +CVE: CVE-2026-40701 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + src/event/ngx_event_openssl_stapling.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index e3fa8c4..2aaf99b 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -111,6 +111,7 @@ struct ngx_ssl_ocsp_ctx_s { + + ngx_resolver_t *resolver; + ngx_msec_t resolver_timeout; ++ ngx_resolver_ctx_t *resolve; + + ngx_msec_t timeout; + +@@ -1303,6 +1304,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx) + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, + "ssl ocsp done"); + ++ if (ctx->resolve) { ++ ngx_resolve_name_done(ctx->resolve); ++ } ++ + if (ctx->peer.connection) { + ngx_close_connection(ctx->peer.connection); + } +@@ -1395,7 +1400,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) + resolve->data = ctx; + resolve->timeout = ctx->resolver_timeout; + ++ ctx->resolve = resolve; ++ + if (ngx_resolve_name(resolve) != NGX_OK) { ++ ctx->resolve = NULL; + ngx_ssl_ocsp_error(ctx); + return; + } +@@ -1484,6 +1492,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) + } + + ngx_resolve_name_done(resolve); ++ ctx->resolve = NULL; + + ngx_ssl_ocsp_connect(ctx); + return; +@@ -1491,6 +1500,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) + failed: + + 
ngx_resolve_name_done(resolve); ++ ctx->resolve = NULL; ++ + ngx_ssl_ocsp_error(ctx); + } + +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index b732e92b18..b4bb1ccc67 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb 
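Review bot: the `ngx_resolver_ctx_t *resolve` member added in the `@@ -111,6 +111,7 @@ struct ngx_ssl_ocsp_ctx_s` hunk is tested unconditionally by the new `if (ctx->resolve)` in ngx_ssl_ocsp_done(), so it has to be NULL from the moment the context exists, not only after ngx_ssl_ocsp_request() has run; the allocation site is outside this patch, so before merging the 1.24.0 backport confirm that ngx_ssl_ocsp_ctx_t is allocated with a zeroing allocator (ngx_pcalloc) or add an explicit `ctx->resolve = NULL;` where it is created, otherwise a context torn down before any lookup started would hand an uninitialised pointer to ngx_resolve_name_done().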
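Review bot: in the `@@ -1303,6 +1304,10 @@ ngx_ssl_ocsp_done` hunk, ngx_resolve_name_done(ctx->resolve) is called but ctx->resolve is left pointing at the released lookup, whereas every other ngx_resolve_name_done() call in this patch is followed immediately by `ctx->resolve = NULL;`. That is safe only if ngx_ssl_ocsp_done() runs exactly once per context; resetting the field here as well costs nothing and makes the invariant "resolve is non-NULL only while a lookup is outstanding" hold everywhere, so a second pass through this function cannot release the same resolver context twice. A small static helper doing the done-plus-reset pair, shared by the three call sites, would make the omission impossible.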
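Review bot: in the `@@ -1395,7 +1400,10 @@ ngx_ssl_ocsp_request` hunk the assignment `ctx->resolve = resolve;` sits before ngx_resolve_name(), and that order must survive future edits: ngx_ssl_ocsp_resolve_handler() now sets `ctx->resolve = NULL` after ngx_resolve_name_done(), so if the resolver ever delivers the result from inside ngx_resolve_name() (a cached name), assigning the field after the call would overwrite that NULL with a pointer to an already-released context and bring the use-after-free back through ngx_ssl_ocsp_done(). The `ctx->resolve = NULL;` on the `!= NGX_OK` path is needed for the same reason, since ngx_ssl_ocsp_error() follows immediately and the failed lookup is no longer the caller's to release. A one-line comment above the assignment explaining the ordering would be worth carrying in the backport.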
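Added example, not code from nginx or from this patch series: a stand-alone C model of the lifecycle the commit message describes, an owner that starts an asynchronous name lookup and can be torn down, on a client timeout, before the lookup completes. The resolver, its fixed pool of lookups, the `cached` (answer synchronously) and `down` (fail to start) knobs and the `uaf`/`stale` counters are all constructed for the model and are not nginx APIs; the three owner functions mirror the shape of the patched ngx_ssl_ocsp_request(), ngx_ssl_ocsp_resolve_handler() and ngx_ssl_ocsp_done() visible in the hunks above, with `patched=0` reproducing the pre-fix ngx_ssl_ocsp_done() that freed the context without cancelling the lookup. Memory is never actually freed; a `torn_down` flag lets the handler count a use-after-free instead of suffering it.

```c
#include <stddef.h>

#define MAX_LOOKUPS 4

typedef struct resolver_s resolver_t;
typedef struct resolve_ctx_s resolve_ctx_t;

/* One lookup; stands in for ngx_resolver_ctx_t (every name here is constructed for the model). */
struct resolve_ctx_s {
    resolver_t *r;
    void       *data;                       /* owner: the OCSP context */
    void      (*handler)(resolve_ctx_t *);
    int         queued;                     /* 1 while the resolver still owns it */
};

/* Stands in for ngx_resolver_t: a lookup pool plus model-only knobs and counters. */
struct resolver_s {
    resolve_ctx_t lookups[MAX_LOOKUPS];
    int    cached;     /* 1: resolve_name() answers from inside the call */
    int    down;       /* 1: resolve_name() fails to start */
    size_t uaf;        /* handler runs whose owner was already torn down */
    size_t stale;      /* resolve_name_done() on a lookup the resolver no longer owns */
};

/* Stands in for ngx_ssl_ocsp_ctx_t. */
typedef struct {
    resolve_ctx_t *resolve;     /* the member the CVE-2026-40701 fix adds */
    int            torn_down;   /* model: set instead of freeing the memory */
    int            connected;   /* handler reached the connect step */
} ocsp_ctx_t;

static resolve_ctx_t *resolve_alloc(resolver_t *r) {
    size_t i;
    for (i = 0; i < MAX_LOOKUPS; i++)
        if (!r->lookups[i].queued) { r->lookups[i].r = r; return &r->lookups[i]; }
    return NULL;
}

/* Like ngx_resolve_name(): queue the lookup, or answer a cached name by calling the handler
 * before returning. On failure the lookup is released here and the caller must drop its pointer. */
static int resolve_name(resolve_ctx_t *rc) {
    if (rc->r->down) { rc->data = NULL; return -1; }
    rc->queued = 1;
    if (rc->r->cached) rc->handler(rc);
    return 0;
}

static void resolve_name_done(resolve_ctx_t *rc) {
    if (!rc->queued) rc->r->stale++;        /* double release, or release after a failed start */
    rc->queued = 0;
    rc->data = NULL;
}

/* The resolver's completion path (timer or socket event): deliver every queued lookup. */
static void resolver_run(resolver_t *r) {
    size_t i;
    for (i = 0; i < MAX_LOOKUPS; i++)
        if (r->lookups[i].queued) r->lookups[i].handler(&r->lookups[i]);
}

/* Mirrors ngx_ssl_ocsp_resolve_handler(); the torn_down test is the model's UAF detector. */
static void ocsp_resolve_handler(resolve_ctx_t *rc) {
    ocsp_ctx_t *ctx = rc->data;
    resolve_name_done(rc);
    if (ctx->torn_down) { rc->r->uaf++; return; }   /* the real code would read freed memory here */
    ctx->resolve = NULL;
    ctx->connected = 1;
}

/* Mirrors the patched ngx_ssl_ocsp_request(): record the lookup before starting it (a cached
 * answer clears the field from inside resolve_name()) and forget it when the start fails. */
static int ocsp_request(resolver_t *r, ocsp_ctx_t *ctx) {
    resolve_ctx_t *rc = resolve_alloc(r);
    if (rc == NULL) return -1;
    rc->data = ctx;
    rc->handler = ocsp_resolve_handler;
    ctx->resolve = rc;
    if (resolve_name(rc) != 0) { ctx->resolve = NULL; return -1; }
    return 0;
}

/* Mirrors ngx_ssl_ocsp_done(); patched=0 frees the context with the lookup still queued. */
static void ocsp_done(ocsp_ctx_t *ctx, int patched) {
    if (patched && ctx->resolve) { resolve_name_done(ctx->resolve); ctx->resolve = NULL; }
    ctx->torn_down = 1;
}

/* Client times out mid-lookup, then the resolver completes; returns handler runs on a dead owner. */
static size_t scenario_timeout_during_resolve(int patched) {
    resolver_t r = {{{0}}}; ocsp_ctx_t ctx = {0};
    ocsp_request(&r, &ctx);
    ocsp_done(&ctx, patched);
    resolver_run(&r);
    return r.uaf;
}

/* Cached name: the handler runs inside resolve_name(); 1 = connected and nothing stale released. */
static int scenario_cached_answer(void) {
    resolver_t r = {{{0}}}; ocsp_ctx_t ctx = {0}; r.cached = 1;
    if (ocsp_request(&r, &ctx) != 0 || ctx.resolve != NULL) return 0;
    ocsp_done(&ctx, 1);
    return ctx.connected && r.stale == 0;
}
```

`scenario_timeout_during_resolve(0)` returns 1 (the completion handler runs on a context that was already torn down) and `scenario_timeout_during_resolve(1)` returns 0. The cached scenario is why the back pointer is stored before the lookup is started: the handler clears it from inside the start call, and storing it afterwards would reinstate a dangling pointer. Setting `r.down = 1` exercises the failure path, where the lookup is gone when the start call returns and the owner must forget it, which is what the `ctx->resolve = NULL;` on the `!= NGX_OK` branch of the hunk does.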
@@ -9,6 +9,7 @@ SRC_URI:append = " \ file://CVE-2026-27654.patch \ file://CVE-2026-28753.patch \ file://CVE-2026-32647.patch \ + file://CVE-2026-40701.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

From patchwork Wed May 20 14:24:36 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88542
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: tgaige.opensource@witekio.com
To: openembedded-devel@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" , Bruno Vernay
Subject: [meta-webserver][scarthgap][PATCH 2/4] nginx: patch CVE-2026-42934
Date: Wed, 20 May 2026 16:24:36 +0200
Message-ID: <20260520142438.2126939-2-tgaige.opensource@witekio.com>
In-Reply-To: <20260520142438.2126939-1-tgaige.opensource@witekio.com>
References: <20260520142438.2126939-1-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127118

From: "Theo Gaige (Schneider Electric)"

Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a
[2] https://security-tracker.debian.org/tracker/CVE-2026-42934

Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
---
 .../nginx/nginx-1.24.0/CVE-2026-42934.patch | 79 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb     |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42934.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42934.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42934.patch
new file mode 100644
index 0000000000..b2a8142934
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42934.patch
@@ -0,0 +1,79 @@ +From 9e8f535a9320a2f6bdc3ae9cf9e616ae0a29869e Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Sun, 12 Apr 2026 07:13:23 +0100 +Subject: [PATCH] Charset: fix buffer over-read in recode_from_utf8(). + +When a multi-byte UTF-8 character was split across 3+ single-byte +buffers, the saved bytes continuation path had two related bugs: + +ngx_utf8_decode() was called with the last saved-array index instead +of the byte count, causing it to report "incomplete" even when the +sequence was already complete. + +The subsequent ngx_memcpy() used that same index as the copy length, +reading past the input buffer boundary. + +CVE: CVE-2026-42934 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + .../modules/ngx_http_charset_filter_module.c | 20 ++++++------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c +index e52b96e..7a518e3 100644 +--- a/src/http/modules/ngx_http_charset_filter_module.c ++++ b/src/http/modules/ngx_http_charset_filter_module.c +@@ -689,7 +689,6 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, + u_char c, *p, *src, *dst, *saved, **table; + uint32_t n; + ngx_buf_t *b; +- ngx_uint_t i; + ngx_chain_t *out, *cl, **ll; + + src = buf->pos; +@@ -783,18 +782,12 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pool->log, 0, + "http charset utf saved: %z", ctx->saved_len); + +- p = src; +- +- for (i = ctx->saved_len; i < NGX_UTF_LEN; i++) { +- ctx->saved[i] = *p++; +- +- if (p == buf->last) { +- break; +- } +- } ++ len = ngx_min(NGX_UTF_LEN - ctx->saved_len, (size_t) (buf->last - src)); ++ ngx_memcpy(&ctx->saved[ctx->saved_len], src, len); ++ len += ctx->saved_len; + + saved = ctx->saved; +- n = ngx_utf8_decode(&saved, i); ++ n = 
ngx_utf8_decode(&saved, len); + + c = '\0'; + +@@ -810,7 +803,7 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, + + /* incomplete UTF-8 symbol */ + +- if (i < NGX_UTF_LEN) { ++ if (len < NGX_UTF_LEN) { + out = ngx_http_charset_get_buf(pool, ctx); + if (out == NULL) { + return NULL; +@@ -823,8 +816,7 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, + b->sync = 1; + b->shadow = buf; + +- ngx_memcpy(&ctx->saved[ctx->saved_len], src, i); +- ctx->saved_len += i; ++ ctx->saved_len = len; + + return out; + } +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index b4bb1ccc67..7a94cb6172 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb 
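Review bot: the `@@ -689,7 +689,6 @@` hunk deletes `ngx_uint_t i;` while the later hunks start using `len` and drop `p = src;`, yet neither the declaration of `len` nor the next read of `p` is inside the patch; the backport therefore assumes that the 1.24.0 copy of ngx_http_charset_recode_from_utf8() already declares `size_t len` above the shown context and that `p` is reassigned before it is read again on this path. The first assumption is checked by the compiler, the second is not (a stale `p` compiles cleanly), so the lines following the decode call deserve a look in the 1.24.0 tree rather than only in the upstream tree the fix was written against.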
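Review bot: `len = ngx_min(NGX_UTF_LEN - ctx->saved_len, (size_t) (buf->last - src));` in the `@@ -783,18 +782,12 @@` hunk is unsigned arithmetic that is only correct while `ctx->saved_len < NGX_UTF_LEN`; if saved_len ever equalled NGX_UTF_LEN the left operand would wrap, ngx_min would pick `buf->last - src`, and the following ngx_memcpy would write up to a whole buffer into the four-byte `ctx->saved` array, turning the over-read being fixed into an overflow. The invariant does hold, because the only store to saved_len visible in this patch, `ctx->saved_len = len;`, sits under `if (len < NGX_UTF_LEN)`, but that coupling is two hunks away and deserves a comment next to the ngx_min. The explicit `(size_t)` cast is necessary rather than cosmetic: the pointer difference is ptrdiff_t and ngx_min compares its operands directly.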
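Review bot: `ctx->saved_len = len;` in the `@@ -823,8 +816,7 @@` hunk is correct only because the bytes were already placed in `ctx->saved` by the ngx_memcpy introduced in the earlier hunk; the removed `ngx_memcpy(&ctx->saved[ctx->saved_len], src, i); ctx->saved_len += i;` was a second, index-sized copy of data the old loop had already stored, so this hunk is where the out-of-bounds read actually goes away and the backport description could say so. Two consequences are worth stating in review: after the assignment `len < NGX_UTF_LEN` guarantees saved_len stays below the array size, and the path still returns `out` without advancing `src`, which is only right when the whole buffer went into `saved`; the ngx_min guarantees exactly that here, since `len < NGX_UTF_LEN` means the buffer held fewer bytes than the symbol still needed.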
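Added example, not code from nginx or from this series: a stand-alone C model of the saved-bytes continuation path the commit message describes, with `fixed=0` reproducing the pre-fix logic (loop index `i` handed to the decoder and to the copy as if it were a byte count) and `fixed=1` the patched logic (bounded copy, decode with the true count, `saved_len = len`). `utf8_decode()` is a simplified decoder written for this example that follows the same return convention as ngx_utf8_decode() (code point, 0xfffffffe for incomplete, 0xffffffff for invalid); `recode_ctx_t`, `recode_feed()`, `run_split()` and the FEED_* results are constructed names, not nginx API. In the pre-fix path an over-read is counted rather than performed, so the program stays well defined while showing where the original read past `buf->last`.

```c
#include <stdint.h>
#include <string.h>

#define UTF_LEN          4             /* same bound as nginx's NGX_UTF_LEN */
#define UTF8_INVALID     0xffffffffu   /* same sentinels ngx_utf8_decode() returns */
#define UTF8_INCOMPLETE  0xfffffffeu

enum { FEED_INVALID = -1, FEED_INCOMPLETE = 0, FEED_SYMBOL = 1 };

/* Per-stream state: the head of a symbol that straddled a buffer boundary. */
typedef struct {
    unsigned char saved[UTF_LEN];
    size_t        saved_len;
} recode_ctx_t;

/* Simplified decoder (not nginx's) with the same result convention: code point and
 * its length in *len, UTF8_INCOMPLETE if n is too small, UTF8_INVALID if malformed. */
static uint32_t utf8_decode(const unsigned char *p, size_t n, size_t *len)
{
    uint32_t u = p[0], min;
    size_t   need, i;
    if (u < 0x80)       { *len = 1; return u; }
    else if (u >= 0xf0) { u &= 0x07; need = 3; min = 0x10000; }
    else if (u >= 0xe0) { u &= 0x0f; need = 2; min = 0x800; }
    else if (u >= 0xc2) { u &= 0x1f; need = 1; min = 0x80; }
    else                { return UTF8_INVALID; }
    if (n - 1 < need) return UTF8_INCOMPLETE;             /* callers pass n >= 1 */
    for (i = 1; i <= need; i++) {
        if ((p[i] & 0xc0) != 0x80) return UTF8_INVALID;
        u = (u << 6) | (p[i] & 0x3f);
    }
    if (u < min || u > 0x10ffff) return UTF8_INVALID;     /* overlong or out of range */
    *len = need + 1;
    return u;
}

/* Feed one buffer. fixed=0 reproduces the pre-fix continuation logic (over-reads are
 * counted, not performed, so the model stays defined); fixed=1 the patched logic.
 * On FEED_SYMBOL *cp is the code point and *consumed how many bytes of this buffer
 * belonged to it; on FEED_INCOMPLETE the whole buffer went into ctx->saved. */
static int recode_feed(recode_ctx_t *ctx, int fixed, const unsigned char *src,
                       size_t n, uint32_t *cp, size_t *consumed, size_t *overread)
{
    size_t   len, sym = 0, copy;
    uint32_t u;
    int      legacy = !fixed && ctx->saved_len != 0;  /* only the continuation path changed */
    if (n == 0) { *consumed = 0; return FEED_INCOMPLETE; }
    if (!legacy) {
        len = UTF_LEN - ctx->saved_len;       /* relies on saved_len < UTF_LEN, kept below */
        if (len > n) len = n;                 /* bounded copy: never past src + n */
        memcpy(&ctx->saved[ctx->saved_len], src, len);
        len += ctx->saved_len;                /* the true byte count */
    } else {
        const unsigned char *p = src, *last = src + n;
        size_t i;
        if (ctx->saved_len >= UTF_LEN) { ctx->saved_len = 0; return FEED_INVALID; } /* corrupted earlier */
        for (i = ctx->saved_len; i < UTF_LEN; i++) {
            ctx->saved[i] = *p++;
            if (p == last) break;             /* i is the last index written: count - 1 */
        }
        len = i;                              /* bug 1: an index where a count is expected */
    }
    u = utf8_decode(ctx->saved, len, &sym);
    if (u == UTF8_INCOMPLETE && len < UTF_LEN) {
        if (!legacy) {
            ctx->saved_len = len;             /* bytes are already in saved[] */
        } else {
            copy = len;                       /* bug 2: memcpy(&saved[saved_len], src, i) */
            if (copy > n) { *overread += copy - n; copy = n; }
            memcpy(&ctx->saved[ctx->saved_len], src, copy);
            ctx->saved_len += len;
        }
        *consumed = n;
        return FEED_INCOMPLETE;
    }
    if (u == UTF8_INCOMPLETE || u == UTF8_INVALID) {
        ctx->saved_len = 0; *consumed = 1; return FEED_INVALID;
    }
    *cp = u;
    *consumed = sym - ctx->saved_len;         /* like src += (saved - ctx->saved) - ctx->saved_len */
    ctx->saved_len = 0;
    return FEED_SYMBOL;
}

/* Deliver bytes as n one-byte buffers, the split the commit message names, and report
 * the status after the last one plus how many bytes were read past the input. */
static int run_split(int fixed, const unsigned char *bytes, size_t n,
                     uint32_t *cp, size_t *overread)
{
    recode_ctx_t ctx = { {0}, 0 };
    size_t       consumed, k;
    int          st = FEED_INVALID;
    *cp = 0; *overread = 0;
    for (k = 0; k < n; k++)
        st = recode_feed(&ctx, fixed, bytes + k, 1, cp, &consumed, overread);
    return st;
}
```

Feeding U+20AC (E2 82 AC) as three one-byte buffers, the pre-fix path ends with FEED_INCOMPLETE, `saved_len` pushed to 4 and one byte counted past the input, the two defects the commit message names; the patched path returns FEED_SYMBOL with 0x20AC on the third buffer. With a larger second buffer (82 AC 41 after a lone E2) the patched path also reports `consumed == 2`, so the caller knows the trailing 0x41 belongs to the next symbol.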
@@ -10,6 +10,7 @@ SRC_URI:append = " \ file://CVE-2026-28753.patch \ file://CVE-2026-32647.patch \ file://CVE-2026-40701.patch \ + file://CVE-2026-42934.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

From patchwork Wed May 20 14:24:37 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88544
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: tgaige.opensource@witekio.com To: openembedded-devel@lists.openembedded.org Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" , Bruno Vernay Subject: [meta-webserver][scarthgap][PATCH 3/4] nginx: patch CVE-2026-42945 Date: Wed, 20 May 2026 16:24:37 +0200 Message-ID: <20260520142438.2126939-3-tgaige.opensource@witekio.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260520142438.2126939-1-tgaige.opensource@witekio.com> References: <20260520142438.2126939-1-tgaige.opensource@witekio.com> X-ClientProxiedBy: ZR0P278CA0021.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:1c::8) To AM9P192MB1396.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:3ad::23) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM9P192MB1396:EE_|PAWP192MB2388:EE_ X-MS-Office365-Filtering-Correlation-Id: 7ab55540-883b-45a6-2692-08deb67b8db1 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|52116014|376014|366016|13003099007|38350700014|56012099003|22082099003|18002099003; X-Microsoft-Antispam-Message-Info: /R1Bq9j29XMIWJLLdqh+IkxtlgVOESMSvyfOeSa2ZFpPkcalHCpgm1vzDBVY1ERqlnRemqV+jQd3HxRnKL2LlAO0p7tomi9ODQCBbcJ8swp8oDPwtvYOx1hzIH0DzR4Gb4I7X67VN3lI+M+g9yhLJX/RRHixbQKfTAgLVs4rtOJuHNT4/hn2Ab2ERdVJJeQFaXjg7erQYNdPU3pXH+YwMcSjXxCN38eLjpokoFpIm8QtCkuEhTzeXoiTlueN1b+GkGW6nGN9QwGDrJx9ZKilk9LQWewb8oTXK+Wt0/kTG10sPjIy1MjSXwDC0s8lysaw658atuzoci8ctsM1zSUCUuFIB6KoFCqW8HQEmrI2ueRB3/TLQyc4oQ4SZfLyNbPHq7RsZLrfs7kKpw1ldQfmHcsZbYrNMuBEun65Sqj3AIF92XT35Td3Twyj8+pACjITw9uwzlo5ZzwE2G/aUfpdpQxb1hYSa792/IAJRJgXIiL5JlRA4Y8DqtSZpXgQ6/GXsV4Q7KKHgaC9lVPH3FKxes72/Xtk5JoWbU0h8oXKPOnSjThfDr6QYJowIYqZChjo6DHLk6DZmOphUYK1f5lt2GPOBULAvYguQqHn51Cys9h1r7qWOiTZpEPkQ79Q6Uwn/oxtn3ITzPnxbgzggwiK/qsTvaT8p2rvxuDV455eTp/LzBGcuOg+sK0fYaN+gW3yoE5G1Cr1+8ChlmCIHJs/pJ12RISNvHBdEUhiM6aeO4YUfe2QbFSbk58Qhfgz43Yf X-Forefront-Antispam-Report: 
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127119

From: "Theo Gaige (Schneider Electric)"

Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
[2] https://security-tracker.debian.org/tracker/CVE-2026-42945

Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
---
 .../nginx/nginx-1.24.0/CVE-2026-42945.patch | 46 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch
new file mode 100644
index 0000000000..15abc875fb
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch
@@ -0,0 +1,46 @@ +From 3d990abc5cb4adc2368da603a419c9944aaa5f65 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Wed, 22 Apr 2026 09:39:31 +0400 +Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun + +The following code resulted in incorrect escaping of $1 and possible +segfault: + + location / { + rewrite ^(.*) /new?c=1; + set $myvar $1; + return 200 $myvar; + } + +If there were arguments in a rewrite's replacement string, the is_args flag +was set and incorrectly never cleared. This resulted in escaping applied +to any captures evaluated afterwards in set or if. Additionally buffer was +allocated by ngx_http_script_complex_value_code() without escaping expected, +thus this also resulted in buffer overrun and possible segfault. + +A similar issue was fixed in 74d939974d43. + +Reported by Leo Lin. + +CVE: CVE-2026-42945 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + src/http/ngx_http_script.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c +index a2b9f1b..2ea6113 100644 +--- a/src/http/ngx_http_script.c ++++ b/src/http/ngx_http_script.c +@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e) + + r = e->request; + ++ e->is_args = 0; + e->quote = 0; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index 7a94cb6172..f9e40fa27f 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb 
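Review bot: nothing in the submission says the one-line change in ngx_http_script_regex_end_code was exercised, and a build-only check cannot catch this class of bug; the commit message itself supplies the reproducer (`rewrite ^(.*) /new?c=1;`, `set $myvar $1;`, `return 200 $myvar;`), so please state in the cover letter that a patched scarthgap 1.24.0 build returns the capture unescaped for a request carrying a query string and no longer crashes, since the overrun described comes from a buffer sized by ngx_http_script_complex_value_code() without escaping in mind. Minor: the `From 3d990abc5cb4...` id in the patch header is the backporter's local commit, not the upstream 524977e7c534... that Upstream-Status points at; that is the normal result of git format-patch on a cherry-pick and needs no change, as long as reviewers diff against the Upstream-Status URL rather than the local id.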
@@ -11,6 +11,7 @@ SRC_URI:append = " \ file://CVE-2026-32647.patch \ file://CVE-2026-40701.patch \ file://CVE-2026-42934.patch \ + file://CVE-2026-42945.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"

From patchwork Wed May 20 14:24:38 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88543
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: tgaige.opensource@witekio.com
To: openembedded-devel@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" , Bruno Vernay
Subject: [meta-webserver][scarthgap][PATCH 4/4] nginx: patch CVE-2026-42946
Date: Wed, 20 May 2026 16:24:38 +0200
Message-ID: <20260520142438.2126939-4-tgaige.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260520142438.2126939-1-tgaige.opensource@witekio.com>
References: <20260520142438.2126939-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127120
From: "Theo Gaige (Schneider Electric)"

Backport patches [1] and [2] mentioned in [3].

[1] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e
[2] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd
[3] https://security-tracker.debian.org/tracker/CVE-2026-42946

Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
---
 .../nginx-1.24.0/CVE-2026-42946-01.patch | 46 ++++++++++
 .../nginx-1.24.0/CVE-2026-42946-02.patch | 91 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb | 2 +
 3 files changed, 139 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch
new file mode 100644
index 0000000000..2418f69afc
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch
@@ -0,0 +1,46 @@ +From 7b45e652cc7e91fbc60cbb5f41eb4608e706bc03 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 29 Apr 2026 21:56:51 +0400 +Subject: [PATCH 1/2] Upstream: reset parsing state after invalid status line + +Previously, it was possible to start parsing headers with a wrong +parsing state after status line was not recognized, as a fallback +used in the scgi and uwsgi modules. + +Reported by Leo Lin. + +CVE: CVE-2026-42946 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + src/http/modules/ngx_http_scgi_module.c | 1 + + src/http/modules/ngx_http_uwsgi_module.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c +index 9fc18dc..3259820 100644 +--- a/src/http/modules/ngx_http_scgi_module.c ++++ b/src/http/modules/ngx_http_scgi_module.c +@@ -1029,6 +1029,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_scgi_process_header; ++ r->state = 0; + return ngx_http_scgi_process_header(r); + } + +diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c +index e4f721b..93bcad7 100644 +--- a/src/http/modules/ngx_http_uwsgi_module.c ++++ b/src/http/modules/ngx_http_uwsgi_module.c +@@ -1257,6 +1257,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_uwsgi_process_header; ++ r->state = 0; + return ngx_http_uwsgi_process_header(r); + } + +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch new file mode 100644 index 0000000000..089bd46a26 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch 
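Review bot: the `r->state = 0;` added in the NGX_ERROR fallback of ngx_http_scgi_process_status_line (and identically in ngx_http_uwsgi_process_status_line) repairs the parser state handed to process_header but leaves u->buffer.pos wherever ngx_http_parse_status_line stopped, so with -01 alone a first line that arrived split across reads and then failed to parse as a status line still starts header parsing with the already-consumed bytes gone, which is the loss the -02 commit message describes and fixes by rewinding to r->header_name_start. The two patches therefore have to be taken together and in this order: the -02 scgi hunk's `index 3259820..a04fd47` is the post-image of this hunk's `index 9fc18dc..3259820`, and its context already contains the `r->state = 0;` line added here. Worth one sentence in the backport note: -01 touches only scgi and uwsgi because, per its commit message, the fallback from status line to header parsing exists only in those two modules; the proxy module is handled in -02.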
@@ -0,0 +1,91 @@ +From 7b5bea14a2a7a784751a8f86559bd3c3f109ed5b Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 29 Apr 2026 23:02:20 +0400 +Subject: [PATCH 2/2] Upstream: fixed parsing of split status lines + +If the first response line was split across reads and it didn't appear +a status line, the portion already processed was lost. To preserve ABI, +the change reuses r->header_name_start for proper backtracking on status +line fallback. + +CVE: CVE-2026-42946 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + src/http/modules/ngx_http_proxy_module.c | 5 +++++ + src/http/modules/ngx_http_scgi_module.c | 5 +++++ + src/http/modules/ngx_http_uwsgi_module.c | 5 +++++ + 3 files changed, 15 insertions(+) + +diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c +index 9cc202c..19cbfa3 100644 +--- a/src/http/modules/ngx_http_proxy_module.c ++++ b/src/http/modules/ngx_http_proxy_module.c +@@ -1814,6 +1814,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status); + + if (rc == NGX_AGAIN) { +@@ -1821,6 +1825,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) + } + + if (rc == NGX_ERROR) { ++ u->buffer.pos = r->header_name_start; + + #if (NGX_HTTP_CACHE) + +diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c +index 3259820..a04fd47 100644 +--- a/src/http/modules/ngx_http_scgi_module.c ++++ b/src/http/modules/ngx_http_scgi_module.c +@@ -1021,6 +1021,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, status); + + if (rc == NGX_AGAIN) { +@@ 
-1029,6 +1033,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_scgi_process_header; ++ u->buffer.pos = r->header_name_start; + r->state = 0; + return ngx_http_scgi_process_header(r); + } +diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c +index 93bcad7..749254f 100644 +--- a/src/http/modules/ngx_http_uwsgi_module.c ++++ b/src/http/modules/ngx_http_uwsgi_module.c +@@ -1249,6 +1249,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, status); + + if (rc == NGX_AGAIN) { +@@ -1257,6 +1261,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_uwsgi_process_header; ++ u->buffer.pos = r->header_name_start; + r->state = 0; + return ngx_http_uwsgi_process_header(r); + } +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index f9e40fa27f..26352a8814 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -12,6 +12,8 @@ SRC_URI:append = " \ file://CVE-2026-40701.patch \ file://CVE-2026-42934.patch \ file://CVE-2026-42945.patch \ + file://CVE-2026-42946-01.patch \ + file://CVE-2026-42946-02.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
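Review bot: the `if (r->state == 0)` guard in ngx_http_proxy_process_status_line uses r->state as a first-call marker, so it records header_name_start correctly only if ngx_http_parse_status_line leaves r->state non-zero once it has consumed anything and returned NGX_AGAIN, and only if r->state is zero on the first call for a fresh or reinitialised upstream request; neither fact is visible in this series, so please confirm both against the scarthgap 1.24.0 sources rather than assuming the tree at upstream commit 39d7d0ba matches. The rewind `u->buffer.pos = r->header_name_start;` sits at the top of the NGX_ERROR branch, ahead of the `#if (NGX_HTTP_CACHE)` block, so whatever the rest of that branch does with the buffer sees the whole first line again, which is the behaviour the commit message asks for.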
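Review bot: in the scgi and uwsgi hunks of -02 the rewind is inserted between `u->process_header = ...` and the `r->state = 0;` line from -01, giving the same sequence in both modules (assign handler, rewind buffer, reset state, call handler), which is consistent and easy to audit. Reusing r->header_name_start instead of adding a field, as the commit message explains, leaves the layout of ngx_http_request_t untouched, and that is the reason this is safe for a stable-branch recipe: dynamic modules built against unpatched 1.24.0 headers keep working, so please mention it in the backport note. Separately, the `@@ -1029,6 +1033,7 @@` header of the second scgi hunk is split across two lines in this archived copy; the file in the series is presumably intact, but anyone applying from the archive should fetch the patch from the message URL rather than copy it from here.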
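Review bot: the recipe hunk `@@ -12,6 +12,8 @@` carries `file://CVE-2026-42945.patch \` in its context and starts from `index f9e40fa27f`, the post-image of the 3/4 recipe change, so 4/4 does not apply on its own; if the maintainer picks the series partially this hunk has to be regenerated. Both new files carry `CVE: CVE-2026-42946`, which is what cve-check keys on, so two patch files for one CVE is fine and no extra CVE_STATUS entry is needed.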
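A check for the recipe convention both patches above rely on: every backport is a `file://CVE-....patch` entry in SRC_URI:append, and each patch file carries `CVE:` and `Upstream-Status: Backport [url]` tags in its header, which is what cve-check and reviewers use to tie the file to the CVE. The following is an added example, not code from this series, from meta-webserver or from nginx; the recipe fragment and patch headers inside it are constructed samples modelled on the hunks above, and 0001-fix-build.patch is a hypothetical name used only to show a failing case.

```python
"""Tag check for CVE backport patches listed in an OpenEmbedded recipe.

Added example; not code from the meta-webserver series, OE-core or nginx.
It parses the file:// entries of a SRC_URI:append block like the one in
nginx_1.24.0.bb and checks each patch header (text before the first "---")
for a "CVE:" tag matching the CVE in the file name and an "Upstream-Status:"
tag with a bracketed commit URL when the status is Backport. The recipe
fragment and patch headers below are constructed; nothing is read from disk.
"""
import re
from dataclasses import dataclass, field

FILE_URI_RE = re.compile(r"file://(\S+?\.patch)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BACKPORT_URL_RE = re.compile(r"^Backport\s*\[https?://\S+\]$")


@dataclass
class PatchReport:
    name: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def listed_patches(recipe_text: str) -> list:
    """Patch names referenced via file:// in the recipe, in SRC_URI order."""
    return FILE_URI_RE.findall(recipe_text)


def header_tags(patch_text: str) -> dict:
    """'Key: value' lines of a format-patch header; first occurrence wins.

    Parsing stops at the '---' separator so diff content is never read as a tag.
    """
    tags = {}
    for line in patch_text.splitlines():
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][\w-]*", key.strip()):
            tags.setdefault(key.strip(), value.strip())
    return tags


def check_patch(name: str, patch_text: str) -> PatchReport:
    """Validate one patch header against the name it is listed under."""
    rep = PatchReport(name)
    tags = header_tags(patch_text)

    status = tags.get("Upstream-Status")
    if status is None:
        rep.problems.append("missing Upstream-Status tag")
    elif status.startswith("Backport") and not BACKPORT_URL_RE.match(status):
        rep.problems.append("Backport status without an upstream commit URL")

    cve_in_name = CVE_RE.search(name)
    cve_tag = tags.get("CVE")
    if cve_in_name and cve_tag is None:
        rep.problems.append("CVE-named patch without a CVE: tag")
    elif cve_in_name and cve_tag != cve_in_name.group(0):
        rep.problems.append(f"CVE tag {cve_tag} does not match file name")
    return rep


def check_recipe(recipe_text: str, patch_files: dict) -> dict:
    """Report for every patch the recipe lists; absent files are flagged."""
    reports = {}
    for name in listed_patches(recipe_text):
        if name not in patch_files:
            reports[name] = PatchReport(name, ["patch file not found"])
        else:
            reports[name] = check_patch(name, patch_files[name])
    return reports


# Constructed recipe fragment shaped like the SRC_URI:append hunks above.
# CVE-2026-42934.patch is listed but left out of SAMPLE_PATCHES on purpose.
SAMPLE_RECIPE = '''\
SRC_URI:append = " \\
    file://CVE-2026-42934.patch \\
    file://CVE-2026-42945.patch \\
    file://CVE-2026-42946-02.patch \\
    file://0001-fix-build.patch \\
"
'''

# Constructed headers: the CVE ones mirror the tags in the series;
# 0001-fix-build.patch is a hypothetical local patch lacking Upstream-Status.
SAMPLE_PATCHES = {
    "CVE-2026-42945.patch": (
        "CVE: CVE-2026-42945\n"
        "Upstream-Status: Backport [https://github.com/nginx/nginx/commit/"
        "524977e7c534e87e5b55739fa74601c9f1102686]\n---\n"
    ),
    "CVE-2026-42946-02.patch": (
        "CVE: CVE-2026-42946\n"
        "Upstream-Status: Backport [https://github.com/nginx/nginx/commit/"
        "39d7d0ba0799fcff6baee52b6525f45739593cfd]\n---\n"
    ),
    "0001-fix-build.patch": "Signed-off-by: Example Maintainer\n---\n",
}

if __name__ == "__main__":
    for rep in check_recipe(SAMPLE_RECIPE, SAMPLE_PATCHES).values():
        print(rep.name, "ok" if rep.ok else "; ".join(rep.problems))
```

Point `check_recipe` at the real recipe text and a dict built from the files under the recipe's `files/` or version directory to run it against a layer; the same check in a CI job catches a patch that was added to SRC_URI but never committed, or a CVE tag that drifted from the file name after a rebase.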