* [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-1642
@ 2026-02-22 22:52 Peter Marko
2026-02-23 8:08 ` [oe] " Gyorgy Sarvari
0 siblings, 1 reply; 4+ messages in thread
From: Peter Marko @ 2026-02-22 22:52 UTC (permalink / raw)
To: openembedded-devel; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick patch accorting to [1].
[1] https://security-tracker.debian.org/tracker/CVE-2026-1642
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
v2: added patch annotations
.../nginx/files/CVE-2026-1642.patch | 46 +++++++++++++++++++
.../recipes-httpd/nginx/nginx_1.24.0.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
new file mode 100644
index 0000000000..d6c636e54d
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
@@ -0,0 +1,46 @@
+From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 29 Jan 2026 13:27:32 +0400
+Subject: [PATCH] Upstream: detect premature plain text response from SSL
+ backend.
+
+When connecting to a backend, the connection write event is triggered
+first in most cases. However if a response arrives quickly enough, both
+read and write events can be triggered together within the same event loop
+iteration. In this case the read event handler is called first and the
+write event handler is called after it.
+
+SSL initialization for backend connections happens only in the write event
+handler since SSL handshake starts with sending Client Hello. Previously,
+if a backend sent a quick plain text response, it could be parsed by the
+read event handler prior to starting SSL handshake on the connection.
+The change adds protection against parsing such responses on SSL-enabled
+connections.
+
+CVE: CVE-2026-1642
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/http/ngx_http_upstream.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index df577ad67..cadc74479 100644
+--- a/src/http/ngx_http_upstream.c
++++ b/src/http/ngx_http_upstream.c
+@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+ return;
+ }
+
++#if (NGX_HTTP_SSL)
++ if (u->ssl && c->ssl == NULL) {
++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
++ "upstream prematurely sent response");
++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
++ return;
++ }
++#endif
++
+ u->state->bytes_received += n;
+
+ u->buffer.last += n;
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index e288b19da3..93a27ebd56 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -3,6 +3,7 @@ require nginx.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
SRC_URI:append = " file://CVE-2025-23419.patch"
+SRC_URI:append = " file://CVE-2026-1642.patch"
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [oe] [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-1642
2026-02-22 22:52 [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-1642 Peter Marko
@ 2026-02-23 8:08 ` Gyorgy Sarvari
2026-02-23 16:50 ` Marko, Peter
0 siblings, 1 reply; 4+ messages in thread
From: Gyorgy Sarvari @ 2026-02-23 8:08 UTC (permalink / raw)
To: peter.marko, openembedded-devel
I wonder, does this patch apply only to 1.24, or does it apply to the
other two recipes also (and it could be just shoved into the .inc file)?
On 2/22/26 23:52, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick patch accorting to [1].
>
> [1] https://security-tracker.debian.org/tracker/CVE-2026-1642
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> v2: added patch annotations
>
> .../nginx/files/CVE-2026-1642.patch | 46 +++++++++++++++++++
> .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 +
> 2 files changed, 47 insertions(+)
> create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
>
> diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
> new file mode 100644
> index 0000000000..d6c636e54d
> --- /dev/null
> +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
> @@ -0,0 +1,46 @@
> +From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001
> +From: Roman Arutyunyan <arut@nginx.com>
> +Date: Thu, 29 Jan 2026 13:27:32 +0400
> +Subject: [PATCH] Upstream: detect premature plain text response from SSL
> + backend.
> +
> +When connecting to a backend, the connection write event is triggered
> +first in most cases. However if a response arrives quickly enough, both
> +read and write events can be triggered together within the same event loop
> +iteration. In this case the read event handler is called first and the
> +write event handler is called after it.
> +
> +SSL initialization for backend connections happens only in the write event
> +handler since SSL handshake starts with sending Client Hello. Previously,
> +if a backend sent a quick plain text response, it could be parsed by the
> +read event handler prior to starting SSL handshake on the connection.
> +The change adds protection against parsing such responses on SSL-enabled
> +connections.
> +
> +CVE: CVE-2026-1642
> +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/http/ngx_http_upstream.c | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
> +index df577ad67..cadc74479 100644
> +--- a/src/http/ngx_http_upstream.c
> ++++ b/src/http/ngx_http_upstream.c
> +@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
> + return;
> + }
> +
> ++#if (NGX_HTTP_SSL)
> ++ if (u->ssl && c->ssl == NULL) {
> ++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
> ++ "upstream prematurely sent response");
> ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
> ++ return;
> ++ }
> ++#endif
> ++
> + u->state->bytes_received += n;
> +
> + u->buffer.last += n;
> diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> index e288b19da3..93a27ebd56 100644
> --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> @@ -3,6 +3,7 @@ require nginx.inc
> LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
>
> SRC_URI:append = " file://CVE-2025-23419.patch"
> +SRC_URI:append = " file://CVE-2026-1642.patch"
>
> SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#124537): https://lists.openembedded.org/g/openembedded-devel/message/124537
> Mute This Topic: https://lists.openembedded.org/mt/117948481/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [oe] [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-1642
2026-02-23 8:08 ` [oe] " Gyorgy Sarvari
@ 2026-02-23 16:50 ` Marko, Peter
2026-02-23 19:16 ` Gyorgy Sarvari
0 siblings, 1 reply; 4+ messages in thread
From: Marko, Peter @ 2026-02-23 16:50 UTC (permalink / raw)
To: Gyorgy Sarvari, openembedded-devel@lists.openembedded.org
> -----Original Message-----
> From: Gyorgy Sarvari <skandigraun@gmail.com>
> Sent: Monday, February 23, 2026 9:08
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-
> 1642
>
> I wonder, does this patch apply only to 1.24, or does it apply to the
> other two recipes also (and it could be just shoved into the .inc file)?
I have sent additional patch to move both CVE patches to the inc file.
Peter
>
> On 2/22/26 23:52, Peter Marko via lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Pick patch accorting to [1].
> >
> > [1] https://security-tracker.debian.org/tracker/CVE-2026-1642
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> > v2: added patch annotations
> >
> > .../nginx/files/CVE-2026-1642.patch | 46 +++++++++++++++++++
> > .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 +
> > 2 files changed, 47 insertions(+)
> > create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2026-
> 1642.patch
> >
> > diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
> b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
> > new file mode 100644
> > index 0000000000..d6c636e54d
> > --- /dev/null
> > +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-1642.patch
> > @@ -0,0 +1,46 @@
> > +From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00
> 2001
> > +From: Roman Arutyunyan <arut@nginx.com>
> > +Date: Thu, 29 Jan 2026 13:27:32 +0400
> > +Subject: [PATCH] Upstream: detect premature plain text response from SSL
> > + backend.
> > +
> > +When connecting to a backend, the connection write event is triggered
> > +first in most cases. However if a response arrives quickly enough, both
> > +read and write events can be triggered together within the same event loop
> > +iteration. In this case the read event handler is called first and the
> > +write event handler is called after it.
> > +
> > +SSL initialization for backend connections happens only in the write event
> > +handler since SSL handshake starts with sending Client Hello. Previously,
> > +if a backend sent a quick plain text response, it could be parsed by the
> > +read event handler prior to starting SSL handshake on the connection.
> > +The change adds protection against parsing such responses on SSL-enabled
> > +connections.
> > +
> > +CVE: CVE-2026-1642
> > +Upstream-Status: Backport
> [https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f8
> 5b6e]
> > +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > +---
> > + src/http/ngx_http_upstream.c | 9 +++++++++
> > + 1 file changed, 9 insertions(+)
> > +
> > +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
> > +index df577ad67..cadc74479 100644
> > +--- a/src/http/ngx_http_upstream.c
> > ++++ b/src/http/ngx_http_upstream.c
> > +@@ -2441,6 +2441,15 @@
> ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t
> *u)
> > + return;
> > + }
> > +
> > ++#if (NGX_HTTP_SSL)
> > ++ if (u->ssl && c->ssl == NULL) {
> > ++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
> > ++ "upstream prematurely sent response");
> > ++ ngx_http_upstream_next(r, u,
> NGX_HTTP_UPSTREAM_FT_ERROR);
> > ++ return;
> > ++ }
> > ++#endif
> > ++
> > + u->state->bytes_received += n;
> > +
> > + u->buffer.last += n;
> > diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-
> webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> > index e288b19da3..93a27ebd56 100644
> > --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> > +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> > @@ -3,6 +3,7 @@ require nginx.inc
> > LIC_FILES_CHKSUM =
> "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
> >
> > SRC_URI:append = " file://CVE-2025-23419.patch"
> > +SRC_URI:append = " file://CVE-2026-1642.patch"
> >
> > SRC_URI[sha256sum] =
> "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#124537): https://lists.openembedded.org/g/openembedded-
> devel/message/124537
> > Mute This Topic: https://lists.openembedded.org/mt/117948481/6084445
> > Group Owner: openembedded-devel+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
> [skandigraun@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [oe] [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-1642
2026-02-23 16:50 ` Marko, Peter
@ 2026-02-23 19:16 ` Gyorgy Sarvari
0 siblings, 0 replies; 4+ messages in thread
From: Gyorgy Sarvari @ 2026-02-23 19:16 UTC (permalink / raw)
To: Marko, Peter, openembedded-devel@lists.openembedded.org
On 2/23/26 17:50, Marko, Peter wrote:
>> -----Original Message-----
>> From: Gyorgy Sarvari <skandigraun@gmail.com>
>> Sent: Monday, February 23, 2026 9:08
>> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
>> openembedded-devel@lists.openembedded.org
>> Subject: Re: [oe] [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-
>> 1642
>>
>> I wonder, does this patch apply only to 1.24, or does it apply to the
>> other two recipes also (and it could be just shoved into the .inc file)?
> I have sent additional patch to move both CVE patches to the inc file.
> Peter
Thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-23 19:16 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-22 22:52 [meta-webserver][kirkstone][PATCH v2] nginx: patch CVE-2026-1642 Peter Marko
2026-02-23 8:08 ` [oe] " Gyorgy Sarvari
2026-02-23 16:50 ` Marko, Peter
2026-02-23 19:16 ` Gyorgy Sarvari
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.