
import CS nginx-1.26.3-8.module_el9+1337+df4f836a

AlmaLinux RelEng Bot 2026-04-16 06:41:31 -04:00
parent 9217e25d9e
commit f860976871
8 changed files with 363 additions and 1 deletions


@ -0,0 +1,37 @@
From dc847f7aedf0b4f8bbf9d7f9ba983541c6ca88c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Tue, 20 Jan 2026 19:27:05 +0100
Subject: [PATCH] Clarify binding behavior of -t option.
Configuration testing includes binding to configured listen addresses
when opening referenced files.
---
man/nginx.8 | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/man/nginx.8 b/man/nginx.8
index 10db3e6..64d9ae7 100644
--- a/man/nginx.8
+++ b/man/nginx.8
@@ -25,7 +25,7 @@
.\" SUCH DAMAGE.
.\"
.\"
-.Dd November 5, 2020
+.Dd January 21, 2026
.Dt NGINX 8
.Os
.Sh NAME
@@ -98,7 +98,8 @@ but additionally dump configuration files to standard output.
Do not run, just test the configuration file.
.Nm
checks the configuration file syntax and then tries to open files
-referenced in the configuration file.
+referenced in the configuration file, including binding to configured
+listen addresses.
.It Fl V
Print the
.Nm
--
2.44.0


@ -0,0 +1,45 @@
From 93ac6eae019e30fc22d2d5321acb28de549f73aa Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Thu, 29 Jan 2026 13:27:32 +0400
Subject: [PATCH] Upstream: detect premature plain text response from SSL
backend.
When connecting to a backend, the connection write event is triggered
first in most cases. However if a response arrives quickly enough, both
read and write events can be triggered together within the same event loop
iteration. In this case the read event handler is called first and the
write event handler is called after it.
SSL initialization for backend connections happens only in the write event
handler since SSL handshake starts with sending Client Hello. Previously,
if a backend sent a quick plain text response, it could be parsed by the
read event handler prior to starting SSL handshake on the connection.
The change adds protection against parsing such responses on SSL-enabled
connections.
---
src/http/ngx_http_upstream.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 2ce9f21..70c3b46 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
return;
}
+#if (NGX_HTTP_SSL)
+ if (u->ssl && c->ssl == NULL) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "upstream prematurely sent response");
+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+ return;
+ }
+#endif
+
u->state->bytes_received += n;
u->buffer.last += n;
--
2.44.0
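Review bot: The new guard in ngx_http_upstream_process_header (`if (u->ssl && c->ssl == NULL)`) carries no comment, and the condition alone does not tell a reader why data can be read before the handshake has been set up. I would add above it `/* the read event may fire before the write handler has started the SSL handshake; never parse plain text received on an SSL-enabled upstream */`. The log text "upstream prematurely sent response" also does not say that the data arrived before any handshake, so an operator alerting on this line cannot tell what was premature; if diverging from the upstream wording is acceptable downstream, naming the missing handshake in the message would help. The function body starts and ends outside the hunk.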


@ -0,0 +1,31 @@
diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
index cfb9892..6bf438a 100644
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
ngx_ext_rename_file_t ext;
ngx_http_dav_copy_ctx_t copy;
ngx_http_dav_loc_conf_t *dlcf;
+ ngx_http_core_loc_conf_t *clcf;
if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
@@ -644,6 +645,18 @@ destination_done:
return NGX_HTTP_CONFLICT;
}
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (clcf->alias
+ && clcf->alias != NGX_MAX_SIZE_T_VALUE
+ && duri.len < clcf->alias)
+ {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "client sent invalid \"Destination\" header: \"%V\"",
+ &dest->value);
+ return NGX_HTTP_BAD_REQUEST;
+ }
+
depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
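Review bot: The added length check in ngx_http_dav_copy_move_handler (`duri.len < clcf->alias`) is not explained, and neither is the `NGX_MAX_SIZE_T_VALUE` exclusion next to it. A short comment would keep the guard from being dropped in a later cleanup, for example `/* the destination URI must be at least as long as the location prefix replaced by alias */`; presumably the path mapping further down subtracts that prefix length, but that code is outside the hunk, so the wording should be confirmed against it. This patch file also has no From/Subject header, unlike the other patches added in this commit, so the upstream commit it was taken from is not recorded in the file itself.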


@ -0,0 +1,84 @@
From 3568812cf98dfd7661cd7516ecf9b398c134ab3c Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Mon, 2 Mar 2026 21:12:34 +0400
Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
Previously, a 32-bit overflow could happen while validating atom entries
count. This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.
Reported by Prabhav Srinath (sprabhav7).
---
src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 173d8ad54..678d6296c 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"mp4 time-to-sample entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stts atom too small", mp4->file.name.data);
@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stss atom too small", mp4->file.name.data);
@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 ctts atom too small", mp4->file.name.data);
@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sample-to-chunk entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsc atom too small", mp4->file.name.data);
@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
if (size == 0) {
if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsz atom too small",
@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stco atom too small", mp4->file.name.data);
@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
- + entries * sizeof(uint64_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 co64 atom too small", mp4->file.name.data);
--
2.53.0
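Review bot: The same widened bounds check is now written out seven times (stts, stss, ctts, stsc, stsz, stco, co64), each depending on a `(uint64_t)` cast placed by hand. Because `entries` is taken from the mp4 file and the product was previously computed without widening, a reader added later that copies the old form would bring the 32-bit wrap back; a single static helper that takes the header size, the entry count and the entry size and does the arithmetic in uint64_t would make the check hard to get wrong. Other places in this file that multiply an entry count by an entry size are not visible in these hunks and are worth checking on a 32-bit build. Each hunk shows only the check itself, and the enclosing functions continue outside it.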


@ -0,0 +1,31 @@
From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed, 18 Mar 2026 16:39:37 +0400
Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response. This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.
Reported by Arkadi Vainbrand.
---
src/mail/ngx_mail_auth_http_module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
index 4ca6d6e24..3e5095a2d 100644
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
- s->passwd.data = NULL;
+ ngx_str_null(&s->passwd);
}
b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
--
2.53.0
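Review bot: The one-line fix to `ngx_str_null(&s->passwd);` would benefit from a comment, since the previous form `s->passwd.data = NULL;` looked equally reasonable and left a stale length behind. Something like `/* reset data and len together: passwd is filled in again from the auth response */` records the invariant that the two fields must never disagree. The closing brace after it belongs to a block that opens outside the hunk, so whether other paths in ngx_mail_auth_http_create_request touch s->passwd cannot be judged from here.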


@ -0,0 +1,74 @@
From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Sat, 21 Feb 2026 12:04:36 +0400
Subject: [PATCH] Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers. Such buffers are considered illegal and produce
"zero size buf in output" alerts. The change rejects the mp4 files which
produce such alerts.
Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
---
src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 445fab1cd..173d8ad54 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
}
}
- if (end_offset < start_offset) {
- end_offset = start_offset;
+ if (end_offset <= start_offset) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "no data between start time and end time in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
}
mp4->moov_size += 8;
@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
*prev = &mp4->mdat_atom;
- if (start_offset > mp4->mdat_data.buf->file_last) {
+ if (start_offset >= mp4->mdat_data.buf->file_last) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 mdat atom in \"%s\"",
mp4->file.name.data);
@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
if (data) {
entries = trak->sample_sizes_entries;
- if (trak->start_sample > entries) {
+ if (trak->start_sample >= entries) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stsz samples in \"%s\"",
mp4->file.name.data);
@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stco chunks in \"%s\"",
mp4->file.name.data);
@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 co64 chunks in \"%s\"",
mp4->file.name.data);
--
2.53.0
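Review bot: The first hunk changes behaviour as well as tightening a check: where `end_offset < start_offset` used to be clamped, `end_offset <= start_offset` now returns NGX_ERROR, so a request whose start and end resolve to the same offset fails instead of yielding an empty range. The hunk does not show which status the caller turns that into, so it is worth stating in a comment that an empty range is rejected on purpose, for example `/* an empty range would produce a zero size buffer in output */`. The four `>` to `>=` changes (mdat, stsz, stco, co64) each sit on an exact boundary, and a regression test with start_sample == entries and start_chunk == chunks would pin them. All of the enclosing functions extend beyond the hunks.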

3
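--- a/SOURCES/nginx.tmpfiles
+++ b/SOURCES/nginx.tmpfiles
@@ -0,0 +1,3 @@
+d /var/lib/nginx 770 nginx root -
+d /var/lib/nginx/tmp 770 nginx root -
+d /var/log/nginx 711 root root -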
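Review bot: These three entries repeat the owner and mode values that the spec's %files list already sets with `%attr(770,%{nginx_user},root)` and `%attr(711,root,root)`, and nothing ties the two together. The spec takes the user from the `nginx_user` macro while this file hard-codes `nginx`, so a change on one side would leave the directories with whichever permissions were applied last. A first line such as `# Keep owners and modes in sync with the %files section of nginx.spec` would document the coupling.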


@ -2,7 +2,7 @@
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 1;
release_number = 8;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -96,6 +96,7 @@ Source16: nginxmods.attr
Source17: nginx-ssl-pass-dialog
Source18: nginx@.service
Source19: nginx.sysusers
Source20: nginx.tmpfiles
Source102: nginx-logo.png
Source200: README.dynamic
Source210: UPGRADE-NOTES-1.6-to-1.10
@ -128,6 +129,31 @@ Patch6: 0007-Support-loading-cert-hardware-token-PKC.patch
# downstream patch - https://issues.redhat.com/browse/RHEL-40621
Patch7: 0008-defer-ENGINE_finish-calls-to-a-cleanup.patch
# https://issues.redhat.com/browse/RHEL-113229
# upstream patch - https://github.com/nginx/nginx/pull/1089
Patch8: 0009-Clarify-binding-behavior-of-t-option.patch
# https://issues.redhat.com/browse/RHEL-146516
# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
Patch9: 0010-Upstream-detect-premature-plain-text-response-from-S.patch
# https://redhat.atlassian.net/browse/RHEL-159565
# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
# whitespace was removed from the patch
Patch10: 0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch
# https://redhat.atlassian.net/browse/RHEL-159544
# upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
Patch11: 0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
# https://redhat.atlassian.net/browse/RHEL-159452
# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
Patch12: 0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
# https://redhat.atlassian.net/browse/RHEL-157893
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
Patch13: 0014-Mp4-avoid-zero-size-buffers-in-output.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@ -506,6 +532,10 @@ install -m755 $RPM_SOURCE_DIR/nginx-ssl-pass-dialog \
# install sysusers file
install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/nginx.conf
# tmpfiles.d configuration
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 644 -p %{SOURCE20} %{buildroot}%{_tmpfilesdir}/nginx.conf
%pre filesystem
%sysusers_create_compat %{SOURCE19}
@ -595,6 +625,7 @@ fi
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp
%attr(711,root,root) %dir %{_localstatedir}/log/nginx
%{_tmpfilesdir}/nginx.conf
%ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log
%ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log
%dir %{nginx_moduledir}
@ -649,6 +680,32 @@ fi
%changelog
## START: Generated by rpmautospec
* Tue Apr 14 2026 pdancak <pdancak@redhat.com> - 2:1.26.3-8
- RHEL-157893 CVE-2026-32647 nginx: NGINX: Denial of Service or Code
Execution via specially crafted MP4 files
* Tue Apr 14 2026 pdancak <pdancak@redhat.com> - 2:1.26.3-7
- RHEL-159452 CVE-2026-27651 nginx: NGINX: Denial of Service via
undisclosed requests when ngx_mail_auth_http_module is enabled
* Tue Apr 14 2026 pdancak <pdancak@redhat.com> - 2:1.26.3-6
- RHEL-159544 - CVE-2026-27784 nginx: NGINX: Denial of Service due to
memory corruption via crafted MP4 file
* Tue Apr 14 2026 pdancak <pdancak@redhat.com> - 2:1.26.3-5
- RHEL-159565 CVE-2026-27654 nginx: NGINX: Denial of Service or file
modification via buffer overflow in ngx_http_dav_module
* Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.26.3-4
- CVE-2026-1642 nginx: NGINX: Data injection via man-in-the-middle attack
on TLS proxied connections
* Mon Feb 16 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.26.3-3
- Resolves: RHEL-144454 - Clarify binding behavior of -t option
* Wed Dec 03 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.26.3-2
- Add tmpfiles.d rules for /var directories (bootc compatibility)
* Fri Feb 07 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.26.3-1
- New version 1.26.3
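Review bot: The upstream references for the new patches are abbreviated to different lengths (`a1d18284e0a17`, `3568812cf98df`, `9bc13718fe8a59a45`, `7725c372c2f`), while the comment for Patch9 gives the full hash; full 40-character hashes would make each backport checkable against upstream without guessing. This matters most for Patch10, which the comment says was altered ("whitespace was removed from the patch") and whose patch file has no header recording the commit. Patch11 and Patch13 also touch the same file in what looks like the reverse of upstream order, judging by their index lines (`173d8ad54..678d6296c` and `445fab1cd..173d8ad54`), so a comment noting that they are expected to apply with line offsets would save the next maintainer a check.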