Debrand for AlmaLinux

2026-05-18 12:25:29 +00:00 · 2026-05-18 12:25:29 +00:00 · 10690360c9
commit 10690360c9
parent b2df6872f7 c094af1fd2
2 changed files with 15 additions and 15 deletions
--- a/SOURCES/0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
+++ b/SOURCES/0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
@ -1,4 +1,4 @@
-From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
+From df738cca1e5b2bc0d3e0845648273d752c5cd8ff Mon Sep 17 00:00:00 2001
 From: Roman Arutyunyan <arut@nginx.com>
 Date: Wed, 22 Apr 2026 09:39:31 +0400
 Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
@ -26,17 +26,17 @@ Reported by Leo Lin.
 1 file changed, 1 insertion(+)

 diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
-index a2b9f1b7bf..2ea6113735 100644
+index a2b9f1b..2ea6113 100644
 --- a/src/http/ngx_http_script.c
 +++ b/src/http/ngx_http_script.c
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
-
+ 
     r = e->request;
-
+ 
 +    e->is_args = 0;
     e->quote = 0;
-
+ 
     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
--
-2.53.0
+-- 
+2.44.0

--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -30,7 +30,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.24.0
-Release:           3%{?dist}.alma.2
+Release:           3%{?dist}.1.alma.1

 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@ -98,8 +98,8 @@ Patch10:           0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
 # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
 Patch11:           0011-Mp4-avoid-zero-size-buffers-in-output.patch

-# CVE-2026-42945
-# upstream patch - https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945
+# upstream patch - https://github.com/nginx/nginx/commit/524977e7
 Patch12:           0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch

 %if 0%{?with_gperftools}
@ -577,13 +577,13 @@ fi
 %{nginx_srcdir}/

 %changelog
-* Thu May 14 2026 Jonathan Wright <jonathan@almalinux.org> - 1:1.24.0-3.alma.2
- Fix CVE-2026-42945 nginx: NGINX: Buffer overrun in rewrite module via
-  arguments in replacement strings
-
-* Tue Apr 07 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.24.0-3.alma.1
+* Mon May 18 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.24.0-3.1.alma.1
 - Debrand for AlmaLinux

+* Thu May 14 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-3.1
+- Resolves: RHEL-176224 - nginx:1.24/nginx: NGINX: Arbitrary Code Execution
+  Vulnerability (CVE-2026-42945)
+
 * Fri Mar 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 1:1.24.0-3
 - Resolves: RHEL-157877 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of
  Service or Code Execution via specially crafted MP4 files