Debrand for AlmaLinux

2026-03-26 07:53:30 +00:00 · 2026-03-26 07:53:30 +00:00 · 128715bdf1
commit 128715bdf1
parent 4f988f61f3 a4d2ff00e7
4 changed files with 66 additions and 18 deletions
--- a/SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
+++ b/SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
--- a/SOURCES/0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
+++ b/SOURCES/0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
--- a/SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch
+++ b/SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch
@ -0,0 +1,45 @@
+From 93ac6eae019e30fc22d2d5321acb28de549f73aa Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 29 Jan 2026 13:27:32 +0400
+Subject: [PATCH] Upstream: detect premature plain text response from SSL
+ backend.
+
+When connecting to a backend, the connection write event is triggered
+first in most cases.  However if a response arrives quickly enough, both
+read and write events can be triggered together within the same event loop
+iteration.  In this case the read event handler is called first and the
+write event handler is called after it.
+
+SSL initialization for backend connections happens only in the write event
+handler since SSL handshake starts with sending Client Hello.  Previously,
+if a backend sent a quick plain text response, it could be parsed by the
+read event handler prior to starting SSL handshake on the connection.
+The change adds protection against parsing such responses on SSL-enabled
+connections.
+---
+ src/http/ngx_http_upstream.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index 2ce9f21..70c3b46 100644
+--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
+@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+             return;
+         }
+ 
+#if (NGX_HTTP_SSL)
+        if (u->ssl && c->ssl == NULL) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "upstream prematurely sent response");
+            ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+            return;
+        }
+#endif
+
+         u->state->bytes_received += n;
+ 
+         u->buffer.last += n;
+-- 
+2.44.0
+
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           22%{?dist}.3.alma.2
+Release:           24%{?dist}.1.alma.1

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -104,15 +104,19 @@ Patch9:            0010-Optimized-chain-link-usage.patch
 # upstream patch - https://issues.redhat.com/browse/RHEL-78236
 Patch10:           nginx-1.20.1-CVE-2025-23419.patch

-# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966
-Patch11:           0011-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
+# upstream patch - https://issues.redhat.com/browse/RHEL-6786
+Patch11:           0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch

 # upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2141496
 #                - https://bugzilla.redhat.com/show_bug.cgi?id=2141495
 Patch12:           0012-CVE-2022-41741-and-CVE-2022-41742-fix.patch

-# upstream patch - https://issues.redhat.com/browse/RHEL-6786
-Patch13:           0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
+# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966
+Patch13:           0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
+
+# https://issues.redhat.com/browse/RHEL-146516
+# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
+Patch14:           0014-Upstream-detect-premature-plain-text-response-from-S.patch

 BuildRequires:     make
 BuildRequires:     gcc
@ -623,25 +627,24 @@ fi


 %changelog
-* Mon Oct 20 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.3.alma.2
- Rebuilt to apply https://git.almalinux.org/autopatch/nginx/pulls/1
-
-* Tue Jun 24 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.3.alma.1
+* Thu Mar 26 2026 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-24.1.alma.1
 - Debrand for AlmaLinux

-* Wed May 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22.3
- Resolves: RHEL-89991 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER at
-  nginx with reverse-proxy
+* Thu Feb 19 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24.1
+- Resolves: RHEL-146525 - nginx: NGINX: Data injection via man-in-the-middle
+  attack on TLS proxied connections (CVE-2026-1642)

-* Mon Mar 31 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22.2
- Resolves: RHEL-85550 - nginx: Memory disclosure in the
+* Wed May 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24
+- Resolves: RHEL-84477 - nginx: specially crafted MP4 file may cause
+  denial of service (CVE-2024-7347)
+- Resolves: RHEL-85556 - nginx: Memory disclosure in the
  ngx_http_mp4_module (CVE-2022-41742)
- Resolves: RHEL-85527 - nginx: Memory corruption in the
+- Resolves: RHEL-91446 - nginx: Memory corruption in the
  ngx_http_mp4_module (CVE-2022-41741)

-* Fri Mar 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22.1
- Resolves: RHEL-84339 - nginx: Nginx: Specially crafted file may cause
-  Denial of Service (CVE-2024-7347)
+* Thu Apr 24 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-23
+- Resolves: RHEL-6786 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER
+  at nginx with reverse-proxy

 * Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
 - Resolves: RHEL-78236 - nginx: TLS Session Resumption