diff --git a/SOURCES/0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch b/SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch similarity index 100% rename from SOURCES/0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch rename to SOURCES/0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch diff --git a/SOURCES/0011-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch b/SOURCES/0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch similarity index 100% rename from SOURCES/0011-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch rename to SOURCES/0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch diff --git a/SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch b/SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch new file mode 100644 index 0000000..ba85cc4 --- /dev/null +++ b/SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch @@ -0,0 +1,45 @@ +From 93ac6eae019e30fc22d2d5321acb28de549f73aa Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: [PATCH] Upstream: detect premature plain text response from SSL + backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 2ce9f21..70c3b46 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; +-- +2.44.0 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 02b22b1..c8740e7 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -41,7 +41,7 @@ Name: nginx Epoch: 2 Version: 1.20.1 -Release: 22%{?dist}.3.alma.2 +Release: 24%{?dist}.1.alma.1 Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -104,15 +104,19 @@ Patch9: 0010-Optimized-chain-link-usage.patch # upstream patch - https://issues.redhat.com/browse/RHEL-78236 Patch10: nginx-1.20.1-CVE-2025-23419.patch -# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966 -Patch11: 0011-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch +# upstream patch - https://issues.redhat.com/browse/RHEL-6786 +Patch11: 0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch # upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2141496 # - https://bugzilla.redhat.com/show_bug.cgi?id=2141495 Patch12: 0012-CVE-2022-41741-and-CVE-2022-41742-fix.patch -# upstream patch - https://issues.redhat.com/browse/RHEL-6786 -Patch13: 0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch +# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966 +Patch13: 0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch + +# https://issues.redhat.com/browse/RHEL-146516 +# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e +Patch14: 0014-Upstream-detect-premature-plain-text-response-from-S.patch BuildRequires: make BuildRequires: gcc @@ -623,25 +627,24 @@ fi %changelog -* Mon Oct 20 2025 Eduard Abdullin - 2:1.20.1-22.3.alma.2 -- Rebuilt to apply https://git.almalinux.org/autopatch/nginx/pulls/1 - -* Tue Jun 24 2025 Eduard Abdullin - 2:1.20.1-22.3.alma.1 +* Thu Mar 26 2026 Eduard Abdullin - 2:1.20.1-24.1.alma.1 - Debrand for AlmaLinux -* Wed May 14 2025 Luboš Uhliarik - 2:1.20.1-22.3 -- Resolves: RHEL-89991 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER at - nginx with reverse-proxy +* Thu Feb 19 2026 Luboš Uhliarik - 2:1.20.1-24.1 +- Resolves: RHEL-146525 - nginx: NGINX: Data injection via man-in-the-middle + attack on TLS proxied connections (CVE-2026-1642) -* Mon Mar 31 2025 Luboš Uhliarik - 2:1.20.1-22.2 -- Resolves: RHEL-85550 - nginx: Memory disclosure in the +* Wed May 14 2025 Luboš Uhliarik - 2:1.20.1-24 +- Resolves: RHEL-84477 - nginx: specially crafted MP4 file may cause + denial of service (CVE-2024-7347) +- Resolves: RHEL-85556 - nginx: Memory disclosure in the ngx_http_mp4_module (CVE-2022-41742) -- Resolves: RHEL-85527 - nginx: Memory corruption in the +- Resolves: RHEL-91446 - nginx: Memory corruption in the ngx_http_mp4_module (CVE-2022-41741) -* Fri Mar 21 2025 Luboš Uhliarik - 2:1.20.1-22.1 -- Resolves: RHEL-84339 - nginx: Nginx: Specially crafted file may cause - Denial of Service (CVE-2024-7347) +* Thu Apr 24 2025 Luboš Uhliarik - 2:1.20.1-23 +- Resolves: RHEL-6786 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER + at nginx with reverse-proxy * Thu Feb 13 2025 Luboš Uhliarik - 2:1.20.1-22 - Resolves: RHEL-78236 - nginx: TLS Session Resumption