diff --git a/SOURCES/0009-Clarify-binding-behavior-of-t-option.patch b/SOURCES/0009-Clarify-binding-behavior-of-t-option.patch
new file mode 100644
index 0000000..dee159f
--- /dev/null
+++ b/SOURCES/0009-Clarify-binding-behavior-of-t-option.patch
@@ -0,0 +1,37 @@
+From dc847f7aedf0b4f8bbf9d7f9ba983541c6ca88c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
+Date: Tue, 20 Jan 2026 19:27:05 +0100
+Subject: [PATCH] Clarify binding behavior of -t option.
+
+Configuration testing includes binding to configured listen addresses
+when opening referenced files.
+---
+ man/nginx.8 | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/nginx.8 b/man/nginx.8
+index 10db3e6..64d9ae7 100644
+--- a/man/nginx.8
++++ b/man/nginx.8
+@@ -25,7 +25,7 @@
+ .\" SUCH DAMAGE.
+ .\"
+ .\"
+-.Dd November 5, 2020
++.Dd January 21, 2026
+ .Dt NGINX 8
+ .Os
+ .Sh NAME
+@@ -98,7 +98,8 @@ but additionally dump configuration files to standard output.
+ Do not run, just test the configuration file.
+ .Nm
+ checks the configuration file syntax and then tries to open files
+-referenced in the configuration file.
++referenced in the configuration file, including binding to configured
++listen addresses.
+ .It Fl V
+ Print the
+ .Nm
+--
+2.44.0
+
diff --git a/SOURCES/0009-Upstream-detect-premature-plain-text-response-from-S.patch b/SOURCES/0010-Upstream-detect-premature-plain-text-response-from-S.patch
similarity index 100%
rename from SOURCES/0009-Upstream-detect-premature-plain-text-response-from-S.patch
rename to SOURCES/0010-Upstream-detect-premature-plain-text-response-from-S.patch
diff --git a/SOURCES/0010-Dav-destination-length-validation-for-COPY-and-MOVE.patch b/SOURCES/0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch
similarity index 100%
rename from SOURCES/0010-Dav-destination-length-validation-for-COPY-and-MOVE.patch
rename to SOURCES/0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch
diff --git a/SOURCES/0011-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch b/SOURCES/0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
similarity index 100%
rename from SOURCES/0011-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
rename to SOURCES/0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
diff --git a/SOURCES/0012-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch b/SOURCES/0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
similarity index 100%
rename from SOURCES/0012-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
rename to SOURCES/0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
diff --git a/SOURCES/0013-Mp4-avoid-zero-size-buffers-in-output.patch b/SOURCES/0014-Mp4-avoid-zero-size-buffers-in-output.patch
similarity index 100%
rename from SOURCES/0013-Mp4-avoid-zero-size-buffers-in-output.patch
rename to SOURCES/0014-Mp4-avoid-zero-size-buffers-in-output.patch
diff --git a/SOURCES/0015-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch b/SOURCES/0015-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
new file mode 100644
index 0000000..405f180
--- /dev/null
+++ b/SOURCES/0015-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
@@ -0,0 +1,42 @@
+From c322092dbcbdc061a1dea461f4c2eecabb850d79 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan
+Date: Wed, 22 Apr 2026 09:39:31 +0400
+Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
+
+The following code resulted in incorrect escaping of $1 and possible
+segfault:
+
+ location / {
+ rewrite ^(.*) /new?c=1;
+ set $myvar $1;
+ return 200 $myvar;
+ }
+
+If there were arguments in a rewrite's replacement string, the is_args flag
+was set and incorrectly never cleared. This resulted in escaping applied
+to any captures evaluated afterwards in set or if. Additionally buffer was
+allocated by ngx_http_script_complex_value_code() without escaping expected,
+thus this also resulted in buffer overrun and possible segfault.
+
+A similar issue was fixed in 74d939974d43.
+
+Reported by Leo Lin.
+---
+ src/http/ngx_http_script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index a2b9f1b..2ea6113 100644
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
+
+ r = e->request;
+
++ e->is_args = 0;
+ e->quote = 0;
+
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+--
+2.44.0
+
diff --git a/SOURCES/nginx.tmpfiles b/SOURCES/nginx.tmpfiles
new file mode 100644
index 0000000..1f84d81
--- /dev/null
+++ b/SOURCES/nginx.tmpfiles
@@ -0,0 +1,3 @@
+d /var/lib/nginx 770 nginx root -
+d /var/lib/nginx/tmp 770 nginx root -
+d /var/log/nginx 711 root root -
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index 2663fc8..a178054 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
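Review bot: The added `e->is_args = 0;` in ngx_http_script_regex_end_code() carries no comment, and the reason for it lives only in the patch description; a short comment would keep the reset from being dropped in a later cleanup, for example `/* a stale is_args makes later capture copies escape into a buffer sized without escaping */`. The reset sits in the end code only, so it presumably relies on every rewrite that sets the flag also reaching this function; that cannot be confirmed here, because the body of ngx_http_script_regex_end_code() starts and ends outside the hunk. The description already contains a reproducer configuration while the patch touches only the one line in src/http/ngx_http_script.c, so a regression test built on that configuration would be a useful follow-up.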
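Review bot: The modes and owners in nginx.tmpfiles repeat the `%attr(770,%{nginx_user},root)` and `%attr(711,root,root)` directory entries of nginx.spec, and nothing ties the two together, so a later change to one can leave /var/lib/nginx or /var/log/nginx with different permissions depending on whether the package or systemd-tmpfiles created the directory. A leading comment such as `# Keep modes and owners in sync with the %attr directory entries in nginx.spec` would make the dependency visible. The owner is written as the literal `nginx` here while the spec uses `%{nginx_user}`; that only matters if the macro is ever redefined.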
@@ -1,6 +1,11 @@ ## START: Set by rpmautospec ## (rpmautospec version 0.6.5) -## RPMAUTOSPEC: autochangelog +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 9; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} ## END: Set by rpmautospec %global _hardened_build 1 @@ -67,7 +72,7 @@ Name: nginx Epoch: 2 Version: 1.26.3 -Release: 2%{?dist}.1 +Release: %autorelease Summary: A high performance web server and reverse proxy server License: BSD-2-Clause @@ -91,6 +96,7 @@ Source16: nginxmods.attr Source17: nginx-ssl-pass-dialog Source18: nginx@.service Source19: nginx.sysusers +Source20: nginx.tmpfiles Source102: nginx-logo.png Source200: README.dynamic Source210: UPGRADE-NOTES-1.6-to-1.10 
@@ -123,27 +129,34 @@ Patch6: 0007-Support-loading-cert-hardware-token-PKC.patch # downstream patch - https://issues.redhat.com/browse/RHEL-40621 Patch7: 0008-defer-ENGINE_finish-calls-to-a-cleanup.patch +# https://issues.redhat.com/browse/RHEL-113229 +# upstream patch - https://github.com/nginx/nginx/pull/1089 +Patch8: 0009-Clarify-binding-behavior-of-t-option.patch + # https://issues.redhat.com/browse/RHEL-146516 # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e -Patch8: 0009-Upstream-detect-premature-plain-text-response-from-S.patch +Patch9: 0010-Upstream-detect-premature-plain-text-response-from-S.patch -# https://redhat.atlassian.net/browse/RHEL-159559 +# https://redhat.atlassian.net/browse/RHEL-159562 # upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17 # whitespace were removed from the patch -Patch9: 0010-Dav-destination-length-validation-for-COPY-and-MOVE.patch +Patch10: 0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch -# https://redhat.atlassian.net/browse/RHEL-159538 +# https://redhat.atlassian.net/browse/RHEL-159541 # upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df -Patch10: 0011-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch +Patch11: 0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch -# https://redhat.atlassian.net/browse/RHEL-159446 +# https://redhat.atlassian.net/browse/RHEL-159449 # upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45 -Patch11: 0012-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch +Patch12: 0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch -# https://redhat.atlassian.net/browse/RHEL-157887 +# https://redhat.atlassian.net/browse/RHEL-157890 # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f -Patch12: 0013-Mp4-avoid-zero-size-buffers-in-output.patch +Patch13: 0014-Mp4-avoid-zero-size-buffers-in-output.patch +# 
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945 +# upstream patch - https://github.com/nginx/nginx/commit/524977e7 +Patch14: 0015-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch BuildRequires: make BuildRequires: gcc @@ -523,6 +536,10 @@ install -m755 $RPM_SOURCE_DIR/nginx-ssl-pass-dialog \ # install sysusers file install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/nginx.conf +# tmpfiles.d configuration +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 644 -p %{SOURCE20} %{buildroot}%{_tmpfilesdir}/nginx.conf + %pre filesystem %sysusers_create_compat %{SOURCE19} @@ -612,6 +629,7 @@ fi %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp %attr(711,root,root) %dir %{_localstatedir}/log/nginx +%{_tmpfilesdir}/nginx.conf %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log %dir %{nginx_moduledir} 
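Review bot: The comment for Patch14 cites upstream commit `524977e7`, while the `From` line of 0015-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch carries `c322092dbcbdc061a1dea461f4c2eecabb850d79`; if the latter is only the hash of the backport commit the comment should say so, otherwise the reference needs correcting so the security fix can be traced to its upstream origin. The entry also points at a Bugzilla CVE alias, whereas the other patch comments in this hunk link the RHEL tracker issue and the changelog names RHEL-176218 for this fix; using the same tracker reference here would keep the patch list consistent. The abbreviated hash is also shorter than the ones used for the neighbouring entries, and the full hash is the safer reference for a security patch.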
@@ -666,26 +684,35 @@ fi %changelog ## START: Generated by rpmautospec -* Wed Apr 01 2026 Zdenek Dohnal - 2:1.26.3-6 -- Resolves: RHEL-157887 - CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of - Service or Code Execution via specially crafted MP4 files +* Thu May 14 2026 Luboš Uhliarik - 2:1.26.3-9 +- Resolves: RHEL-176218 - nginx:1.26/nginx: NGINX: Arbitrary Code Execution + Vulnerability (CVE-2026-42945) -* Wed Apr 01 2026 Zdenek Dohnal - 2:1.26.3-5 -- Resolves: RHEL-159446 - CVE-2026-27651 nginx:1.26/nginx: NGINX: Denial of - Service via undisclosed requests when ngx_mail_auth_http_module is - enabled +* Fri Mar 27 2026 Zdenek Dohnal - 2:1.26.3-8 +- CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of Service or Code + Execution via specially crafted MP4 files -* Wed Apr 01 2026 Zdenek Dohnal - 2:1.26.3-4 -- Resolves: RHEL-159538 - CVE-2026-27784 nginx:1.26/nginx: NGINX: Denial of - Service due to memory corruption via crafted MP4 file +* Fri Mar 27 2026 Zdenek Dohnal - 2:1.26.3-7 +- CVE-2026-27651 nginx:1.26/nginx: NGINX: Denial of Service via undisclosed + requests when ngx_mail_auth_http_module is enabled -* Wed Apr 01 2026 Zdenek Dohnal - 2:1.26.3-3 -- Resolves: RHEL-159559 - CVE-2026-27654 nginx:1.26/nginx: NGINX: Denial of - Service or file modification via buffer overflow in ngx_http_dav_module +* Fri Mar 27 2026 Zdenek Dohnal - 2:1.26.3-6 +- CVE-2026-27784 nginx:1.26/nginx: NGINX: Denial of Service due to memory + corruption via crafted MP4 file -* Thu Feb 19 2026 Luboš Uhliarik - 2:1.26.3-2 -- nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied - connections (CVE-2026-1642) +* Fri Mar 27 2026 Zdenek Dohnal - 2:1.26.3-5 +- CVE-2026-27654 nginx:1.26/nginx: NGINX: Denial of Service or file + modification via buffer overflow in ngx_http_dav_module + +* Tue Feb 17 2026 Luboš Uhliarik - 2:1.26.3-4 +- CVE-2026-1642 nginx: NGINX: Data injection via man-in-the-middle attack + on TLS proxied connections + +* Mon Feb 16 2026 Luboš Uhliarik - 
2:1.26.3-3 +- Resolves: RHEL-144454 - Clarify binding behavior of -t option + +* Wed Dec 03 2025 Luboš Uhliarik - 2:1.26.3-2 +- Add tmpfiles.d rules for /var directories (bootc compatibility) * Fri Feb 07 2025 Luboš Uhliarik - 2:1.26.3-1 - New version 1.26.3