From c59f11a339b0553898f67587fbad79d7a8f67c26 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 19 May 2026 20:48:56 -0400 Subject: [PATCH] import UBI nginx-1.20.1-28.el9_8.2 --- ...Clarify-binding-behavior-of-t-option.patch | 37 +++++++++++ ...remature-plain-text-response-from-S.patch} | 0 ...length-validation-for-COPY-and-MOVE.patch} | 0 ...e-integer-overflow-on-32-bit-platfo.patch} | 0 ...ring-s-passwd-in-auth-http-requests.patch} | 0 ...4-avoid-zero-size-buffers-in-output.patch} | 0 ...scaping-and-possible-buffer-overrun.patch} | 2 +- SOURCES/nginx.tmpfiles | 4 ++ SPECS/nginx.spec | 64 +++++++++++++------ 9 files changed, 85 insertions(+), 22 deletions(-) create mode 100644 SOURCES/0014-Clarify-binding-behavior-of-t-option.patch rename SOURCES/{0014-Upstream-detect-premature-plain-text-response-from-S.patch => 0015-Upstream-detect-premature-plain-text-response-from-S.patch} (100%) rename SOURCES/{0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch => 0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch} (100%) rename SOURCES/{0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch => 0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch} (100%) rename SOURCES/{0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch => 0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch} (100%) rename SOURCES/{0018-Mp4-avoid-zero-size-buffers-in-output.patch => 0019-Mp4-avoid-zero-size-buffers-in-output.patch} (100%) rename SOURCES/{0019-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch => 0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch} (95%) create mode 100644 SOURCES/nginx.tmpfiles diff --git a/SOURCES/0014-Clarify-binding-behavior-of-t-option.patch b/SOURCES/0014-Clarify-binding-behavior-of-t-option.patch new file mode 100644 index 0000000..dee159f --- /dev/null +++ b/SOURCES/0014-Clarify-binding-behavior-of-t-option.patch @@ -0,0 +1,37 @@ +From dc847f7aedf0b4f8bbf9d7f9ba983541c6ca88c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Tue, 20 Jan 2026 19:27:05 +0100 +Subject: [PATCH] Clarify binding behavior of -t option. + +Configuration testing includes binding to configured listen addresses +when opening referenced files. +--- + man/nginx.8 | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/man/nginx.8 b/man/nginx.8 +index 10db3e6..64d9ae7 100644 +--- a/man/nginx.8 ++++ b/man/nginx.8 +@@ -25,7 +25,7 @@ + .\" SUCH DAMAGE. + .\" + .\" +-.Dd November 5, 2020 ++.Dd January 21, 2026 + .Dt NGINX 8 + .Os + .Sh NAME +@@ -98,7 +98,8 @@ but additionally dump configuration files to standard output. + Do not run, just test the configuration file. + .Nm + checks the configuration file syntax and then tries to open files +-referenced in the configuration file. ++referenced in the configuration file, including binding to configured ++listen addresses. + .It Fl V + Print the + .Nm +-- +2.44.0 + diff --git a/SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch b/SOURCES/0015-Upstream-detect-premature-plain-text-response-from-S.patch similarity index 100% rename from SOURCES/0014-Upstream-detect-premature-plain-text-response-from-S.patch rename to SOURCES/0015-Upstream-detect-premature-plain-text-response-from-S.patch diff --git a/SOURCES/0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch b/SOURCES/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch similarity index 100% rename from SOURCES/0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch rename to SOURCES/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch diff --git a/SOURCES/0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch b/SOURCES/0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch similarity index 100% rename from SOURCES/0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch rename to SOURCES/0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch diff --git a/SOURCES/0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch b/SOURCES/0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch similarity index 100% rename from SOURCES/0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch rename to SOURCES/0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch diff --git a/SOURCES/0018-Mp4-avoid-zero-size-buffers-in-output.patch b/SOURCES/0019-Mp4-avoid-zero-size-buffers-in-output.patch similarity index 100% rename from SOURCES/0018-Mp4-avoid-zero-size-buffers-in-output.patch rename to SOURCES/0019-Mp4-avoid-zero-size-buffers-in-output.patch diff --git a/SOURCES/0019-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch b/SOURCES/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch similarity index 95% rename from SOURCES/0019-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch rename to SOURCES/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch index e1d4e67..fa40306 100644 --- a/SOURCES/0019-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch +++ b/SOURCES/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch @@ -1,4 +1,4 @@ -From 63301166f15b8e696e25a63e3b8fc1984f5e630e Mon Sep 17 00:00:00 2001 +From 3a743478999c0e2a021855f1685caedfa8b7ace6 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Wed, 22 Apr 2026 09:39:31 +0400 Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun diff --git a/SOURCES/nginx.tmpfiles b/SOURCES/nginx.tmpfiles new file mode 100644 index 0000000..74cc467 --- /dev/null +++ b/SOURCES/nginx.tmpfiles @@ -0,0 +1,4 @@ +d /var/lib/nginx 770 nginx root - +d /var/lib/nginx/tmp 770 nginx root - +d /var/log/nginx 711 root root - + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 4e52a17..9668cc8 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -41,7 +41,7 @@ Name: nginx Epoch: 2 Version: 1.20.1 -Release: 24%{?dist}.3 +Release: 28%{?dist}.2 Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -63,6 +63,7 @@ Source14: nginx-upgrade.8 Source15: macros.nginxmods.in Source16: nginxmods.attr Source17: nginx.sysusers +Source18: nginx.tmpfiles Source102: nginx-logo.png Source103: 404.html Source104: 50x.html @@ -114,30 +115,34 @@ Patch12: 0012-CVE-2022-41741-and-CVE-2022-41742-fix.patch # upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966 Patch13: 0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch +# https://issues.redhat.com/browse/RHEL-113229 +# upstream patch - https://github.com/nginx/nginx/pull/1089 +Patch14: 0014-Clarify-binding-behavior-of-t-option.patch + # https://issues.redhat.com/browse/RHEL-146516 # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e -Patch14: 0014-Upstream-detect-premature-plain-text-response-from-S.patch +Patch15: 0015-Upstream-detect-premature-plain-text-response-from-S.patch -# https://redhat.atlassian.net/browse/RHEL-159557 +# https://redhat.atlassian.net/browse/RHEL-159560 # upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17 # whitespace were removed from the patch -Patch15: 0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch +Patch16: 0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch -# https://redhat.atlassian.net/browse/RHEL-159536 +# https://redhat.atlassian.net/browse/RHEL-159539 # upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df -Patch16: 0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch +Patch17: 0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch -# https://redhat.atlassian.net/browse/RHEL-159444 +# https://redhat.atlassian.net/browse/RHEL-159447 # upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45 -Patch17: 0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch +Patch18: 0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch -# https://redhat.atlassian.net/browse/RHEL-157885 +# https://redhat.atlassian.net/browse/RHEL-157888 # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f -Patch18: 0018-Mp4-avoid-zero-size-buffers-in-output.patch +Patch19: 0019-Mp4-avoid-zero-size-buffers-in-output.patch # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945 # upstream patch - https://github.com/nginx/nginx/commit/524977e7 -Patch19: 0019-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch +Patch20: 0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch BuildRequires: make BuildRequires: gcc @@ -433,6 +438,8 @@ install -p -m 0644 ./nginx.conf \ %{buildroot}%{_sysconfdir}/nginx rm -f %{buildroot}%{_datadir}/nginx/html/index.html +rm -f %{buildroot}%{_datadir}/nginx/html/50x.html + %if 0%{?el7} ln -s ../../doc/HTML/index.html \ %{buildroot}%{_datadir}/nginx/html/index.html @@ -508,6 +515,10 @@ install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} # install sysusers file install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/nginx.conf +# tmpfiles.d configuration +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 644 -p %{SOURCE18} %{buildroot}%{_tmpfilesdir}/nginx.conf + %pre filesystem %sysusers_create_compat %{SOURCE17} @@ -595,6 +606,7 @@ fi %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp %attr(711,root,root) %dir %{_localstatedir}/log/nginx +%{_tmpfilesdir}/nginx.conf %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log %dir %{nginx_moduledir} @@ -648,19 +660,29 @@ fi %changelog -* Thu May 14 2026 Luboš Uhliarik - 2:1.20.1-24.3 -- Resolves: RHEL-176230 - nginx: NGINX: Arbitrary Code Execution +* Thu May 14 2026 Luboš Uhliarik - 2:1.20.1-28.2 +- Resolves: RHEL-176232 - nginx: NGINX: Arbitrary Code Execution Vulnerability (CVE-2026-42945) -* Tue Mar 31 2026 Zdenek Dohnal - 2:1.20.1-24.2 -- Resolves: RHEL-159557 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module -- Resolves: RHEL-159536 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file -- Resolves: RHEL-159444 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled -- Resolves: RHEL-157885 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files +* Fri Mar 27 2026 Zdenek Dohnal - 2:1.20.1-28.1 +- RHEL-159560 CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module +- RHEL-159539 CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file +- RHEL-159447 CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled +- RHEL-157888 CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files -* Thu Feb 19 2026 Luboš Uhliarik - 2:1.20.1-24.1 -- Resolves: RHEL-146525 - nginx: NGINX: Data injection via man-in-the-middle - attack on TLS proxied connections (CVE-2026-1642) +* Tue Feb 17 2026 Luboš Uhliarik - 2:1.20.1-28 +- Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via + man-in-the-middle attack on TLS proxied connection + +* Thu Jan 29 2026 Luboš Uhliarik - 2:1.20.1-27 +- Resolves: RHEL-145177 - Clarify binding behavior of -t option + +* Thu Nov 20 2025 Luboš Uhliarik - 2:1.20.1-26 +- Resolves: RHEL-102548 - Remove 50x.html for nginx 1.26 + +* Wed Nov 19 2025 Luboš Uhliarik - 2:1.20.1-25 +- Resolves: RHEL-114935 - Image mode: The dir /var/lib and /var/log + is not created when updating system in image mode * Wed May 14 2025 Luboš Uhliarik - 2:1.20.1-24 - Resolves: RHEL-84477 - nginx: specially crafted MP4 file may cause