Resolves: RHEL-146517 - nginx:1.24/nginx: NGINX: Data injection via

man-in-the-middle attack on TLS proxied connections (CVE-2026-1642)
2026-02-23 00:19:57 +01:00 · 2026-02-23 00:19:57 +01:00 · c74223fa5f
commit c74223fa5f
parent 54ad9b19be
2 changed files with 55 additions and 1 deletions
--- a/0007-Upstream-detect-premature-plain-text-response-from-S.patch
+++ b/0007-Upstream-detect-premature-plain-text-response-from-S.patch
@ -0,0 +1,45 @@
+From bad28aaf4bc2e882b2d006387d79c354579a2a9a Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 29 Jan 2026 13:27:32 +0400
+Subject: [PATCH] Upstream: detect premature plain text response from SSL
+ backend.
+
+When connecting to a backend, the connection write event is triggered
+first in most cases.  However if a response arrives quickly enough, both
+read and write events can be triggered together within the same event loop
+iteration.  In this case the read event handler is called first and the
+write event handler is called after it.
+
+SSL initialization for backend connections happens only in the write event
+handler since SSL handshake starts with sending Client Hello.  Previously,
+if a backend sent a quick plain text response, it could be parsed by the
+read event handler prior to starting SSL handshake on the connection.
+The change adds protection against parsing such responses on SSL-enabled
+connections.
+---
+ src/http/ngx_http_upstream.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index 3ae822b..6c310d8 100644
+--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
+@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+             return;
+         }
+ 
+#if (NGX_HTTP_SSL)
+        if (u->ssl && c->ssl == NULL) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "upstream prematurely sent response");
+            ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+            return;
+        }
+#endif
+
+         u->state->bytes_received += n;
+ 
+         u->buffer.last += n;
+-- 
+2.44.0
+
--- a/nginx.spec
+++ b/nginx.spec
@ -30,7 +30,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.24.0
-Release:           1%{?dist}
+Release:           2%{?dist}

 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@ -77,6 +77,10 @@ Patch5:            nginx-1.18.0-pkcs11-cert.patch
 # https://issues.redhat.com/browse/RHEL-12728
 Patch6:            nginx-1.22-CVE-2023-44487.patch

+# https://issues.redhat.com/browse/RHEL-146516
+# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
+Patch7:            0007-Upstream-detect-premature-plain-text-response-from-S.patch
+
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
 %endif
@ -234,6 +238,7 @@ Requires:          zlib-devel
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1

 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .

@ -546,6 +551,10 @@ fi
 %{nginx_srcdir}/

 %changelog
+* Sun Feb 22 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-2
+- Resolves: RHEL-146517 - nginx:1.24/nginx: NGINX: Data injection via
+  man-in-the-middle attack on TLS proxied connections (CVE-2026-1642)
+
 * Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-1
 - Resolves: RHEL-14714 - add nginx:1.24 to RHEL 8.10