From c74223fa5f0f1755f007f9e1e499f660d0f28e5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 23 Feb 2026 00:19:57 +0100 Subject: [PATCH] Resolves: RHEL-146517 - nginx:1.24/nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections (CVE-2026-1642) --- ...premature-plain-text-response-from-S.patch | 45 +++++++++++++++++++ nginx.spec | 11 ++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 0007-Upstream-detect-premature-plain-text-response-from-S.patch diff --git a/0007-Upstream-detect-premature-plain-text-response-from-S.patch b/0007-Upstream-detect-premature-plain-text-response-from-S.patch new file mode 100644 index 0000000..af845cf --- /dev/null +++ b/0007-Upstream-detect-premature-plain-text-response-from-S.patch @@ -0,0 +1,45 @@ +From bad28aaf4bc2e882b2d006387d79c354579a2a9a Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: [PATCH] Upstream: detect premature plain text response from SSL + backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 3ae822b..6c310d8 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2441,6 +2441,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; +-- +2.44.0 + diff --git a/nginx.spec b/nginx.spec index fb80d65..c392b35 100644 --- a/nginx.spec +++ b/nginx.spec @@ -30,7 +30,7 @@ Name: nginx Epoch: 1 Version: 1.24.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons @@ -77,6 +77,10 @@ Patch5: nginx-1.18.0-pkcs11-cert.patch # https://issues.redhat.com/browse/RHEL-12728 Patch6: nginx-1.22-CVE-2023-44487.patch +# https://issues.redhat.com/browse/RHEL-146516 +# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e +Patch7: 0007-Upstream-detect-premature-plain-text-response-from-S.patch + %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif @@ -234,6 +238,7 @@ Requires: zlib-devel %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . @@ -546,6 +551,10 @@ fi %{nginx_srcdir}/ %changelog +* Sun Feb 22 2026 Luboš Uhliarik - 1:1.24.0-2 +- Resolves: RHEL-146517 - nginx:1.24/nginx: NGINX: Data injection via + man-in-the-middle attack on TLS proxied connections (CVE-2026-1642) + * Thu Jan 18 2024 Luboš Uhliarik - 1:1.24.0-1 - Resolves: RHEL-14714 - add nginx:1.24 to RHEL 8.10