feature: add patches for CVE-2026-1642.

2026-03-13 09:20:35 +08:00 · 2026-03-13 08:35:50 +08:00
parent 2518f8ef63
commit e18088b900
3 changed files with 49 additions and 1 deletions
--- a/patches/nginx/1.29.2/nginx-1.29.2-CVE-2026-1642.patch
+++ b/patches/nginx/1.29.2/nginx-1.29.2-CVE-2026-1642.patch
@@ -0,0 +1,39 @@
+commit a59f5f099a89dc8eaebd48077292313f9f7e33e3
+Author: Roman Arutyunyan <arut@nginx.com>
+Date:   Thu Jan 29 13:27:32 2026 +0400
+
+    Upstream: detect premature plain text response from SSL backend.
+    
+    When connecting to a backend, the connection write event is triggered
+    first in most cases.  However if a response arrives quickly enough, both
+    read and write events can be triggered together within the same event loop
+    iteration.  In this case the read event handler is called first and the
+    write event handler is called after it.
+    
+    SSL initialization for backend connections happens only in the write event
+    handler since SSL handshake starts with sending Client Hello.  Previously,
+    if a backend sent a quick plain text response, it could be parsed by the
+    read event handler prior to starting SSL handshake on the connection.
+    The change adds protection against parsing such responses on SSL-enabled
+    connections.
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index 2e4b2b48f..1a443993f 100644
+--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
+@@ -2528,6 +2528,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+             return;
+         }
+ 
+#if (NGX_HTTP_SSL)
+        if (u->ssl && c->ssl == NULL) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "upstream prematurely sent response");
+            ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+            return;
+        }
+#endif
+
+         u->state->bytes_received += n;
+ 
+         u->buffer.last += n;
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -541,6 +541,15 @@ if [ "$answer" = "Y" ]; then
 fi


+answer=`$root/util/ver-ge "$main_ver" 1.21.4`
+if [ "$answer" = "Y" ]; then
+    answer=`$root/util/ver-ge "$main_ver" 1.29.6`
+    if [ "$answer" = "N" ]; then
+        echo "$info_txt applying the patch for nginx security advisory (CVE-2026-1642)"
+        patch -p1 < $root/patches/nginx/$main_ver/nginx-$main_ver-CVE-2026-1642.patch || exit 1
+    fi
+fi
+
 echo "$info_txt applying the upstream_timeout_fields patch for nginx"
 patch -p1 < $root/patches/nginx/$main_ver/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
 echo
--- a/util/ver
+++ b/util/ver
@@ -1,7 +1,7 @@
 #!/bin/bash

 main_ver=1.29.2
-minor_ver=1
+minor_ver=2
 version=$main_ver.$minor_ver
 echo $version