Version in base suite: 1.22.1-9+deb12u3 Base version: nginx_1.22.1-9+deb12u3 Target version: nginx_1.22.1-9+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.22.1-9+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.22.1-9+deb12u4.dsc changelog | 10 +++++++++ patches/CVE-2026-1642.patch | 45 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 56 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpl37l299v/nginx_1.22.1-9+deb12u3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpl37l299v/nginx_1.22.1-9+deb12u4.dsc: no acceptable signature found diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog --- nginx-1.22.1/debian/changelog 2025-08-29 14:26:01.000000000 +0000 +++ nginx-1.22.1/debian/changelog 2026-02-10 07:11:19.000000000 +0000 @@ -1,3 +1,13 @@ +nginx (1.22.1-9+deb12u4) bookworm-security; urgency=medium + + * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642. + Fixes problem when an attacker with a man-in-the-middle position on the + upstream server side—along with conditions beyond the attacker's + control—may be able to inject plain text data into the response + from an upstream proxied server. + + -- Jan Mojžíš Tue, 10 Feb 2026 08:11:19 +0100 + nginx (1.22.1-9+deb12u3) bookworm; urgency=medium * d/p/CVE-2025-53859.patch add, fix potential information leak diff -Nru nginx-1.22.1/debian/patches/CVE-2026-1642.patch nginx-1.22.1/debian/patches/CVE-2026-1642.patch --- nginx-1.22.1/debian/patches/CVE-2026-1642.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.22.1/debian/patches/CVE-2026-1642.patch 2026-02-10 07:11:19.000000000 +0000 @@ -0,0 +1,45 @@ +Origin: https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e +From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: Upstream: detect premature plain text response from SSL backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index df577ad67..cadc74479 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2508,6 +2508,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; +-- +2.47.2 + diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series --- nginx-1.22.1/debian/patches/series 2025-08-29 14:26:01.000000000 +0000 +++ nginx-1.22.1/debian/patches/series 2026-02-10 07:11:19.000000000 +0000 @@ -7,3 +7,4 @@ CVE-2024-7347-1.patch CVE-2024-7347-2.patch CVE-2025-53859.patch +CVE-2026-1642.patch