Version in base suite: 1.22.1-9+deb12u6 Base version: nginx_1.22.1-9+deb12u6 Target version: nginx_1.22.1-9+deb12u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.22.1-9+deb12u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.22.1-9+deb12u7.dsc changelog | 14 ++++++ patches/CVE-2026-40701.patch | 70 ++++++++++++++++++++++++++++++++++ patches/CVE-2026-42934.patch | 73 +++++++++++++++++++++++++++++++++++ patches/CVE-2026-42945.patch | 43 +++++++++++++++++++++ patches/CVE-2026-42946.patch | 88 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 4 + 6 files changed, 292 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpd21152i_/nginx_1.22.1-9+deb12u6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpd21152i_/nginx_1.22.1-9+deb12u7.dsc: no acceptable signature found
diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog 2026-04-22 20:15:43.000000000 +0000
+++ nginx-1.22.1/debian/changelog 2026-05-15 14:05:41.000000000 +0000
@@ -1,3 +1,17 @@
+nginx (1.22.1-9+deb12u7) bookworm-security; urgency=medium
+
+ * backport changes from upstream nginx,c buffer overflow in
+ the ngx_http_rewrite_module (CVE-2026-42945), buffer overread in
+ the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946),
+ resolver use-after-free in OCSP (CVE-2026-40701), buffer overread in
+ the ngx_http_charset_module (CVE-2026-42934)
+ * d/p/CVE-2026-42945.patch add
+ * d/p/CVE-2026-42946.patch add
+ * d/p/CVE-2026-40701.patch add
+ * d/p/CVE-2026-42934.patch add
+
+ -- Jan Mojžíš Fri, 15 May 2026 14:05:41 +0000
+
 nginx (1.22.1-9+deb12u6) bookworm; urgency=medium
 
 * d/conf/*_params: use "$host" instead of "$http_host"
diff -Nru nginx-1.22.1/debian/patches/CVE-2026-40701.patch nginx-1.22.1/debian/patches/CVE-2026-40701.patch
--- nginx-1.22.1/debian/patches/CVE-2026-40701.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.22.1/debian/patches/CVE-2026-40701.patch 2026-05-15 14:05:41.000000000 +0000
@@ -0,0 +1,70 @@
+Origin: https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1
+From d2b8d47741820c9fb134c6731ecb40b21f3085b1 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan
+Date: Tue, 21 Apr 2026 14:51:41 +0400
+Subject: [PATCH] OCSP: resolve cleanup on connection close
+
+Previously, when a client SSL connection was terminated (typically due to a
+timeout) while resolving an OCSP responder, the OCSP context was freed, but
+the resolve context was not. This resulted in use-after-free on resolve
+completion.
+
+Reported by Leo Lin.
+---
+ src/event/ngx_event_openssl_stapling.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
+index 0f560f17d..86d8b2c55 100644
+--- a/src/event/ngx_event_openssl_stapling.c
++++ b/src/event/ngx_event_openssl_stapling.c
+@@ -113,6 +113,7 @@ struct ngx_ssl_ocsp_ctx_s {
+
+ ngx_resolver_t *resolver;
+ ngx_msec_t resolver_timeout;
++ ngx_resolver_ctx_t *resolve;
+
+ ngx_msec_t timeout;
+
+@@ -1341,6 +1342,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
+ "ssl ocsp done");
+
++ if (ctx->resolve) {
++ ngx_resolve_name_done(ctx->resolve);
++ }
++
+ if (ctx->peer.connection) {
+ ngx_close_connection(ctx->peer.connection);
+ }
+@@ -1433,7 +1438,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
+ resolve->data = ctx;
+ resolve->timeout = ctx->resolver_timeout;
+
++ ctx->resolve = resolve;
++
+ if (ngx_resolve_name(resolve) != NGX_OK) {
++ ctx->resolve = NULL;
+ ngx_ssl_ocsp_error(ctx);
+ return;
+ }
+@@ -1522,6 +1530,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
+ }
+
+ ngx_resolve_name_done(resolve);
++ ctx->resolve = NULL;
+
+ ngx_ssl_ocsp_connect(ctx);
+ return;
+@@ -1529,6 +1538,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
+ failed:
+
+ ngx_resolve_name_done(resolve);
++ ctx->resolve = NULL;
++
+ ngx_ssl_ocsp_error(ctx);
+ }
+
+--
+2.53.0
+
diff -Nru nginx-1.22.1/debian/patches/CVE-2026-42934.patch nginx-1.22.1/debian/patches/CVE-2026-42934.patch
--- nginx-1.22.1/debian/patches/CVE-2026-42934.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.22.1/debian/patches/CVE-2026-42934.patch 2026-05-15 14:05:41.000000000 +0000
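Review bot: In the ngx_ssl_ocsp_done() hunk of CVE-2026-40701.patch, `ctx->resolve` still points at the resolver context after `ngx_resolve_name_done(ctx->resolve)`, whereas the other three sites touched by this patch clear it. The rest of ngx_ssl_ocsp_done() lies outside the hunk, so this is harmless if the OCSP context is destroyed right afterwards, but adding `ctx->resolve = NULL;` inside the guard would keep the invariant uniform and make a repeated pass through the cleanup path safe. A short comment on the new struct field, e.g. `/* non-NULL only while a name resolution is in flight */`, would record that invariant for later refreshes of this backport.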
@@ -0,0 +1,73 @@
+Origin: https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a
+From 54b7945961b2eaafc480d6b85d9635d0db1c126a Mon Sep 17 00:00:00 2001
+From: David Carlier
+Date: Sun, 12 Apr 2026 07:13:23 +0100
+Subject: [PATCH] Charset: fix buffer over-read in recode_from_utf8().
+
+When a multi-byte UTF-8 character was split across 3+ single-byte
+buffers, the saved bytes continuation path had two related bugs:
+
+ngx_utf8_decode() was called with the last saved-array index instead
+of the byte count, causing it to report "incomplete" even when the
+sequence was already complete.
+
+The subsequent ngx_memcpy() used that same index as the copy length,
+reading past the input buffer boundary.
+---
+ .../modules/ngx_http_charset_filter_module.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+Index: nginx/src/http/modules/ngx_http_charset_filter_module.c
+===================================================================
+--- nginx.orig/src/http/modules/ngx_http_charset_filter_module.c
++++ nginx/src/http/modules/ngx_http_charset_filter_module.c
+@@ -689,7 +689,6 @@ ngx_http_charset_recode_from_utf8(ngx_po
+ u_char c, *p, *src, *dst, *saved, **table;
+ uint32_t n;
+ ngx_buf_t *b;
+- ngx_uint_t i;
+ ngx_chain_t *out, *cl, **ll;
+
+ src = buf->pos;
+@@ -783,18 +782,12 @@ ngx_http_charset_recode_from_utf8(ngx_po
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pool->log, 0,
+ "http charset utf saved: %z", ctx->saved_len);
+
+- p = src;
+-
+- for (i = ctx->saved_len; i < NGX_UTF_LEN; i++) {
+- ctx->saved[i] = *p++;
+-
+- if (p == buf->last) {
+- break;
+- }
+- }
++ len = ngx_min(NGX_UTF_LEN - ctx->saved_len, (size_t) (buf->last - src));
++ ngx_memcpy(&ctx->saved[ctx->saved_len], src, len);
++ len += ctx->saved_len;
+
+ saved = ctx->saved;
+- n = ngx_utf8_decode(&saved, i);
++ n = ngx_utf8_decode(&saved, len);
+
+ c = '\0';
+
+@@ -810,7 +803,7 @@ ngx_http_charset_recode_from_utf8(ngx_po
+
+ /* incomplete UTF-8 symbol */
+
+- if (i < NGX_UTF_LEN) {
++ if (len < NGX_UTF_LEN) {
+ out = ngx_http_charset_get_buf(pool, ctx);
+ if (out == NULL) {
+ return NULL;
+@@ -823,8 +816,7 @@ ngx_http_charset_recode_from_utf8(ngx_po
+ b->sync = 1;
+ b->shadow = buf;
+
+- ngx_memcpy(&ctx->saved[ctx->saved_len], src, i);
+- ctx->saved_len += i;
++ ctx->saved_len = len;
+
+ return out;
+ }
diff -Nru nginx-1.22.1/debian/patches/CVE-2026-42945.patch nginx-1.22.1/debian/patches/CVE-2026-42945.patch
--- nginx-1.22.1/debian/patches/CVE-2026-42945.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.22.1/debian/patches/CVE-2026-42945.patch 2026-05-15 14:05:41.000000000 +0000
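Review bot: The destination bound of the new copy, `ngx_min(NGX_UTF_LEN - ctx->saved_len, (size_t) (buf->last - src))`, relies on `ctx->saved_len` never exceeding NGX_UTF_LEN. The declarations are outside the hunk, but if the operands are unsigned a larger value would wrap the subtraction and leave the source length alone to decide how much is written into `ctx->saved`. The invariant presumably holds because the incomplete-symbol branch only stores a `len` below NGX_UTF_LEN, yet nothing in the visible lines states it; a comment such as `/* ctx->saved_len < NGX_UTF_LEN here, so the subtraction cannot wrap */` above the `ngx_min()` line would make the assumption reviewable. `len` also changes meaning on `len += ctx->saved_len;`, from bytes taken from `src` to total saved bytes, and a one-line comment there would help anyone checking the later `ngx_utf8_decode(&saved, len)` and `ctx->saved_len = len` uses.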
@@ -0,0 +1,43 @@
+Origin: https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
+From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan
+Date: Wed, 22 Apr 2026 09:39:31 +0400
+Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
+
+The following code resulted in incorrect escaping of $1 and possible
+segfault:
+
+ location / {
+ rewrite ^(.*) /new?c=1;
+ set $myvar $1;
+ return 200 $myvar;
+ }
+
+If there were arguments in a rewrite's replacement string, the is_args flag
+was set and incorrectly never cleared. This resulted in escaping applied
+to any captures evaluated afterwards in set or if. Additionally buffer was
+allocated by ngx_http_script_complex_value_code() without escaping expected,
+thus this also resulted in buffer overrun and possible segfault.
+
+A similar issue was fixed in 74d939974d43.
+
+Reported by Leo Lin.
+---
+ src/http/ngx_http_script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index a2b9f1b7b..2ea611373 100644
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
+
+ r = e->request;
+
++ e->is_args = 0;
+ e->quote = 0;
+
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+--
+2.53.0
+
diff -Nru nginx-1.22.1/debian/patches/CVE-2026-42946.patch nginx-1.22.1/debian/patches/CVE-2026-42946.patch
--- nginx-1.22.1/debian/patches/CVE-2026-42946.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.22.1/debian/patches/CVE-2026-42946.patch 2026-05-15 14:05:41.000000000 +0000
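Review bot: The added `e->is_args = 0;` in ngx_http_script_regex_end_code() has no comment, although the patch description shows it is what stops later capture evaluation from being escaped into a buffer that was sized without escaping. A comment beside it, e.g. `/* reset so captures used by later set/if are not escaped as arguments */`, would keep the line from being dropped as redundant when this backport is refreshed. The hunk adds no test, so the configuration snippet in the patch description is worth keeping as a regression check for the package. The function body continues outside the hunk.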
@@ -0,0 +1,88 @@
+Origin: https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd
+From 39d7d0ba0799fcff6baee52b6525f45739593cfd Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Wed, 29 Apr 2026 23:02:20 +0400
+Subject: [PATCH] Upstream: fixed parsing of split status lines
+
+If the first response line was split across reads and it didn't appear
+a status line, the portion already processed was lost. To preserve ABI,
+the change reuses r->header_name_start for proper backtracking on status
+line fallback.
+---
+ src/http/modules/ngx_http_proxy_module.c | 5 +++++
+ src/http/modules/ngx_http_scgi_module.c | 5 +++++
+ src/http/modules/ngx_http_uwsgi_module.c | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
+index 0b388b30f..276cc0750 100644
+--- a/src/http/modules/ngx_http_proxy_module.c
++++ b/src/http/modules/ngx_http_proxy_module.c
+@@ -1752,6 +1752,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
+
+ u = r->upstream;
+
++ if (r->state == 0) {
++ r->header_name_start = u->buffer.pos;
++ }
++
+ rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status);
+
+ if (rc == NGX_AGAIN) {
+@@ -1759,6 +1763,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
+ }
+
+ if (rc == NGX_ERROR) {
++ u->buffer.pos = r->header_name_start;
+
+ #if (NGX_HTTP_CACHE)
+
+diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
+index 290394a1f..b4a73a5a6 100644
+--- a/src/http/modules/ngx_http_scgi_module.c
++++ b/src/http/modules/ngx_http_scgi_module.c
+@@ -1028,6 +1028,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
+
+ u = r->upstream;
+
++ if (r->state == 0) {
++ r->header_name_start = u->buffer.pos;
++ }
++
+ rc = ngx_http_parse_status_line(r, &u->buffer, status);
+
+ if (rc == NGX_AGAIN) {
+@@ -1036,6 +1040,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
+
+ if (rc == NGX_ERROR) {
+ u->process_header = ngx_http_scgi_process_header;
++ u->buffer.pos = r->header_name_start;
+ return ngx_http_scgi_process_header(r);
+ }
+
+diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
+index 4140b1b40..ecd6dd0d7 100644
+--- a/src/http/modules/ngx_http_uwsgi_module.c
++++ b/src/http/modules/ngx_http_uwsgi_module.c
+@@ -1267,6 +1267,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
+
+ u = r->upstream;
+
++ if (r->state == 0) {
++ r->header_name_start = u->buffer.pos;
++ }
++
+ rc = ngx_http_parse_status_line(r, &u->buffer, status);
+
+ if (rc == NGX_AGAIN) {
+@@ -1275,6 +1279,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
+
+ if (rc == NGX_ERROR) {
+ u->process_header = ngx_http_uwsgi_process_header;
++ u->buffer.pos = r->header_name_start;
+ return ngx_http_uwsgi_process_header(r);
+ }
+
+--
+2.53.0
+
diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series
--- nginx-1.22.1/debian/patches/series 2026-04-22 20:15:43.000000000 +0000
+++ nginx-1.22.1/debian/patches/series 2026-05-15 14:05:41.000000000 +0000
@@ -14,3 +14,7 @@
 CVE-2026-28753.patch
 CVE-2026-28755.patch
 CVE-2026-32647.patch
+CVE-2026-42945.patch
+CVE-2026-42946.patch
+CVE-2026-40701.patch
+CVE-2026-42934.patch
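Review bot: The restore `u->buffer.pos = r->header_name_start;` in the NGX_ERROR branches of CVE-2026-42946.patch is only valid if the `r->state == 0` guard ran on the first call for this response and the saved pointer still lies inside `u->buffer` when the first line arrives over several reads. Neither condition is visible here, since all three process_status_line functions start and end outside their hunks, so it is worth confirming against the 1.22.1 tree that `r->state` is zero on first entry and that the upstream buffer is not replaced between reads. Because the field is reused for something its name does not suggest, a comment at the save site such as `/* header_name_start temporarily holds the start of the first line for fallback */` would help. The same applies to the proxy, scgi and uwsgi hunks alike.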