Version in base suite: 1.26.3-3+deb13u1 Base version: nginx_1.26.3-3+deb13u1 Target version: nginx_1.26.3-3+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.26.3-3+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.26.3-3+deb13u2.dsc changelog | 10 +++++++++ patches/CVE-2026-1642.patch | 45 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 56 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpp_z7snj0/nginx_1.26.3-3+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpp_z7snj0/nginx_1.26.3-3+deb13u2.dsc: no acceptable signature found diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog --- nginx-1.26.3/debian/changelog 2025-08-29 14:10:13.000000000 +0000 +++ nginx-1.26.3/debian/changelog 2026-02-10 06:47:34.000000000 +0000 @@ -1,3 +1,13 @@ +nginx (1.26.3-3+deb13u2) trixie-security; urgency=medium + + * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642. + Fixes problem when an attacker with a man-in-the-middle position on the + upstream server side—along with conditions beyond the attacker's + control—may be able to inject plain text data into the response + from an upstream proxied server. + + -- Jan Mojžíš Tue, 10 Feb 2026 07:47:34 +0100 + nginx (1.26.3-3+deb13u1) trixie; urgency=medium * d/p/CVE-2025-53859.patch add, fix potential information leak diff -Nru nginx-1.26.3/debian/patches/CVE-2026-1642.patch nginx-1.26.3/debian/patches/CVE-2026-1642.patch --- nginx-1.26.3/debian/patches/CVE-2026-1642.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-1642.patch 2026-02-10 06:47:34.000000000 +0000 @@ -0,0 +1,45 @@ +Origin: https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e +From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: Upstream: detect premature plain text response from SSL backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index df577ad67..cadc74479 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2508,6 +2508,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; +-- +2.47.2 + diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series --- nginx-1.26.3/debian/patches/series 2025-08-29 14:10:13.000000000 +0000 +++ nginx-1.26.3/debian/patches/series 2026-02-10 06:47:34.000000000 +0000 @@ -2,3 +2,4 @@ nginx-fix-pidfile.patch nginx-ssl_cert_cb_yield.patch CVE-2025-53859.patch +CVE-2026-1642.patch