Version in base suite: 1.26.3-3+deb13u2 Base version: nginx_1.26.3-3+deb13u2 Target version: nginx_1.26.3-3+deb13u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.26.3-3+deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.26.3-3+deb13u3.dsc changelog | 16 +++++++ patches/CVE-2026-27651.patch | 31 ++++++++++++++ patches/CVE-2026-27654.patch | 78 +++++++++++++++++++++++++++++++++++++ patches/CVE-2026-27784.patch | 84 ++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-28753.patch | 90 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-28755.patch | 44 +++++++++++++++++++++ patches/CVE-2026-32647.patch | 74 +++++++++++++++++++++++++++++++++++ patches/series | 6 ++ 8 files changed, 423 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp51uxwly9/nginx_1.26.3-3+deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp51uxwly9/nginx_1.26.3-3+deb13u3.dsc: no acceptable signature found
diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog
--- nginx-1.26.3/debian/changelog 2026-02-10 06:47:34.000000000 +0000
+++ nginx-1.26.3/debian/changelog 2026-03-30 17:41:51.000000000 +0000
@@ -1,3 +1,19 @@
+nginx (1.26.3-3+deb13u3) trixie; urgency=medium
+
+ * backport changes from upstream nginx, fixes for buffer overflow
+ vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow
+ vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647),
+ mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753)
+ and OCSP result bypass vulnerability in stream (CVE-2026-28755)
+ * d/p/CVE-2026-27651.patch add
+ * d/p/CVE-2026-27654.patch add
+ * d/p/CVE-2026-27784.patch add
+ * d/p/CVE-2026-28753.patch add
+ * d/p/CVE-2026-28755.patch add
+ * d/p/CVE-2026-32647.patch add
+
+ -- Jan Mojžíš Mon, 30 Mar 2026 17:41:51 +0000
+
 nginx (1.26.3-3+deb13u2) trixie-security; urgency=medium
 
 * d/p/CVE-2026-1642: backport upstream patch for CVE-2026-1642.
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-27651.patch nginx-1.26.3/debian/patches/CVE-2026-27651.patch
--- nginx-1.26.3/debian/patches/CVE-2026-27651.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/CVE-2026-27651.patch 2026-03-30 17:41:51.000000000 +0000
@@ -0,0 +1,31 @@
+Origin: https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c
+From: Sergey Kandaurov
+Date: Wed, 18 Mar 2026 16:39:37 +0400
+Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
+
+Previously, it was not properly cleared retaining length as part of
+authenticating with CRAM-MD5 and APOP methods that expect to receive
+password in auth response. This resulted in null pointer dereference
+and worker process crash in subsequent auth attempts with CRAM-MD5.
+
+Reported by Arkadi Vainbrand.
+---
+ src/mail/ngx_mail_auth_http_module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
+index 4ca6d6e24..3e5095a2d 100644
+--- a/src/mail/ngx_mail_auth_http_module.c
++++ b/src/mail/ngx_mail_auth_http_module.c
+@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
+ b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
+ b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
+
+- s->passwd.data = NULL;
++ ngx_str_null(&s->passwd);
+ }
+
+ b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
+--
+2.51.0
+
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-27654.patch nginx-1.26.3/debian/patches/CVE-2026-27654.patch
--- nginx-1.26.3/debian/patches/CVE-2026-27654.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/CVE-2026-27654.patch 2026-03-30 17:41:51.000000000 +0000
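Review bot: The one-line fix in `ngx_mail_auth_http_create_request()` would benefit from a comment saying why the whole string is reset, because the earlier `s->passwd.data = NULL;` looked equally plausible and left a stale `len` behind. Something like `/* reset data and len: a stale len with NULL data crashed later CRAM-MD5 attempts */` above `ngx_str_null(&s->passwd);` records the invariant described in the commit message. The function starts and ends outside the hunk, so whether other paths clear only the `.data` member of a session string cannot be checked from here and is worth a grep when backporting.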
@@ -0,0 +1,78 @@
+Origin: https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82
+From: Roman Arutyunyan
+Date: Mon, 16 Mar 2026 20:13:03 +0400
+Subject: [PATCH] Dav: destination length validation for COPY and MOVE.
+
+Previously, when alias was used in a location with Dav COPY or MOVE
+enabled, and the destination URI was shorter than the alias, integer
+underflow could happen in ngx_http_map_uri_to_path(), which could
+result in heap buffer overwrite, followed by a possible segfault.
+With some implementations of memcpy(), the segfault could be avoided
+and the overwrite could result in a change of the source or destination
+file names to be outside of the location root.
+
+Reported by Calif.io in collaboration with Claude and Anthropic Research.
+---
+ src/http/modules/ngx_http_dav_module.c | 39 +++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
+index cfb98929e..4619b139a 100644
+--- a/src/http/modules/ngx_http_dav_module.c
++++ b/src/http/modules/ngx_http_dav_module.c
+@@ -535,19 +535,20 @@ ngx_http_dav_mkcol_handler(ngx_http_request_t *r, ngx_http_dav_loc_conf_t *dlcf)
+ static ngx_int_t
+ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
+ {
+- u_char *p, *host, *last, ch;
+- size_t len, root;
+- ngx_err_t err;
+- ngx_int_t rc, depth;
+- ngx_uint_t overwrite, slash, dir, flags;
+- ngx_str_t path, uri, duri, args;
+- ngx_tree_ctx_t tree;
+- ngx_copy_file_t cf;
+- ngx_file_info_t fi;
+- ngx_table_elt_t *dest, *over;
+- ngx_ext_rename_file_t ext;
+- ngx_http_dav_copy_ctx_t copy;
+- ngx_http_dav_loc_conf_t *dlcf;
++ u_char *p, *host, *last, ch;
++ size_t len, root;
++ ngx_err_t err;
++ ngx_int_t rc, depth;
++ ngx_uint_t overwrite, slash, dir, flags;
++ ngx_str_t path, uri, duri, args;
++ ngx_tree_ctx_t tree;
++ ngx_copy_file_t cf;
++ ngx_file_info_t fi;
++ ngx_table_elt_t *dest, *over;
++ ngx_ext_rename_file_t ext;
++ ngx_http_dav_copy_ctx_t copy;
++ ngx_http_dav_loc_conf_t *dlcf;
++ ngx_http_core_loc_conf_t *clcf;
+
+ if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+@@ -644,6 +645,18 @@ destination_done:
+ return NGX_HTTP_CONFLICT;
+ }
+
++ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
++ if (clcf->alias
++ && clcf->alias != NGX_MAX_SIZE_T_VALUE
++ && duri.len < clcf->alias)
++ {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "client sent invalid \"Destination\" header: \"%V\"",
++ &dest->value);
++ return NGX_HTTP_BAD_REQUEST;
++ }
++
+ depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
+
+ if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
+--
+2.51.0
+
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-27784.patch nginx-1.26.3/debian/patches/CVE-2026-27784.patch
--- nginx-1.26.3/debian/patches/CVE-2026-27784.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/CVE-2026-27784.patch 2026-03-30 17:41:51.000000000 +0000
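Review bot: The new guard placed before the `ngx_http_dav_depth()` call has no comment explaining the two special values of `clcf->alias`, and the safety of the later path mapping depends on them. As far as I recall from the core module, `alias` holds the location prefix length and `NGX_MAX_SIZE_T_VALUE` marks an alias inside a regex location (confirm against this tree); a comment such as `/* alias is the location prefix length; a shorter destination underflows in ngx_http_map_uri_to_path() */` would state that next to the check. The re-aligned declaration block accounts for 13 of the 26 inserted lines and only adds `clcf`, which makes the security-relevant part of the backport harder to spot. The handler body continues outside both hunks.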
@@ -0,0 +1,84 @@
+Origin: https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018
+From: Roman Arutyunyan
+Date: Mon, 2 Mar 2026 21:12:34 +0400
+Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
+
+Previously, a 32-bit overflow could happen while validating atom entries
+count. This allowed processing of an invalid atom with entrires beyond
+its boundaries with reads and writes outside of the allocated mp4 buffer.
+
+Reported by Prabhav Srinath (sprabhav7).
+---
+ src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 173d8ad54..678d6296c 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ "mp4 time-to-sample entries:%uD", entries);
+
+ if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
+- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 stts atom too small", mp4->file.name.data);
+@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ atom->last = atom_table;
+
+ if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
+- + entries * sizeof(uint32_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 stss atom too small", mp4->file.name.data);
+@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ atom->last = atom_table;
+
+ if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
+- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 ctts atom too small", mp4->file.name.data);
+@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ "sample-to-chunk entries:%uD", entries);
+
+ if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
+- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 stsc atom too small", mp4->file.name.data);
+@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+
+ if (size == 0) {
+ if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
+- + entries * sizeof(uint32_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 stsz atom too small",
+@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
+
+ if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
+- + entries * sizeof(uint32_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 stco atom too small", mp4->file.name.data);
+@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
+
+ if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
+- + entries * sizeof(uint64_t) > atom_data_size)
++ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 co64 atom too small", mp4->file.name.data);
+--
+2.51.0
+
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-28753.patch nginx-1.26.3/debian/patches/CVE-2026-28753.patch
--- nginx-1.26.3/debian/patches/CVE-2026-28753.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/CVE-2026-28753.patch 2026-03-30 17:41:51.000000000 +0000
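Review bot: The same widening cast is applied by hand in seven separate readers (stts, stss, ctts, stsc, stsz, stco, co64) and nothing in the code marks it as load-bearing, so a later edit or a new atom reader can drop it again. A short comment at each site, for example `/* 64-bit multiply: entries * size can wrap on 32-bit builds */`, would do, or the size check could move into one shared helper so it exists in a single place. Each hunk shows only the condition, so whether any other entries-times-size expression in these functions needs the same treatment cannot be confirmed from here.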
@@ -0,0 +1,90 @@
+Origin: https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f
+From: Roman Arutyunyan
+Date: Thu, 26 Feb 2026 11:52:53 +0400
+Subject: [PATCH] Mail: host validation.
+
+Now host name resolved from client address is validated to only contain
+the characters specified in RFC 1034, Section 3.5. The validation allows
+to avoid injections when using the resolved host name in auth_http and
+smtp proxy.
+
+Reported by Asim Viladi Oglu Manizada, Colin Warren,
+Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
+Bird Liu (Lanzhou University).
+---
+ src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
+index 1e26c2c8d..97bbd7063 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
++++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -13,6 +13,7 @@
+
+
+ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
++static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
+ static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
+ static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+ static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
+@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ return;
+ }
+
++ if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
++ "%V resolved to invalid host name \"%V\"",
++ &c->addr_text, &ctx->name);
++
++ s->host = smtp_tempunavail;
++
++ ngx_resolve_addr_done(ctx);
++
++ ngx_mail_smtp_greeting(s, s->connection);
++
++ return;
++ }
++
+ c->log->action = "in resolving client hostname";
+
+ s->host.data = ngx_pstrdup(c->pool, &ctx->name);
+@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ }
+
+
++static ngx_int_t
++ngx_mail_smtp_validate_host(ngx_str_t *name)
++{
++ u_char ch;
++ ngx_uint_t i;
++
++ if (name->len == 0) {
++ return NGX_DECLINED;
++ }
++
++ for (i = 0; i < name->len; i++) {
++ ch = name->data[i];
++
++ /* allow only characters from RFC 1034, Section 3.5 */
++
++ if ((ch >= 'a' && ch <= 'z')
++ || (ch >= 'A' && ch <= 'Z')
++ || (ch >= '0' && ch <= '9')
++ || ch == '-' || ch == '.')
++ {
++ continue;
++ }
++
++ return NGX_DECLINED;
++ }
++
++ return NGX_OK;
++}
++
++
+ static void
+ ngx_mail_smtp_resolve_name(ngx_event_t *rev)
+ {
+--
+2.51.0
+
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-28755.patch nginx-1.26.3/debian/patches/CVE-2026-28755.patch
--- nginx-1.26.3/debian/patches/CVE-2026-28755.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/CVE-2026-28755.patch 2026-03-30 17:41:51.000000000 +0000
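Review bot: In `ngx_mail_smtp_resolve_addr_handler()` the rejected name is written to the error log through `\"%V\"`, yet it was rejected precisely because it contains bytes outside the allowed set, which may include control characters that corrupt or forge log lines unless the logger escapes them. Logging only the client address, e.g. `"%V resolved to invalid host name", &c->addr_text`, or an escaped copy of the name keeps the log trustworthy for later triage. Separately, `ngx_mail_smtp_validate_host()` checks the character set only: a leading `-` or `.`, empty labels and over-long names still pass, so its comment could say `/* character set only; label structure and length are not checked */`. Names containing `_` are now answered with `smtp_tempunavail`, which operators may want mentioned in the changelog.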
@@ -0,0 +1,44 @@
+Origin: https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8
+From: Sergey Kandaurov
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index ea0b112b8..85a74ce1d 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -410,6 +410,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ long rc;
+ X509 *cert;
+ ngx_int_t rv;
++ const char *str;
+ ngx_connection_t *c;
+ ngx_stream_ssl_srv_conf_t *sscf;
+
+@@ -460,6 +461,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+
+ X509_free(cert);
+ }
++
++ if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client SSL certificate verify error: %s", str);
++
++ ngx_ssl_remove_cached_session(c->ssl->session_ctx,
++ (SSL_get0_session(c->ssl->connection)));
++ return NGX_ERROR;
++ }
+ }
+
+ return NGX_OK;
+--
+2.51.0
+
diff -Nru nginx-1.26.3/debian/patches/CVE-2026-32647.patch nginx-1.26.3/debian/patches/CVE-2026-32647.patch
--- nginx-1.26.3/debian/patches/CVE-2026-32647.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/CVE-2026-32647.patch 2026-03-30 17:41:51.000000000 +0000
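Review bot: The OCSP rejection added to `ngx_stream_ssl_handler()` is logged at `NGX_LOG_INFO`, so with an error log configured at a stricter level a client certificate refused by OCSP leaves no record; for a check whose absence was a CVE, a mention in the package notes or a higher level would help detection. The added block sits inside a conditional whose opening is outside the hunk, so which configuration enables the check cannot be confirmed here. A comment such as `/* reject the client and drop its cached session when OCSP validation did not succeed */` would make the check harder to lose again, and the parentheses around `SSL_get0_session(c->ssl->connection)` are redundant.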
@@ -0,0 +1,74 @@
+Origin: https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
+From: Roman Arutyunyan
+Date: Sat, 21 Feb 2026 12:04:36 +0400
+Subject: [PATCH] Mp4: avoid zero size buffers in output.
+
+Previously, data validation checks did not cover the cases when the output
+contained empty buffers. Such buffers are considered illegal and produce
+"zero size buf in output" alerts. The change rejects the mp4 files which
+produce such alerts.
+
+Also, the change fixes possible buffer overread and overwrite that could
+happen while processing empty stco and co64 atoms, as reported by
+Pavel Kohout (Aisle Research) and Tim Becker.
+---
+ src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 445fab1cd..173d8ad54 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+ }
+ }
+
+- if (end_offset < start_offset) {
+- end_offset = start_offset;
++ if (end_offset <= start_offset) {
++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++ "no data between start time and end time in \"%s\"",
++ mp4->file.name.data);
++ return NGX_ERROR;
+ }
+
+ mp4->moov_size += 8;
+@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+
+ *prev = &mp4->mdat_atom;
+
+- if (start_offset > mp4->mdat_data.buf->file_last) {
++ if (start_offset >= mp4->mdat_data.buf->file_last) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 mdat atom in \"%s\"",
+ mp4->file.name.data);
+@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
+ if (data) {
+ entries = trak->sample_sizes_entries;
+
+- if (trak->start_sample > entries) {
++ if (trak->start_sample >= entries) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 stsz samples in \"%s\"",
+ mp4->file.name.data);
+@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
+ return NGX_ERROR;
+ }
+
+- if (trak->start_chunk > trak->chunks) {
++ if (trak->start_chunk >= trak->chunks) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 stco chunks in \"%s\"",
+ mp4->file.name.data);
+@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
+ return NGX_ERROR;
+ }
+
+- if (trak->start_chunk > trak->chunks) {
++ if (trak->start_chunk >= trak->chunks) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 co64 chunks in \"%s\"",
+ mp4->file.name.data);
+--
+2.51.0
+
diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series
--- nginx-1.26.3/debian/patches/series 2026-02-10 06:47:34.000000000 +0000
+++ nginx-1.26.3/debian/patches/series 2026-03-30 17:41:51.000000000 +0000
@@ -3,3 +3,9 @@
 nginx-ssl_cert_cb_yield.patch
 CVE-2025-53859.patch
 CVE-2026-1642.patch
+CVE-2026-27651.patch
+CVE-2026-27654.patch
+CVE-2026-27784.patch
+CVE-2026-28753.patch
+CVE-2026-28755.patch
+CVE-2026-32647.patch
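Review bot: Four of the five changes only turn `>` into `>=` (the mdat check and the stsz, stco and co64 start checks), and none carries a comment saying why equality is invalid, which makes the boundary easy to relax again. A line such as `/* start == count would leave an empty table and a zero size buffer */` at each site would record the reason given in the commit message. The first hunk also changes behaviour: a range with `end_offset <= start_offset` now returns `NGX_ERROR` where it used to be clamped, and the response the client sees is decided outside the hunk, so it is worth checking. That path logs at `NGX_LOG_ERR` on what look like request-selected start and end times, so repeated requests of that kind can fill the error log.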
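Review bot: The series lists CVE-2026-27784.patch before CVE-2026-32647.patch, but the index lines show the opposite upstream order: the 32647 change produces blob `173d8ad54`, which is the base of the 27784 change. The visible hunks touch different lines of `ngx_http_mp4_module.c`, so both should still apply with offsets, but listing them in upstream order would keep later refreshes and follow-up backports to that file straightforward.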