Version in base suite: 1.26.3-3+deb13u4 Base version: nginx_1.26.3-3+deb13u4 Target version: nginx_1.26.3-3+deb13u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.26.3-3+deb13u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.26.3-3+deb13u5.dsc changelog | 16 +++++++ patches/CVE-2026-40460.patch | 52 +++++++++++++++++++++++++ patches/CVE-2026-40701.patch | 70 ++++++++++++++++++++++++++++++++++ patches/CVE-2026-42934.patch | 73 +++++++++++++++++++++++++++++++++++ patches/CVE-2026-42945.patch | 40 +++++++++++++++++++ patches/CVE-2026-42946.patch | 88 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 5 ++ 7 files changed, 344 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbjhzd93y/nginx_1.26.3-3+deb13u4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbjhzd93y/nginx_1.26.3-3+deb13u5.dsc: no acceptable signature found diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog --- nginx-1.26.3/debian/changelog 2026-04-20 17:52:06.000000000 +0000 +++ nginx-1.26.3/debian/changelog 2026-05-15 14:13:33.000000000 +0000 @@ -1,3 +1,19 @@ +nginx (1.26.3-3+deb13u5) trixie-security; urgency=medium + + * backport changes from upstream nginx, HTTP/3 address spoofing + (CVE-2026-40460), buffer overflow in the ngx_http_rewrite_module + (CVE-2026-42945), buffer overread in the ngx_http_scgi_module and + ngx_http_uwsgi_module (CVE-2026-42946), resolver use-after-free in OCSP + (CVE-2026-40701), buffer overread in the ngx_http_charset_module + (CVE-2026-42934) + * d/p/CVE-2026-40460.patch add + * d/p/CVE-2026-42945.patch add + * d/p/CVE-2026-42946.patch add + * d/p/CVE-2026-40701.patch add + * d/p/CVE-2026-42934.patch add + + -- Jan Mojžíš Fri, 15 May 2026 14:13:33 +0000 + nginx (1.26.3-3+deb13u4) trixie; urgency=medium * d/conf/*_params: use "$host" instead of "$http_host" diff -Nru nginx-1.26.3/debian/patches/CVE-2026-40460.patch nginx-1.26.3/debian/patches/CVE-2026-40460.patch --- nginx-1.26.3/debian/patches/CVE-2026-40460.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-40460.patch 2026-05-15 14:13:33.000000000 +0000 @@ -0,0 +1,52 @@ +Origin: https://github.com/nginx/nginx/commit/5461e8bbc09230a4cf8e3d7737c176ae69b091f1 +From: Roman Arutyunyan +Date: Thu, 30 Apr 2026 17:15:53 +0400 +Subject: [PATCH] QUIC: avoid assigning unvalidated address to new streams + +Previously, when a client migrated to a new address, new QUIC streams +received this address before validation. This allowed an attacker to +create QUIC streams with a spoofed address. + +Reported by Rodrigo Laneth. +--- + src/event/quic/ngx_event_quic_migration.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c +index 42354ca66..bbb105142 100644 +--- a/src/event/quic/ngx_event_quic_migration.c ++++ b/src/event/quic/ngx_event_quic_migration.c +@@ -194,6 +194,8 @@ valid: + + path->validated = 1; + ++ ngx_quic_set_connection_path(c, path); ++ + if (path->mtu_unvalidated) { + path->mtu_unvalidated = 0; + return ngx_quic_validate_path(c, path); +@@ -511,9 +513,10 @@ ngx_quic_handle_migration(ngx_connection_t *c, ngx_quic_header_t *pkt) + qc->path = next; + qc->path->tag = NGX_QUIC_PATH_ACTIVE; + +- ngx_quic_set_connection_path(c, next); ++ if (next->validated) { ++ ngx_quic_set_connection_path(c, next); + +- if (!next->validated && next->state != NGX_QUIC_PATH_VALIDATING) { ++ } else if (next->state != NGX_QUIC_PATH_VALIDATING) { + if (ngx_quic_validate_path(c, next) != NGX_OK) { + return NGX_ERROR; + } +@@ -807,8 +810,6 @@ ngx_quic_expire_path_validation(ngx_connection_t *c, ngx_quic_path_t *path) + qc->path = bkp; + qc->path->tag = NGX_QUIC_PATH_ACTIVE; + +- ngx_quic_set_connection_path(c, qc->path); +- + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "quic path seq:%uL addr:%V is restored from backup", + qc->path->seqnum, &qc->path->addr_text); +-- +2.53.0 + diff -Nru nginx-1.26.3/debian/patches/CVE-2026-40701.patch nginx-1.26.3/debian/patches/CVE-2026-40701.patch --- nginx-1.26.3/debian/patches/CVE-2026-40701.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-40701.patch 2026-05-15 14:13:33.000000000 +0000 @@ -0,0 +1,70 @@ +Origin: https://github.com/nginx/nginx/commit/d2b8d47741820c9fb134c6731ecb40b21f3085b1 +From d2b8d47741820c9fb134c6731ecb40b21f3085b1 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Tue, 21 Apr 2026 14:51:41 +0400 +Subject: [PATCH] OCSP: resolve cleanup on connection close + +Previously, when a client SSL connection was terminated (typically due to a +timeout) while resolving an OCSP responder, the OCSP context was freed, but +the resolve context was not. This resulted in use-after-free on resolve +completion. + +Reported by Leo Lin. +--- + src/event/ngx_event_openssl_stapling.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index 0f560f17d..86d8b2c55 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -113,6 +113,7 @@ struct ngx_ssl_ocsp_ctx_s { + + ngx_resolver_t *resolver; + ngx_msec_t resolver_timeout; ++ ngx_resolver_ctx_t *resolve; + + ngx_msec_t timeout; + +@@ -1341,6 +1342,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx) + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, + "ssl ocsp done"); + ++ if (ctx->resolve) { ++ ngx_resolve_name_done(ctx->resolve); ++ } ++ + if (ctx->peer.connection) { + ngx_close_connection(ctx->peer.connection); + } +@@ -1433,7 +1438,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) + resolve->data = ctx; + resolve->timeout = ctx->resolver_timeout; + ++ ctx->resolve = resolve; ++ + if (ngx_resolve_name(resolve) != NGX_OK) { ++ ctx->resolve = NULL; + ngx_ssl_ocsp_error(ctx); + return; + } +@@ -1522,6 +1530,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) + } + + ngx_resolve_name_done(resolve); ++ ctx->resolve = NULL; + + ngx_ssl_ocsp_connect(ctx); + return; +@@ -1529,6 +1538,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) + failed: + + ngx_resolve_name_done(resolve); ++ ctx->resolve = NULL; ++ + ngx_ssl_ocsp_error(ctx); + } + +-- +2.53.0 + diff -Nru nginx-1.26.3/debian/patches/CVE-2026-42934.patch nginx-1.26.3/debian/patches/CVE-2026-42934.patch --- nginx-1.26.3/debian/patches/CVE-2026-42934.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-42934.patch 2026-05-15 14:13:33.000000000 +0000 @@ -0,0 +1,73 @@ +Origin: https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a +From 54b7945961b2eaafc480d6b85d9635d0db1c126a Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Sun, 12 Apr 2026 07:13:23 +0100 +Subject: [PATCH] Charset: fix buffer over-read in recode_from_utf8(). + +When a multi-byte UTF-8 character was split across 3+ single-byte +buffers, the saved bytes continuation path had two related bugs: + +ngx_utf8_decode() was called with the last saved-array index instead +of the byte count, causing it to report "incomplete" even when the +sequence was already complete. + +The subsequent ngx_memcpy() used that same index as the copy length, +reading past the input buffer boundary. +--- + .../modules/ngx_http_charset_filter_module.c | 20 ++++++------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +Index: nginx/src/http/modules/ngx_http_charset_filter_module.c +=================================================================== +--- nginx.orig/src/http/modules/ngx_http_charset_filter_module.c ++++ nginx/src/http/modules/ngx_http_charset_filter_module.c +@@ -689,7 +689,6 @@ ngx_http_charset_recode_from_utf8(ngx_po + u_char c, *p, *src, *dst, *saved, **table; + uint32_t n; + ngx_buf_t *b; +- ngx_uint_t i; + ngx_chain_t *out, *cl, **ll; + + src = buf->pos; +@@ -783,18 +782,12 @@ ngx_http_charset_recode_from_utf8(ngx_po + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pool->log, 0, + "http charset utf saved: %z", ctx->saved_len); + +- p = src; +- +- for (i = ctx->saved_len; i < NGX_UTF_LEN; i++) { +- ctx->saved[i] = *p++; +- +- if (p == buf->last) { +- break; +- } +- } ++ len = ngx_min(NGX_UTF_LEN - ctx->saved_len, (size_t) (buf->last - src)); ++ ngx_memcpy(&ctx->saved[ctx->saved_len], src, len); ++ len += ctx->saved_len; + + saved = ctx->saved; +- n = ngx_utf8_decode(&saved, i); ++ n = ngx_utf8_decode(&saved, len); + + c = '\0'; + +@@ -810,7 +803,7 @@ ngx_http_charset_recode_from_utf8(ngx_po + + /* incomplete UTF-8 symbol */ + +- if (i < NGX_UTF_LEN) { ++ if (len < NGX_UTF_LEN) { + out = ngx_http_charset_get_buf(pool, ctx); + if (out == NULL) { + return NULL; +@@ -823,8 +816,7 @@ ngx_http_charset_recode_from_utf8(ngx_po + b->sync = 1; + b->shadow = buf; + +- ngx_memcpy(&ctx->saved[ctx->saved_len], src, i); +- ctx->saved_len += i; ++ ctx->saved_len = len; + + return out; + } diff -Nru nginx-1.26.3/debian/patches/CVE-2026-42945.patch nginx-1.26.3/debian/patches/CVE-2026-42945.patch --- nginx-1.26.3/debian/patches/CVE-2026-42945.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-42945.patch 2026-05-15 14:13:33.000000000 +0000 @@ -0,0 +1,40 @@ +Origin: https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686 +From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Wed, 22 Apr 2026 09:39:31 +0400 +Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun + +The following code resulted in incorrect escaping of $1 and possible +segfault: + + location / { + rewrite ^(.*) /new?c=1; + set $myvar $1; + return 200 $myvar; + } + +If there were arguments in a rewrite's replacement string, the is_args flag +was set and incorrectly never cleared. This resulted in escaping applied +to any captures evaluated afterwards in set or if. Additionally buffer was +allocated by ngx_http_script_complex_value_code() without escaping expected, +thus this also resulted in buffer overrun and possible segfault. + +A similar issue was fixed in 74d939974d43. + +Reported by Leo Lin. +--- + src/http/ngx_http_script.c | 1 + + 1 file changed, 1 insertion(+) + +Index: nginx/src/http/ngx_http_script.c +=================================================================== +--- nginx.orig/src/http/ngx_http_script.c ++++ nginx/src/http/ngx_http_script.c +@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_ + + r = e->request; + ++ e->is_args = 0; + e->quote = 0; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, diff -Nru nginx-1.26.3/debian/patches/CVE-2026-42946.patch nginx-1.26.3/debian/patches/CVE-2026-42946.patch --- nginx-1.26.3/debian/patches/CVE-2026-42946.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-42946.patch 2026-05-15 14:13:33.000000000 +0000 @@ -0,0 +1,88 @@ +Origin: https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd +From 39d7d0ba0799fcff6baee52b6525f45739593cfd Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 29 Apr 2026 23:02:20 +0400 +Subject: [PATCH] Upstream: fixed parsing of split status lines + +If the first response line was split across reads and it didn't appear +a status line, the portion already processed was lost. To preserve ABI, +the change reuses r->header_name_start for proper backtracking on status +line fallback. +--- + src/http/modules/ngx_http_proxy_module.c | 5 +++++ + src/http/modules/ngx_http_scgi_module.c | 5 +++++ + src/http/modules/ngx_http_uwsgi_module.c | 5 +++++ + 3 files changed, 15 insertions(+) + +diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c +index 0b388b30f..276cc0750 100644 +--- a/src/http/modules/ngx_http_proxy_module.c ++++ b/src/http/modules/ngx_http_proxy_module.c +@@ -1752,6 +1752,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status); + + if (rc == NGX_AGAIN) { +@@ -1759,6 +1763,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) + } + + if (rc == NGX_ERROR) { ++ u->buffer.pos = r->header_name_start; + + #if (NGX_HTTP_CACHE) + +diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c +index 290394a1f..b4a73a5a6 100644 +--- a/src/http/modules/ngx_http_scgi_module.c ++++ b/src/http/modules/ngx_http_scgi_module.c +@@ -1028,6 +1028,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, status); + + if (rc == NGX_AGAIN) { +@@ -1036,6 +1040,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_scgi_process_header; ++ u->buffer.pos = r->header_name_start; + return ngx_http_scgi_process_header(r); + } + +diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c +index 4140b1b40..ecd6dd0d7 100644 +--- a/src/http/modules/ngx_http_uwsgi_module.c ++++ b/src/http/modules/ngx_http_uwsgi_module.c +@@ -1267,6 +1267,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, status); + + if (rc == NGX_AGAIN) { +@@ -1275,6 +1279,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_uwsgi_process_header; ++ u->buffer.pos = r->header_name_start; + return ngx_http_uwsgi_process_header(r); + } + +-- +2.53.0 + diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series --- nginx-1.26.3/debian/patches/series 2026-04-20 17:52:06.000000000 +0000 +++ nginx-1.26.3/debian/patches/series 2026-05-15 14:13:33.000000000 +0000 @@ -9,3 +9,8 @@ CVE-2026-28753.patch CVE-2026-28755.patch CVE-2026-32647.patch +CVE-2026-40460.patch +CVE-2026-42945.patch +CVE-2026-42946.patch +CVE-2026-40701.patch +CVE-2026-42934.patch