Version in base suite: 1.26.3-3+deb13u4 Version in overlay suite: 1.26.3-3+deb13u6 Base version: nginx_1.26.3-3+deb13u6 Target version: nginx_1.26.3-3+deb13u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.26.3-3+deb13u6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.26.3-3+deb13u7.dsc changelog | 10 patches/Charset-fixed-another-rare-buffer-overread-in-recode.patch | 38 +++ patches/Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch | 104 ++++++++++ patches/series | 2 4 files changed, 154 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9zsnr1hv/nginx_1.26.3-3+deb13u6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9zsnr1hv/nginx_1.26.3-3+deb13u7.dsc: no acceptable signature found
diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog
--- nginx-1.26.3/debian/changelog 2026-06-05 12:22:02.000000000 +0000
+++ nginx-1.26.3/debian/changelog 2026-06-27 20:33:06.000000000 +0000
@@ -1,3 +1,13 @@
+nginx (1.26.3-3+deb13u7) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Upstream: limit header length for HTTP/2 and gRPC (CVE-2026-42055)
+ (Closes: #1140359)
+ * Charset: fixed another rare buffer overread in recode_from_utf8()
+ (CVE-2026-48142) (Closes: #1140361)
+
+ -- Salvatore Bonaccorso Sat, 27 Jun 2026 22:33:06 +0200
+
 nginx (1.26.3-3+deb13u6) trixie-security; urgency=medium
 
 * Apply both patches to fix CVE-2026-42946. In the previous version,
diff -Nru nginx-1.26.3/debian/patches/Charset-fixed-another-rare-buffer-overread-in-recode.patch nginx-1.26.3/debian/patches/Charset-fixed-another-rare-buffer-overread-in-recode.patch
--- nginx-1.26.3/debian/patches/Charset-fixed-another-rare-buffer-overread-in-recode.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/Charset-fixed-another-rare-buffer-overread-in-recode.patch 2026-06-27 20:31:47.000000000 +0000
@@ -0,0 +1,38 @@
+From: Sergey Kandaurov
+Date: Mon, 1 Jun 2026 21:46:48 +0400
+Subject: Charset: fixed another rare buffer overread in recode_from_utf8()
+Origin: https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7
+Bug-Debian: https://bugs.debian.org/1140361
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-48142
+
+With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte
+overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode()
+stops advancing the pointer position on the first encountered invalid
+byte. The fix is to adjust the advanced pointer up to the whole saved
+sequence in this case. Note that this may result in different output
+compared to complete invalid UTF-8 sequences, which we can disregard
+at this point.
+
+Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.
+---
+ src/http/modules/ngx_http_charset_filter_module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
+index edb2db568307..e0115e1e4435 100644
+--- a/src/http/modules/ngx_http_charset_filter_module.c
++++ b/src/http/modules/ngx_http_charset_filter_module.c
+@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
+ "http charset invalid utf 1");
+ 
++ if (saved < &ctx->saved[ctx->saved_len]) {
++ saved = &ctx->saved[ctx->saved_len];
++ }
++
+ } else {
+ dst = ngx_sprintf(dst, "&#%uD;", n);
+ }
+-- 
+2.53.0
+
diff -Nru nginx-1.26.3/debian/patches/Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch nginx-1.26.3/debian/patches/Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch
--- nginx-1.26.3/debian/patches/Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.26.3/debian/patches/Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch 2026-06-27 20:30:54.000000000 +0000
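Review bot: The clamp added to ngx_http_charset_recode_from_utf8() in the Charset patch (`if (saved < &ctx->saved[ctx->saved_len])`) has no comment, so the reason for it lives only in the patch description. A short comment above it would keep that with the code, for example `/* ngx_utf8_decode() stops at the first invalid byte; skip the whole saved sequence */`. The description also states that output may differ from that for complete invalid UTF-8 sequences, which is worth recording in the same comment so a later reader does not take it for a regression. The function starts and ends outside the inner hunk, so how `saved` is consumed afterwards is not visible here.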
@@ -0,0 +1,104 @@
+From: Roman Arutyunyan
+Date: Tue, 2 Jun 2026 19:37:17 +0400
+Subject: Upstream: limit header length for HTTP/2 and gRPC
+Origin: https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3
+Bug-Debian: https://bugs.debian.org/1140359
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-42055
+
+The change applies the HTTP/2 header length limits to avoid buffer
+overflow. See 58a7bc3406ac for details.
+
+Reported by Mufeed VH of Winfunc Research.
+[Salvatore Bonaccorso: Drop changes for HTTP/2 proxy module which only got
+added in release-1.29.4]
+---
+ src/http/modules/ngx_http_grpc_module.c | 44 +++++++++++++++++++++
+ src/http/modules/ngx_http_proxy_v2_module.c | 44 +++++++++++++++++++++
+ 2 files changed, 88 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
+index cc3aebe59496..1895ef31b763 100644
+--- a/src/http/modules/ngx_http_grpc_module.c
++++ b/src/http/modules/ngx_http_grpc_module.c
+@@ -749,6 +749,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+ tmp_len = 0;
+ 
+ } else {
++ if (r->method_name.len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 method: \"%V\"", &r->method_name);
++ return NGX_ERROR;
++ }
++
+ len += 1 + NGX_HTTP_V2_INT_OCTETS + r->method_name.len;
+ tmp_len = r->method_name.len;
+ }
+@@ -769,6 +775,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+ uri_len = r->uri.len + escape + sizeof("?") - 1 + r->args.len;
+ }
+ 
++ if (uri_len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 URI");
++ return NGX_ERROR;
++ }
++
+ len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len;
+ 
+ if (tmp_len < uri_len) {
+@@ -778,6 +790,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+ /* :authority header */
+ 
+ if (!glcf->host_set) {
++ if (ctx->host.len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 host: \"%V\"", &ctx->host);
++ return NGX_ERROR;
++ }
++
+ len += 1 + NGX_HTTP_V2_INT_OCTETS + ctx->host.len;
+ 
+ if (tmp_len < ctx->host.len) {
+@@ -808,6 +826,18 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+ continue;
+ }
+ 
++ if (key_len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 header name");
++ return NGX_ERROR;
++ }
++
++ if (val_len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 header value");
++ return NGX_ERROR;
++ }
++
+ len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len
+ + NGX_HTTP_V2_INT_OCTETS + val_len;
+ 
+@@ -842,6 +872,20 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+ continue;
+ }
+ 
++ if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 header name: \"%V\"",
++ &header[i].key);
++ return NGX_ERROR;
++ }
++
++ if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) {
++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++ "too long http2 header value: \"%V: %V\"",
++ &header[i].key, &header[i].value);
++ return NGX_ERROR;
++ }
++
+ len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len
+ + NGX_HTTP_V2_INT_OCTETS + header[i].value.len;
+ 
+-- 
+2.53.0
+
diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series
--- nginx-1.26.3/debian/patches/series 2026-06-05 12:22:02.000000000 +0000
+++ nginx-1.26.3/debian/patches/series 2026-06-27 20:32:00.000000000 +0000
@@ -17,3 +17,5 @@
 CVE-2026-42934.patch
 CVE-2026-9256.patch
 FIX-HTTP2bomb.patch
+Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch
+Charset-fixed-another-rare-buffer-overread-in-recode.patch
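Review bot: The header of Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch has a stale diffstat: it still lists `src/http/modules/ngx_http_proxy_v2_module.c | 44` and `2 files changed, 88 insertions(+)`, while the backport note says the proxy_v2 changes were dropped and only the ngx_http_grpc_module.c diff follows. Trimming the diffstat to `1 file changed, 44 insertions(+)` would keep the header in step with what is applied, which helps when auditing the CVE-2026-42055 backport against the upstream commit. Separately, the method, host and second-loop messages print request-derived strings with `%V` that are over-long by definition at that point; presumably the error log's line-length cap bounds them, but that is worth confirming for this branch. ngx_http_grpc_create_request() starts and ends outside these hunks.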