
[AutoPR- Security] Patch nginx for CVE-2026-42055 [HIGH]#17871

Open
azurelinux-security wants to merge 2 commits into microsoft:fasttrack/3.0 from azurelinux-security:azure-autosec/nginx/3.0/1150065

Conversation

azurelinux-security commented Jun 30, 2026

Auto Patch nginx for CVE-2026-42055.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1150065&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

microsoft-github-policy-service (bot) added the labels "Packaging" and "fasttrack/3.0" (PRs Destined for Azure Linux 3.0) on Jun 30, 2026
Kanishk-Bansal marked this pull request as ready for review on June 30, 2026 14:14
Kanishk-Bansal requested a review from a team as a code owner on June 30, 2026 14:14
azurelinux-security (Author) commented

🔒 CVE Patch Review: CVE-2026-42055

PR #17871 — [AutoPR- Security] Patch nginx for CVE-2026-42055 [HIGH]
Package: nginx | Branch: fasttrack/3.0


Spec File Validation

Check             | Detail
------------------|----------------------------------------------------------------------------
Release bump      | Release bumped 5 → 6
Patch entry       | Patch entries added: ['CVE-2026-42055.patch'] (covers ['CVE-2026-42055'])
Patch application | %autosetup/%autopatch found in full spec — patches applied automatically
Changelog         | Changelog entry looks good
Signatures        | No source tarball changes — signatures N/A
Manifests         | Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:
  • Warnings (1):
    • L331: time="2026-06-30T11:39:21Z" level=debug msg="configure: warning: the \"--with-ipv6\" option is deprecated"

🤖 AI Build Log Analysis

  • Risk: low
  • Summary: The nginx RPM build completed successfully and produced the expected binary, filesystem, and debuginfo RPMs. The requested CVE-2026-42055 patch appears to have been applied during %prep without any reported failures, rejected hunks, fuzz, or offset messages, and the package then configured, compiled, installed, and packaged cleanly.
  • AI-detected warnings:
    • RPM emitted a warning about an absolute symlink: /var/log/nginx/log -> /var/opt/nginx/log.
    • RPM emitted a warning that it could not canonicalize the hostname inside the build environment; this appears environmental and did not affect the build.

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test warnings (1):
    • L326: time="2026-06-30T11:39:43Z" level=debug msg="configure: warning: the \"--with-ipv6\" option is deprecated"

🤖 AI Test Log Analysis

  • Risk: high
  • Summary: The nginx package build completed successfully and the %check phase reported an exit status of 0, but the test suite did not actually run as intended. During %check, the harness attempted to execute the nginx upstream Perl tests via su nginx -s /bin/sh -c 'TEST_NGINX_BINARY=/usr/sbin/nginx prove ./*.t', but failed immediately because the nginx user did not exist in the test environment. As a result, no meaningful test validation of the CVE-2026-42055 patch appears to have occurred despite the nominally successful build.
  • AI-detected test issues:
    • The %check test invocation failed to start: su nginx -s /bin/sh -c 'TEST_NGINX_BINARY=/usr/sbin/nginx prove ./*.t' returned su: user nginx does not exist or the user entry does not contain all the required fields.
    • The test harness still reported ====== CHECK DONE nginx. EXIT STATUS 0, indicating the failure to execute tests was not propagated as a test failure.
    • Security-relevant upstream nginx tests were present but effectively skipped/not executed because the required runtime user was missing.

Patch Analysis

  • Match type: significant_differences
  • Risk assessment: high
  • Summary: The PR patch only backports the gRPC-side changes from the upstream fix and omits the entire set of corresponding protections for src/http/modules/ngx_http_proxy_v2_module.c. While the grpc hunks appear functionally equivalent to upstream, the upstream CVE fix covers both HTTP/2/gRPC and proxy_v2 request construction paths, so the Azure patch is incomplete relative to the authoritative patch.
  • Missing hunks:
    • All upstream hunks for src/http/modules/ngx_http_proxy_v2_module.c are missing: method length check against NGX_HTTP_V2_MAX_FIELD before encoding
    • All upstream hunks for src/http/modules/ngx_http_proxy_v2_module.c are missing: URI length check against NGX_HTTP_V2_MAX_FIELD
    • All upstream hunks for src/http/modules/ngx_http_proxy_v2_module.c are missing: :authority/host length check against NGX_HTTP_V2_MAX_FIELD
    • All upstream hunks for src/http/modules/ngx_http_proxy_v2_module.c are missing: generic header key/value length checks before length accumulation
    • All upstream hunks for src/http/modules/ngx_http_proxy_v2_module.c are missing: per-header key/value length checks in the later header loop with detailed logging

Detailed analysis

The grpc portion of the PR is a straightforward backport of the upstream changes: it adds the same five classes of bounds checks in ngx_http_grpc_create_request() for method, URI, authority/host, computed key/value lengths, and explicit header key/value lengths, with the same control flow and error handling. The context/index lines differ, but that is normal for a backport and does not indicate a semantic issue in the grpc file. However, upstream modifies two source files and the PR carries only one of them. The entire ngx_http_proxy_v2_module.c half of the fix is absent. Because upstream explicitly applies the same HTTP/2 field size protections in both grpc and proxy_v2 request creation paths, omitting proxy_v2 means the packaged fix does not fully match the authoritative CVE remediation. There is no indication in the provided materials that ngx_http_proxy_v2_module.c is absent from the Azure tree or otherwise intentionally non-applicable, so the missing hunks are not justified based on the evidence shown. As a result, the patch should be considered an incomplete backport with potentially remaining exposure in the proxy_v2 path. Regression risk from the included grpc changes is low by themselves, since they only reject oversize fields before buffer sizing/encoding, but overall security risk remains high due to the missing module coverage.


Verdict

CHANGES REQUESTED — Please address the issues flagged above.
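The silently skipped %check described in the test-log analysis above, as an added example (not code from the PR or from the Azure Linux nginx spec): a POSIX sh wrapper a spec's %check could call so that a missing runtime user or an empty test set fails the build instead of ending with EXIT STATUS 0. The user name nginx, the prove invocation and the ./*.t glob come from the PR's test log; the function name and the exit codes 3 and 4 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the PR or the nginx spec. Guards a %check-style
# test invocation so that "could not start" is never reported as "passed".
# Exit codes 3 and 4 are assumptions chosen for this example.

run_nginx_checks() {
    user="$1"      # account the tests must run as (the PR's log uses "nginx")
    testdir="$2"   # directory holding the upstream ./*.t Perl tests
    shift 2        # remaining arguments: the real test command, e.g.
                   #   su "$user" -s /bin/sh -c 'TEST_NGINX_BINARY=/usr/sbin/nginx prove ./*.t'

    # 1. The PR's log shows su failing with "user nginx does not exist" while
    #    %check still ended with EXIT STATUS 0. Refuse to continue when the
    #    account is missing, so the failure is explicit and non-zero.
    if ! id -u "$user" >/dev/null 2>&1; then
        printf 'check: runtime user %s is missing; tests cannot run\n' "$user" >&2
        return 3
    fi

    # 2. An empty glob would make "prove ./*.t" run zero tests and still
    #    exit 0; require at least one test file to be present.
    count=0
    for t in "$testdir"/*.t; do
        [ -e "$t" ] && count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        printf 'check: no *.t files under %s; nothing was tested\n' "$testdir" >&2
        return 4
    fi

    # 3. Run the test command and hand its exit status back unchanged, so a
    #    %check written as `run_nginx_checks nginx tests su ... || exit 1`
    #    turns any runner failure into a failed build.
    "$@"
}
```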

xordux left a comment

LGTM

  • The patch's code is the same as the upstream fix.
  • The original patch has fixes for two files, but our version doesn't have ngx_http_proxy_v2_module.c (so it's skipped).
  • GitHub checks failed due to P-Test failures of libguestfs and nbdkit (existing failures).

xordux self-requested a review on July 2, 2026 05:24

xordux left a comment

The release version in the 3.0-dev branch has been updated. We need to update the release version from 6 to 7.

Patch is fine.

xordux self-requested a review on July 2, 2026 13:34