[AutoPR- Security] Patch nginx for CVE-2026-42055 [HIGH] #17871
azurelinux-security wants to merge 2 commits into
Conversation
🔒 CVE Patch Review: CVE-2026-42055
PR #17871 — [AutoPR- Security] Patch nginx for CVE-2026-42055 [HIGH]
Spec File Validation
Build Verification
🤖 AI Build Log Analysis
🧪 Test Log Analysis
🤖 AI Test Log Analysis
Patch Analysis
Detailed analysis
The grpc portion of the PR is a straightforward backport of the upstream changes: it adds the same five classes of bounds checks in ngx_http_grpc_create_request() for method, URI, authority/host, computed key/value lengths, and explicit header key/value lengths, with the same control flow and error handling. The context/index lines differ, but that is normal for a backport and does not indicate a semantic issue in the grpc file. However, upstream modifies two source files and the PR carries only one of them. The entire ngx_http_proxy_v2_module.c half of the fix is absent. Because upstream explicitly applies the same HTTP/2 field size protections in both grpc and proxy_v2 request creation paths, omitting proxy_v2 means the packaged fix does not fully match the authoritative CVE remediation. There is no indication in the provided materials that ngx_http_proxy_v2_module.c is absent from the Azure tree or otherwise intentionally non-applicable, so the missing hunks are not justified based on the evidence shown. As a result, the patch should be considered an incomplete backport with potentially remaining exposure in the proxy_v2 path. Regression risk from the included grpc changes is low by themselves, since they only reject oversize fields before buffer sizing/encoding, but overall security risk remains high due to the missing module coverage.
Verdict
❌ CHANGES REQUESTED — Please address the issues flagged above.
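The review above describes the shape of the fix as "reject oversize fields before buffer sizing/encoding". The following is an added illustration of that pattern in isolation; it is not nginx source, not part of this PR, and does not reproduce the upstream change. The struct names, the per-field and per-request limits, and the 4-byte length-prefix encoding are assumptions made for the example, and the sample requests are constructed.

```c
/* Added illustration, not nginx code: validate every field of an outgoing
 * request against a size cap BEFORE any buffer size is computed, so that an
 * oversize method, URI, host, header key or header value can never feed the
 * sizing arithmetic. All limits and names below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FIELD_MAX   (16U * 1024U)   /* assumed per-field limit            */
#define REQUEST_MAX (128U * 1024U)  /* assumed limit on the whole request */

typedef struct {
    const char *key;   size_t key_len;
    const char *value; size_t value_len;
} hdr_t;

typedef struct {
    const char  *method;  size_t method_len;
    const char  *uri;     size_t uri_len;
    const char  *host;    size_t host_len;
    const hdr_t *headers; size_t n_headers;
} req_t;

/* Bytes needed for one length-prefixed field (assumed 4-byte prefix + data).
 * Returns 0 when the field exceeds FIELD_MAX; a real field is never 0 bytes
 * because of the prefix, so 0 unambiguously means "rejected". */
static size_t field_size(size_t len) {
    return len > FIELD_MAX ? 0 : 4 + len;
}

/* Add b to *acc without ever wrapping: fail if the total would pass
 * REQUEST_MAX. *acc <= REQUEST_MAX is an invariant, so the subtraction
 * cannot underflow. */
static int add_checked(size_t *acc, size_t b) {
    if (b > REQUEST_MAX - *acc) return -1;
    *acc += b;
    return 0;
}

/* Size the buffer for r. Returns 0 and sets *out on success, -1 if any
 * field is oversize or the running total would exceed REQUEST_MAX.
 * Nothing is allocated or encoded until every field has passed. */
int size_request(const req_t *r, size_t *out) {
    size_t total = 0, sz, i;

    if ((sz = field_size(r->method_len)) == 0 || add_checked(&total, sz)) return -1;
    if ((sz = field_size(r->uri_len))    == 0 || add_checked(&total, sz)) return -1;
    if ((sz = field_size(r->host_len))   == 0 || add_checked(&total, sz)) return -1;

    for (i = 0; i < r->n_headers; i++) {
        if ((sz = field_size(r->headers[i].key_len))   == 0 || add_checked(&total, sz)) return -1;
        if ((sz = field_size(r->headers[i].value_len)) == 0 || add_checked(&total, sz)) return -1;
    }
    *out = total;
    return 0;
}

/* Constructed sample: a well-formed request; expected size is 5 prefixes
 * plus the field bytes. */
int demo_ok(void) {
    hdr_t h[] = { { "content-type", 12, "application/grpc", 16 } };
    req_t r = { "POST", 4, "/pkg.Svc/Call", 13, "example.invalid", 15, h, 1 };
    size_t n = 0;
    return size_request(&r, &n) == 0 && n == 4 * 5 + 4 + 13 + 15 + 12 + 16;
}

/* Constructed sample: one header value is one byte over FIELD_MAX. Only the
 * length is inspected, so the value pointer is never dereferenced. */
int demo_oversize_field(void) {
    hdr_t h[] = { { "x-big", 5, NULL, (size_t)FIELD_MAX + 1 } };
    req_t r = { "POST", 4, "/", 1, "example.invalid", 15, h, 1 };
    size_t n = 0;
    return size_request(&r, &n) == -1;
}

/* Constructed sample: every field is individually in range, but eight
 * FIELD_MAX values plus prefixes overflow REQUEST_MAX, so the total check
 * must still reject it. */
int demo_total_limit(void) {
    hdr_t h[8];
    size_t i, n = 0;
    for (i = 0; i < 8; i++) { h[i].key = "k"; h[i].key_len = 1;
                              h[i].value = NULL; h[i].value_len = FIELD_MAX; }
    req_t r = { "POST", 4, "/", 1, "example.invalid", 15, h, 8 };
    return size_request(&r, &n) == -1;
}

int main(void) {
    printf("ok=%d oversize=%d total=%d\n",
           demo_ok(), demo_oversize_field(), demo_total_limit());
    return 0;
}
```

The point of the ordering is the one the review makes about regression risk: because rejection happens before sizing, the only behavioural change for well-formed requests is none, and for oversize ones it is an early error instead of arithmetic on a length the encoder cannot represent.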
Auto Patch nginx for CVE-2026-42055.
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1150065&view=results
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static subpackages, etc.) have had their Release tag incremented.
./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json
./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON
*.signatures.json files
sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology