SUSE-SU-2026:1953-1

Details

Description of the patch:

This update for nginx fixes the following issues

Security issues:

CVE-2026-1642: plain text data injection into the response from an upstream proxied server (bsc#1257675).
CVE-2026-27654: buffer overflow in the NGINX worker process via the ngx_http_dav_module module (bsc#1260416).
CVE-2026-27784: NGINX worker memory over-read or over-write via a specially crafted MP4 file (bsc#1260417).
CVE-2026-28753: improper handling onf CRLF sequences in DNS responses allows for arbitrary header injection into SMTP upstream requests (bsc#1260418).

Non security issue:

nginx always runs into 'timed out. Killing' on shutdown when there are long-running processes (bsc#1243502).

Affected Packages

nginx

SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP4-LTSSSUSE Linux Enterprise High Performance Computing 15 SP5-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP5-LTSSSUSE Linux Enterprise Server 15 SP4-LTSS

Fixed in:

1.21.5-150400.3.15.1

nginx-source

SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP4-LTSSSUSE Linux Enterprise High Performance Computing 15 SP5-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP5-LTSSSUSE Linux Enterprise Server 15 SP4-LTSS

Fixed in:

1.21.5-150400.3.15.1

References

ADVISORY

https://bugzilla.suse.com/1243502

ADVISORY

https://bugzilla.suse.com/1257675

ADVISORY

https://bugzilla.suse.com/1260416

ADVISORY

https://bugzilla.suse.com/1260417

ADVISORY