Summary
The nginx package in Photon 5 is pinned to 1.28.3 (SPECS/nginx/nginx.spec) and is affected by CVE-2026-42945 ("NGINX Rift"), a heap buffer overflow in ngx_http_rewrite_module that can lead to remote code execution from an unauthenticated HTTP request.
Reference: https://depthfirst.com/nginx-rift
Why Photon needs a bump (not a backport)
nginx CHANGES shows the upstream patch was published only in nginx 1.30.1 (2026-05-13) and 1.31.0. There is no 1.28.x backport — the 1.28.x stable line has had no further releases after the CVE disclosure. To pick up the fix, Photon 5 needs to move its stable branch from 1.28 to 1.30 (the project already did a similar bump from 1.26 → 1.28 in commit 3c9442255344 on 2026-03-31).
Impact
Photon 5's nginx package is consumed at least by:
- Harbor's
goharbor/nginx-photon image (tdnf install -y nginx in make/photon/nginx/Dockerfile.base) — every Harbor v2.13.x / v2.14.x / v2.15.x release tested ships nginx 1.26.3 or 1.28.3, all vulnerable
- Any direct user of
tdnf install nginx on Photon 5
Suggested fix
Bump SPECS/nginx/nginx.spec to nginx 1.30.1, update the source hash, and re-apply the existing convert-to-dynamic.patch (or rebase if it no longer applies cleanly). This also picks up the other CVEs published alongside Rift:
Happy to provide a draft nginx.spec patch if useful, though I'm aware the project uses an internal Gerrit for code review.
Reproduction
$ curl -s https://raw.githubusercontent.com/vmware/photon/5.0/SPECS/nginx/nginx.spec | grep '^Version:'
Version: 1.28.3
$ docker run --rm --entrypoint nginx goharbor/nginx-photon:v2.14.4 -v
nginx version: nginx/1.26.3 # (built against an older Photon snapshot)
cc: @Anish-Jain @ankit-aj-jain — looks like you handled the 1.26.3 → 1.28.3 bump previously.
Summary
The
nginxpackage in Photon 5 is pinned to 1.28.3 (SPECS/nginx/nginx.spec) and is affected by CVE-2026-42945 ("NGINX Rift"), a heap buffer overflow inngx_http_rewrite_modulethat can lead to remote code execution from an unauthenticated HTTP request.Reference: https://depthfirst.com/nginx-rift
Why Photon needs a bump (not a backport)
nginx CHANGES shows the upstream patch was published only in nginx 1.30.1 (2026-05-13) and 1.31.0. There is no 1.28.x backport — the 1.28.x stable line has had no further releases after the CVE disclosure. To pick up the fix, Photon 5 needs to move its stable branch from 1.28 to 1.30 (the project already did a similar bump from 1.26 → 1.28 in commit
3c9442255344on 2026-03-31).Impact
Photon 5's nginx package is consumed at least by:
goharbor/nginx-photonimage (tdnf install -y nginxinmake/photon/nginx/Dockerfile.base) — every Harbor v2.13.x / v2.14.x / v2.15.x release tested ships nginx 1.26.3 or 1.28.3, all vulnerabletdnf install nginxon Photon 5Suggested fix
Bump
SPECS/nginx/nginx.specto nginx 1.30.1, update the source hash, and re-apply the existingconvert-to-dynamic.patch(or rebase if it no longer applies cleanly). This also picks up the other CVEs published alongside Rift:Happy to provide a draft
nginx.specpatch if useful, though I'm aware the project uses an internal Gerrit for code review.Reproduction
cc: @Anish-Jain @ankit-aj-jain — looks like you handled the 1.26.3 → 1.28.3 bump previously.