Skip to content

Photon 5 nginx (1.28.3) vulnerable to CVE-2026-42945 — upstream patch only in 1.30.1+ #1654

Description

@Yaminyam

Summary

The nginx package in Photon 5 is pinned to 1.28.3 (SPECS/nginx/nginx.spec) and is affected by CVE-2026-42945 ("NGINX Rift"), a heap buffer overflow in ngx_http_rewrite_module that can lead to remote code execution from an unauthenticated HTTP request.

Reference: https://depthfirst.com/nginx-rift

Why Photon needs a bump (not a backport)

nginx CHANGES shows the upstream patch was published only in nginx 1.30.1 (2026-05-13) and 1.31.0. There is no 1.28.x backport — the 1.28.x stable line has had no further releases after the CVE disclosure. To pick up the fix, Photon 5 needs to move its stable branch from 1.28 to 1.30 (the project already did a similar bump from 1.26 → 1.28 in commit 3c9442255344 on 2026-03-31).

Impact

Photon 5's nginx package is consumed at least by:

  • Harbor's goharbor/nginx-photon image (tdnf install -y nginx in make/photon/nginx/Dockerfile.base) — every Harbor v2.13.x / v2.14.x / v2.15.x release tested ships nginx 1.26.3 or 1.28.3, all vulnerable
  • Any direct user of tdnf install nginx on Photon 5

Suggested fix

Bump SPECS/nginx/nginx.spec to nginx 1.30.1, update the source hash, and re-apply the existing convert-to-dynamic.patch (or rebase if it no longer applies cleanly). This also picks up the other CVEs published alongside Rift:

Happy to provide a draft nginx.spec patch if useful, though I'm aware the project uses an internal Gerrit for code review.

Reproduction

$ curl -s https://raw.githubusercontent.com/vmware/photon/5.0/SPECS/nginx/nginx.spec | grep '^Version:'
Version:        1.28.3
$ docker run --rm --entrypoint nginx goharbor/nginx-photon:v2.14.4 -v
nginx version: nginx/1.26.3   # (built against an older Photon snapshot)

cc: @Anish-Jain @ankit-aj-jain — looks like you handled the 1.26.3 → 1.28.3 bump previously.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions