Bug 35104 - nginx new security issue CVE-2026-1642
Summary: nginx new security issue CVE-2026-1642
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-02-05 11:52 CET by Nicolas Salguero
Modified: 2026-02-09 20:57 CET (History)
3 users (show)

See Also:
Source RPM: nginx-1.26.3-1.1.mga9.src.rpm
CVE: CVE-2026-1642
Status comment:
herman.viaene: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Nicolas Salguero 2026-02-05 11:53:26 CET

CVE: (none) => CVE-2026-1642
Status comment: (none) => Fixed upstream in 1.29.5 and patch available from upstream
Source RPM: (none) => nginx-1.29.1-1.mga10.src.rpm, nginx-1.26.3-1.1.mga9.src.rpm
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2026-02-05 19:43:38 CET 
Different packagers deal with nginx, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2026-02-06 14:02:32 CET 
For Cauldron, I asked for a freeze move.

Suggested advisory:
========================

The updated package fixes a security vulnerability:

MitM injection. (CVE-2026-1642)

References:
https://www.openwall.com/lists/oss-security/2026/02/05/1
========================

Updated package in core/updates_testing:
========================
nginx-1.26.3-1.2.mga9

from SRPM:
nginx-1.26.3-1.2.mga9.src.rpm

Status: NEW => ASSIGNED
Source RPM: nginx-1.29.1-1.mga10.src.rpm, nginx-1.26.3-1.1.mga9.src.rpm => nginx-1.26.3-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 1.29.5 and patch available from upstream => (none)
Flags: affects_mga9+ => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9

Comment 3 Herman Viaene 2026-02-07 15:24:45 CET 
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34585.
# systemctl start nginx
# systemctl -l status nginx
● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: active (running) since Sat 2026-02-07 15:17:38 CET; 27s ago
    Process: 57397 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
    Process: 57415 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
   Main PID: 57424 (nginx)
      Tasks: 2 (limit: 8805)
     Memory: 4.8M
        CPU: 302ms
     CGroup: /system.slice/nginx.service
             ├─57424 "nginx: master process /usr/sbin/nginx"
             └─57425 "nginx: worker process"

Feb 07 15:17:37 mach3.hviaene.thuis systemd[1]: Starting nginx.service...
Feb 07 15:17:38 mach3.hviaene.thuis nginx[57397]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Feb 07 15:17:38 mach3.hviaene.thuis nginx[57397]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Feb 07 15:17:38 mach3.hviaene.thuis systemd[1]: Started nginx.service.

Point to http://localhost/ and get test page Welcome to nginx 1.26.3 on Mageia!
Looks good.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

katnatek 2026-02-08 23:50:12 CET

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2026-02-09 00:48:10 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2026-02-09 20:57:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0033.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.