Bug 35280 - nginx new security issues CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651, CVE-2026-28753, CVE-2026-28755
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-26 09:45 CET by Nicolas Salguero
Modified: 2026-05-07 07:08 CEST

See Also:
Source RPM: nginx-1.26.3-1.2.mga9.src.rpm
CVE: CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651, CVE-2026-28753, CVE-2026-28755
Status comment: Fixed upstream in 1.29.7
herman.viaene: test_passed_mga9_64+



Description Nicolas Salguero 2026-03-26 09:45:42 CET
Reference: https://www.openwall.com/lists/oss-security/2026/03/26/3
Nicolas Salguero 2026-03-26 09:46:42 CET

Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2026-27654, CVE-2026-27784, CVE-2026-32647, CVE-2026-27651, CVE-2026-28753, CVE-2026-28755
Source RPM: (none) => nginx-1.29.5-1.mga10.src.rpm, nginx-1.26.3-1.2.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.29.7

Comment 1 Nicolas Salguero 2026-03-26 11:11:15 CET
For Cauldron, I asked for a freeze move.

Version: Cauldron => 9
Source RPM: nginx-1.29.5-1.mga10.src.rpm, nginx-1.26.3-1.2.mga9.src.rpm => nginx-1.26.3-1.2.mga9.src.rpm
Flags: affects_mga9+ => (none)
Whiteboard: MGA9TOO => (none)

Comment 2 Lewis Smith 2026-03-29 10:28:02 CEST
Meaning Cauldron is done! Thanks. Remains M9.

Assigning globally, CC'ing mrambo3501 who put up version 1.29.1 not so long ago.

CC: (none) => mhrambo3501
Assignee: bugsquad => pkg-bugs

Comment 3 Mike Rambo 2026-05-03 21:05:55 CEST
Updated package built for Mageia 9.

Advisory:
========================

Updated nginx package fixes security vulnerabilities:

Buffer overflow in ngx_http_dav_module (CVE-2026-27654)
Buffer overflow in the ngx_http_mp4_module (CVE-2026-27784)
Buffer overflow in the ngx_http_mp4_module (CVE-2026-32647)
NULL pointer dereference while using CRAM-MD5 or APOP (CVE-2026-27651)
Injection in auth_http and XCLIENT (CVE-2026-28753)
OCSP result bypass in stream (CVE-2026-28755)


References:
https://www.openwall.com/lists/oss-security/2026/03/26/3
https://nvd.nist.gov/vuln/detail/CVE-2026-27654
https://nvd.nist.gov/vuln/detail/CVE-2026-27784
https://nvd.nist.gov/vuln/detail/CVE-2026-32647
https://nvd.nist.gov/vuln/detail/CVE-2026-27651
https://nvd.nist.gov/vuln/detail/CVE-2026-28753
https://nvd.nist.gov/vuln/detail/CVE-2026-28755
========================

Updated packages in core/updates_testing:
========================
nginx-1.29.7-1.mga9.x86_64.rpm

from nginx-1.29.7-1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2026-05-04 11:43:07 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34585.
# systemctl start nginx
# systemctl -l status nginx
● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: active (running) since Mon 2026-05-04 11:39:37 CEST; 15s ago
    Process: 92492 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
    Process: 92502 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
   Main PID: 92506 (nginx)
      Tasks: 2 (limit: 8728)
     Memory: 5.0M
        CPU: 362ms
     CGroup: /system.slice/nginx.service
             ├─92506 "nginx: master process /usr/sbin/nginx"
             └─92507 "nginx: worker process"

May 04 11:39:36 mach3.hviaene.thuis systemd[1]: Starting nginx.service...
May 04 11:39:37 mach3.hviaene.thuis nginx[92492]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 04 11:39:37 mach3.hviaene.thuis nginx[92492]: nginx: configuration file /etc/nginx/nginx.conf test is successful
May 04 11:39:37 mach3.hviaene.thuis systemd[1]: Started nginx.service.

Point to http://localhost/ and get test page "Welcome to nginx 1.29.7 on Mageia!"
OK for me

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2026-05-05 16:56:49 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-05-07 04:54:11 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2026-05-07 07:08:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0111.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

