GET /api/patches/2196274/?format=api
{ "id": 2196274, "url": "http://patchwork.ozlabs.org/api/patches/2196274/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260213100508.422846-1-thomas.perale@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260213100508.422846-1-thomas.perale@mind.be>", "list_archive_url": null, "date": "2026-02-13T10:05:08", "name": "[2025.02.x] package/nginx: patch CVE-2025-53859", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "6accab94c4230d08e7917bb206367e653c1c9c13", "submitter": { "id": 87308, "url": "http://patchwork.ozlabs.org/api/people/87308/?format=api", "name": "Thomas Perale", "email": "thomas.perale@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260213100508.422846-1-thomas.perale@mind.be/mbox/", "series": [ { "id": 492072, "url": "http://patchwork.ozlabs.org/api/series/492072/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=492072", "date": "2026-02-13T10:05:08", "name": "[2025.02.x] package/nginx: patch CVE-2025-53859", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492072/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196274/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196274/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass 
(2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=FC+tIEe+;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fC78m1mfdz1xpl\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Fri, 13 Feb 2026 21:05:44 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 41A5E607AD;\n\tFri, 13 Feb 2026 10:05:42 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id xH-S9hOKEXsD; Fri, 13 Feb 2026 10:05:41 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 2DDB2607C5;\n\tFri, 13 Feb 2026 10:05:41 +0000 (UTC)", "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id DC4AFEC\n for <buildroot@buildroot.org>; Fri, 13 Feb 2026 10:05:39 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id C9A8C411EC\n for <buildroot@buildroot.org>; Fri, 13 Feb 2026 10:05:39 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 4xH4FhhaHqVH for <buildroot@buildroot.org>;\n Fri, 13 Feb 2026 10:05:38 +0000 (UTC)", "from mail-ej1-x632.google.com (mail-ej1-x632.google.com\n [IPv6:2a00:1450:4864:20::632])\n by smtp4.osuosl.org (Postfix) with ESMTPS 
id 8BF17411D4\n for <buildroot@buildroot.org>; Fri, 13 Feb 2026 10:05:37 +0000 (UTC)", "by mail-ej1-x632.google.com with SMTP id\n a640c23a62f3a-b885a18f620so94101766b.3\n for <buildroot@buildroot.org>; Fri, 13 Feb 2026 02:05:37 -0800 (PST)", "from arch ([79.132.229.53]) by smtp.gmail.com with ESMTPSA id\n a640c23a62f3a-b8f6ec5740csm235981166b.56.2026.02.13.02.05.35\n for <buildroot@buildroot.org>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 13 Feb 2026 02:05:35 -0800 (PST)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 2DDB2607C5", "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 8BF17411D4" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1770977141;\n\tbh=T5I1pkYfcGKVU19275sgVM9lDfN4mKj4ocA7Bzxvn9Q=;\n\th=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:\n\t List-Help:List-Subscribe:From:Reply-To:From;\n\tb=FC+tIEe+8S6HHqBzdB9YGuot09yGjKSlJSUwNsU7who9JOvLt0Tg4wQ7FyU1IDJlM\n\t HnO3toy2BDQ4jzsjg+q1appmFsAbl48zn11UZJ/x1vnn8TlvwDvSU/P9iPJFkU9zr4\n\t lCFXureW+VfTUYkc/Wajlq9Rg4Je3q6WYP1Ln4lHVJ9BqAJn/HjZRg398V85e9CiiW\n\t dhczmYAuOTO1z/62IisxIGX+VWKc7PmT68yGlYOJffu9r++iDR1jUs0PC5EXxcRRG1\n\t WqdYtBH1K3xSByUdbp/Vri2cx+rrtX5VzTJwvfUuVHyWmJDoiCfdvjQyy1MQLIktKg\n\t 1wavUzNzMtzig==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::632; helo=mail-ej1-x632.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp4.osuosl.org 8BF17411D4", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1770977136; x=1771581936;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n 
:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=34pLM2V0JbtagAq0LhCSxfcyt8f0BqEfXACgj/am6Ig=;\n b=k5eavwttBJb+x+Wiz7jvSJwb/OvG4CiXjZ6FrSLtOeO1W1m2Skeq9kaZ+CPhcuQva2\n NShXsXp7vi+w59L6GFBOB9RAgskOMQEpDQwvvrSCT4jK0WYup7ZcxwwOprAo94XjtAst\n PKiLPLdWNpkCR1JMEqmjFfEZB7wgIlTw2VrZuADJ3z4iMcn3KpSOgiREkNwdYSV2KANk\n CH/cb7o0exUgnp1vkyTy9kdESbbSWohLRPfbXOEK3ETOcqCtTGCofNWjPzoW4MtbiDIb\n iNdC02UTUk3ufI6AyLb5gjtbotAYg0DzGgc07nLfv+0PeLvp9fv7praAzRQQz13ScfKT\n E1Cw==", "X-Gm-Message-State": "AOJu0Yx+S1rsRnyccpQSigMAfv1q+J2R87aboZy33p9eXdbWGztAkvN5\n mcvpbzhLAmJM5NV4uIWEFpve/ojC0rITvTNOIPu5op3Qj+u1qIkdyz8ElMI2vSNgZysqs7HEBwY\n Aqae/", "X-Gm-Gg": "AZuq6aLKNyNE428N5QhCwX9iUZVB8MpS5gAaJBm4ZOJvFlP0PM12oiIHszsyhQAMKRB\n sBEVOqnTyqDaTrZ2GEIma8I0ljXWd5uF+HdiDGidzt6w9LX9moqOtMhTwi7MFR+gaWn2BVMT+JA\n NTyM5m6wu7qqXBo1MWs+/zskWp8OiP3gUIsaqC+kEXeoD2Y3tsN+OoxcbsRPWF436hoTFvQfkfS\n HhfVXLZ91NVdZTWLsUBUZkz8vuHGwZ0vgA+k3duWNilxybucuwLUVrf2VlqTgGrj8VTTinzX6ta\n xpQC6X90v9Gyz/yo0jRBYZQSMyPIhDc5GiZIFJLodjTqGgGsbKwWaukjn94KLkAOZ8VvnQXMLJ9\n zK15zu+AH/sGvwyoztxshV3vNL7d3ONekz91wCW0HWuaDxkHGCpYJKa5WqwkKmkPJPduNsiSNlH\n WDw0/8QivQJrt8srg=", "X-Received": "by 2002:a17:907:6e8d:b0:b7c:e4e9:b13f with SMTP id\n a640c23a62f3a-b8face24c53mr106811966b.39.1770977135610;\n Fri, 13 Feb 2026 02:05:35 -0800 (PST)", "To": "buildroot@buildroot.org", "Date": "Fri, 13 Feb 2026 11:05:08 +0100", "Message-ID": "<20260213100508.422846-1-thomas.perale@mind.be>", "X-Mailer": "git-send-email 2.52.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1770977136; x=1771581936; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:from:to:cc:subject:date:message-id:reply-to;\n bh=34pLM2V0JbtagAq0LhCSxfcyt8f0BqEfXACgj/am6Ig=;\n b=b70RAii2AyCzW1fOrpGanc8M/AWGAdNLE6yrj6JPY2iFrTYdMNWjZHaAtB5yRMrMju\n WmYV70K5gw18HTFni9Jp5tNVDPFokcS5jeBH+xx7RZhJ+sIk7w3yUSblad1U9WDxTK3I\n 
RmBUz9kABMn+lEWcD3Cod6mriLgKBSeN16onjgITOOlMVpODFbrpNAYLN7gT5+Mi3Gjf\n en1n7rrUI+H3ouyE3GB77I234GuWZ4lpT/iSIT76uEV0xIQ++UZeKzSwEYT/rPNbQas9\n KdSpVaDnhgmD2YKJtQcoN5HhhdXYNFnk1xKPlVyKQTF6KBvBJwfuSw+GYARAcQHxRhge\n CdGQ==", "X-Mailman-Original-Authentication-Results": [ "smtp4.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=b70RAii2" ], "Subject": "[Buildroot] [2025.02.x, PATCH] package/nginx: patch CVE-2025-53859", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Thomas Perale via buildroot <buildroot@buildroot.org>", "Reply-To": "Thomas Perale <thomas.perale@mind.be>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "Fix the following vulnerability:\n\n- CVE-2025-53859:\n NGINX Open Source and NGINX Plus have a vulnerability in the\n ngx_mail_smtp_module that might allow an unauthenticated attacker to\n over-read NGINX SMTP authentication process memory; as a result, the\n server side may leak arbitrary bytes sent in a request to the\n authentication server. 
This issue happens during the NGINX SMTP\n authentication process and requires the attacker to make preparations\n against the target system to extract the leaked data. The issue\n affects NGINX only if (1) it is built with the ngx_mail_smtp_module,\n (2) the smtp_auth directive is configured with method \"none,\" and (3)\n the authentication server returns the \"Auth-Wait\" response header.\n Note: Software versions which have reached End of Technical Support\n (EoTS) are not evaluated.\n\nFor more information, see:\n - https://nvd.nist.gov/vuln/detail/CVE-2025-53859\n - https://nginx.org/download/patch.2025.smtp.txt\n\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>\n---\n package/nginx/0010-CVE-2025-53859.patch | 130 ++++++++++++++++++++++++\n package/nginx/nginx.mk | 3 +\n 2 files changed, 133 insertions(+)\n create mode 100644 package/nginx/0010-CVE-2025-53859.patch", "diff": "diff --git a/package/nginx/0010-CVE-2025-53859.patch b/package/nginx/0010-CVE-2025-53859.patch\nnew file mode 100644\nindex 0000000000..34befebd8a\n--- /dev/null\n+++ b/package/nginx/0010-CVE-2025-53859.patch\n@@ -0,0 +1,130 @@\n+CVE: CVE-2025-53859\n+Upstream: https://nginx.org/download/patch.2025.smtp.txt\n+Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n+\n+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c\n+index 1167df3fb..d3be7f3b3 100644\n+--- a/src/mail/ngx_mail_handler.c\n++++ b/src/mail/ngx_mail_handler.c\n+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)\n+ ngx_int_t\n+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)\n+ {\n+- u_char *p, *last;\n++ u_char *p, *pos, *last;\n+ ngx_str_t *arg, plain;\n+ \n+ arg = s->args.elts;\n+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)\n+ return NGX_MAIL_PARSE_INVALID_COMMAND;\n+ }\n+ \n+- s->login.data = p;\n++ pos = p;\n+ \n+ while (p < last && *p) { p++; }\n+ \n+@@ -565,7 +565,8 @@ 
ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)\n+ return NGX_MAIL_PARSE_INVALID_COMMAND;\n+ }\n+ \n+- s->login.len = p++ - s->login.data;\n++ s->login.len = p++ - pos;\n++ s->login.data = pos;\n+ \n+ s->passwd.len = last - p;\n+ s->passwd.data = p;\n+@@ -583,24 +584,26 @@ ngx_int_t\n+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,\n+ ngx_uint_t n)\n+ {\n+- ngx_str_t *arg;\n++ ngx_str_t *arg, login;\n+ \n+ arg = s->args.elts;\n+ \n+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,\n+ \"mail auth login username: \\\"%V\\\"\", &arg[n]);\n+ \n+- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));\n+- if (s->login.data == NULL) {\n++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));\n++ if (login.data == NULL) {\n+ return NGX_ERROR;\n+ }\n+ \n+- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {\n++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {\n+ ngx_log_error(NGX_LOG_INFO, c->log, 0,\n+ \"client sent invalid base64 encoding in AUTH LOGIN command\");\n+ return NGX_MAIL_PARSE_INVALID_COMMAND;\n+ }\n+ \n++ s->login = login;\n++\n+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,\n+ \"mail auth login username: \\\"%V\\\"\", &s->login);\n+ \n+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,\n+ ngx_int_t\n+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)\n+ {\n+- ngx_str_t *arg;\n++ ngx_str_t *arg, passwd;\n+ \n+ arg = s->args.elts;\n+ \n+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)\n+ \"mail auth login password: \\\"%V\\\"\", &arg[0]);\n+ #endif\n+ \n+- s->passwd.data = ngx_pnalloc(c->pool,\n+- ngx_base64_decoded_length(arg[0].len));\n+- if (s->passwd.data == NULL) {\n++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));\n++ if (passwd.data == NULL) {\n+ return NGX_ERROR;\n+ }\n+ \n+- if (ngx_decode_base64(&s->passwd, 
&arg[0]) != NGX_OK) {\n++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {\n+ ngx_log_error(NGX_LOG_INFO, c->log, 0,\n+ \"client sent invalid base64 encoding in AUTH LOGIN command\");\n+ return NGX_MAIL_PARSE_INVALID_COMMAND;\n+ }\n+ \n++ s->passwd = passwd;\n++\n+ #if (NGX_DEBUG_MAIL_PASSWD)\n+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,\n+ \"mail auth login password: \\\"%V\\\"\", &s->passwd);\n+@@ -674,24 +678,26 @@ ngx_int_t\n+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)\n+ {\n+ u_char *p, *last;\n+- ngx_str_t *arg;\n++ ngx_str_t *arg, login;\n+ \n+ arg = s->args.elts;\n+ \n+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,\n+ \"mail auth cram-md5: \\\"%V\\\"\", &arg[0]);\n+ \n+- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));\n+- if (s->login.data == NULL) {\n++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));\n++ if (login.data == NULL) {\n+ return NGX_ERROR;\n+ }\n+ \n+- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {\n++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {\n+ ngx_log_error(NGX_LOG_INFO, c->log, 0,\n+ \"client sent invalid base64 encoding in AUTH CRAM-MD5 command\");\n+ return NGX_MAIL_PARSE_INVALID_COMMAND;\n+ }\n+ \n++ s->login = login;\n++\n+ p = s->login.data;\n+ last = p + s->login.len;\ndiff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk\nindex 6ca1ac2075..9ea432abdb 100644\n--- a/package/nginx/nginx.mk\n+++ b/package/nginx/nginx.mk\n@@ -19,6 +19,9 @@ NGINX_CONF_OPTS = \\\n \t--with-cpp=\"$(TARGET_CC)\" \\\n \t--with-ld-opt=\"$(TARGET_LDFLAGS)\"\n \n+# 0010-CVE-2025-53859.patch\n+NGINX_IGNORE_CVES += CVE-2025-53859\n+\n # www-data user and group are used for nginx. Because these user and group\n # are already set by buildroot, it is not necessary to redefine them.\n # See system/skeleton/etc/passwd\n", "prefixes": [ "2025.02.x" ] }
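Review bot: The header of the new package/nginx/0010-CVE-2025-53859.patch carries only the CVE, Upstream and Signed-off-by tags, so nothing in the file records what the fix actually changes. From the nested hunks, ngx_mail_auth_plain, ngx_mail_auth_login_username, ngx_mail_auth_login_password and ngx_mail_auth_cram_md5 now parse or base64-decode into a local (`pos`, `login`, `passwd`) and assign `s->login` / `s->passwd` only after the last failure return. The old code wrote `s->login.data` or `s->passwd.data` first and could then return NGX_MAIL_PARSE_INVALID_COMMAND before the matching length was set; presumably that data/len mismatch is what feeds the over-read described in the commit message. I would add a one-line description above the tags, for example `Mail: commit login/passwd to the session only after parsing succeeds, so a rejected AUTH command cannot leave data and len out of sync.` That also gives whoever later drops this patch, together with the `NGINX_IGNORE_CVES += CVE-2025-53859` line in nginx.mk, something concrete to verify against the new upstream source.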