Describe the bug
Hi,
The Photon OS nginx server is likely within the affected version range for CVE-2026-42945 (nginx Rift).
Version check
- Affected range: NGINX Open Source 0.6.27 → 1.30.0
- vmwarecna/nginx ships: nginx 1.7.11
- 1.7.11 falls squarely inside that range. The bug was introduced in 2008 (~0.6.27) and only fixed in 1.30.1 / 1.31.0. So the code-level flaw is present in this image.
The vulnerable code is in ngx_http_rewrite_module, which is compiled into nginx by default, so the module is definitely present in the 1.7.11 build.
Reproduction steps
Please review the following prepared PRs and let me know whether they provide any benefit.
Expected behavior
patches for CVE-2026-42945 done.
Additional context
#1654 From a risk perspective, crafting co-disclosed CVEs into custom backports is usually a safe option. A version bump is "easier" if the risks are well-known.
Summary by risk
┌──────────────────────────────────┬────────────┬─────────┬───────────────────┬─────┐
│ Change │ 4.0 │ 5.0 ≤91 │ 5.0 ≥92 │ 6.0 │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ TLSv1/1.1 disabled │ ● │ ● │ already in 1.28.x │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ proxy_http_version 1.1 default │ ● │ ● │ ● │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ upstream keepalive on by default │ ● │ ● │ ● │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ Chunked LF-only rejected │ ● │ ● │ ● │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ RFC 3986 host validation │ ● │ ● │ ● │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ njs 0.9.0 String API removal │ ● (static) │ ● │ — │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ njs 0.8.5 binary/UTF-8 split │ ● │ ● │ — │ ● │
├──────────────────────────────────┼────────────┼─────────┼───────────────────┼─────┤
│ TLSv1.3 cert compression off │ ● │ ● │ ● │ ● │
└──────────────────────────────────┴────────────┴─────────┴───────────────────┴─────┘
The 4.0 spec uses --add-module=njs-... (static) rather than --add-dynamic-module. With njs compiled into the nginx binary, any njs config script using the removed String methods or the old binary encoding API will cause nginx to fail to load the configuration on startup - there is no way to unload a static module at runtime. This is a harder failure mode than on 5.0/6.0 where the njs .so can simply not be loaded.
The two changes most likely to cause silent regressions in production are the proxy keepalive default and the proxy_http_version 1.1 default - both in 1.29.7 - since they alter outbound connection behaviour without any warning in nginx error logs.
Describe the bug
Hi,
The Photon OS nginx server is likely within the affected version range for CVE-2026-42945 (nginx Rift).
Version check
The vulnerable code is in ngx_http_rewrite_module, which is compiled into nginx by default, so the module is definitely present in the 1.7.11 build.
Reproduction steps
Please review the following prepared PRs and let me know whether they provide any benefit.
Expected behavior
patches for CVE-2026-42945 done.
Additional context
#1654 From a risk perspective, crafting co-disclosed CVEs into custom backports is usually a safe option. A version bump is "easier" if the risks are well-known.
The 4.0 spec uses --add-module=njs-... (static) rather than --add-dynamic-module. With njs compiled into the nginx binary, any njs config script using the removed String methods or the old binary encoding API will cause nginx to fail to load the configuration on startup - there is no way to unload a static module at runtime. This is a harder failure mode than on 5.0/6.0 where the njs .so can simply not be loaded.
The two changes most likely to cause silent regressions in production are the
proxy keepalive defaultand theproxy_http_version 1.1 default- both in 1.29.7 - since they alter outbound connection behaviour without any warning in nginx error logs.