This update for nginx fixes the following issues:
- CVE-2026-1642: plain text data injection into the response from an upstream proxied server (bsc#1257675).
- CVE-2026-27654: buffer overflow in the NGINX worker process via the `ngx_http_dav_module` module (bsc#1260416).
- CVE-2026-27784: NGINX worker memory over-read or over-write via a specially crafted MP4 file (bsc#1260417).
- CVE-2026-28753: improper handling of CRLF sequences in CRLF responses allows for arbitrary header injection into SMTP
upstream requests (bsc#1260418).
- CVE-2026-28755: TLS handshakes can succeed with revoked certificates due to improper handling of such certificates by
the `ngx_stream_ssl_module` module (bsc#1260419).
Patch instructions:
To install this openSUSE security update, use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch...
- openSUSE Leap 16.0:
nginx-1.27.2-160000.3.1
nginx-source-1.27.2-160000.3.1
* bsc#1257675
* bsc#1260416
* bsc#1260417
* bsc#1260418
* bsc#1260419
References:
* https://www.suse.com/security/cve/CVE-2026-1642.html
* https://www.suse.com/security/cve/CVE-2026-27654.html
* https://www.suse.com/security/cve/CVE-2026-27784.html
* https://www.suse.com/security/cve/CVE-2026-28753.html
* https://www.suse.com/security/cve/CVE-2026-28755.html