[Pkg-nginx-maintainers] Bug#1095403: nginx: CVE-2025-23419
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 7 12:28:18 GMT 2025
Source: nginx
Version: 1.26.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.22.1-9
Hi,
The following vulnerability was published for nginx.
CVE-2025-23419[0]:
| When multiple server blocks are configured to share the same IP
| address and port, an attacker can use session resumption to bypass
| client certificate authentication requirements on these servers.
| This vulnerability arises when TLS Session Tickets
| https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
| are used and/or the SSL session cache
| https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
| are used in the default server and the default server is performing
| client certificate authentication. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-23419
https://www.cve.org/CVERecord?id=CVE-2025-23419
[1] https://www.openwall.com/lists/oss-security/2025/02/05/8
[2] https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
Regards,
Salvatore
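An added illustration of the configuration shape the CVE description above refers to, followed by the same default server without the session-resumption precondition it names; this is not part of the bug report or of the nginx project, and the address, hostnames, certificate paths and cache name are placeholders.

```nginx
# Added illustration, not from the bug report. Placeholders throughout.

# --- Shape described by CVE-2025-23419 ---
# Two server blocks share one IP:port. The default server performs client
# certificate authentication AND enables session resumption (session cache
# and/or session tickets). Per the advisory, session resumption can then be
# used to bypass the client certificate requirement on these servers.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name mtls.example.invalid;

    ssl_certificate        /etc/nginx/certs/server.crt;     # placeholder
    ssl_certificate_key    /etc/nginx/certs/server.key;     # placeholder
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;  # placeholder
    ssl_verify_client      on;

    ssl_session_cache   shared:SSL:10m;   # resumption via session IDs
    ssl_session_tickets on;               # resumption via session tickets
}

server {
    listen 203.0.113.10:443 ssl;          # same IP and port as the default server
    server_name public.example.invalid;

    ssl_certificate     /etc/nginx/certs/server.crt;        # placeholder
    ssl_certificate_key /etc/nginx/certs/server.key;        # placeholder
    # no client certificate authentication on this server block
}

# --- Same default server without the named precondition ---
# The fix is the patched nginx package referenced in [2]. Until it is
# installed, a client-authenticating default server that does not use the
# session cache or session tickets does not match the condition the
# advisory describes (the advisory names no other workaround).
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name mtls.example.invalid;

    ssl_certificate        /etc/nginx/certs/server.crt;     # placeholder
    ssl_certificate_key    /etc/nginx/certs/server.key;     # placeholder
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;  # placeholder
    ssl_verify_client      on;

    ssl_session_cache   off;   # no session-ID resumption
    ssl_session_tickets off;   # no ticket resumption
}
```

Disabling resumption costs a full handshake per connection to the mTLS server; weigh that against deploying the fixed package promptly.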