[Pkg-nginx-maintainers] Bug#1095403: nginx: CVE-2025-23419

Andrej Shadura andrewsh at debian.org
Mon Feb 17 11:07:19 GMT 2025


Hi Jan,

On Fri, 07 Feb 2025 13:28:18 +0100 Salvatore Bonaccorso <carnil at debian.org> wrote:
> CVE-2025-23419[0]:
> | When multiple server blocks are configured to share the same IP
> | address and port, an attacker can use session resumption to bypass
> | client certificate authentication requirements on these servers.
> | This vulnerability arises when TLS Session Tickets
> | https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
> | are used and/or the SSL session cache
> | https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
> | are used in the default server and the default server is performing
> | client certificate authentication.
> | Note: Software versions which have reached End of Technical Support
> | (EoTS) are not evaluated.

> [2] https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e

I tried to backport this patch to bullseye. It changes the logic in the
same way in two places, but one of them does not exist in the version
bullseye ships. I ended up dropping that part of the patch:

https://salsa.debian.org/lts-team/packages/nginx/-/commit/69bacbb70605c40a2f6fbef74eb7c0f248c1c650

Could you please have a look at whether this change still makes sense? I have no
way to test it properly.

Thanks!

-- 
Cheers,
   Andrej
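For readers checking whether their own deployment matches the precondition quoted in the CVE text above, here is an added illustration (constructed for this page, not from the bug report, the Debian package or nginx itself): a minimal configuration with the affected shape, followed by an interim hardening that removes that precondition on a build that does not yet carry the patch. Hostnames and file paths are placeholders.

```nginx
# Affected shape: several server blocks share one IP:port, and the
# default server both requires client certificates and keeps session
# resumption state (cache and/or tickets), which is exactly the
# condition the CVE description lists.
server {
    listen 443 ssl default_server;
    server_name admin.example.test;                   # placeholder
    ssl_certificate        /etc/ssl/site.crt;         # placeholder
    ssl_certificate_key    /etc/ssl/site.key;         # placeholder

    ssl_client_certificate /etc/ssl/client-ca.crt;    # placeholder
    ssl_verify_client      on;

    ssl_session_cache      shared:SSL:10m;   # server-side resumption state
    ssl_session_tickets    on;               # and/or stateless tickets
}

server {
    listen 443 ssl;                          # same IP and port as above
    server_name public.example.test;         # placeholder
    ssl_certificate        /etc/ssl/site.crt;         # placeholder
    ssl_certificate_key    /etc/ssl/site.key;         # placeholder
    # remaining directives as needed
}

# Interim hardening for an unpatched build: keep the client certificate
# requirement, but stop the default server from issuing resumable
# sessions. This costs full handshakes on every connection; the proper
# fix remains the patched package.
server {
    listen 443 ssl default_server;
    server_name admin.example.test;                   # placeholder
    ssl_certificate        /etc/ssl/site.crt;         # placeholder
    ssl_certificate_key    /etc/ssl/site.key;         # placeholder

    ssl_client_certificate /etc/ssl/client-ca.crt;    # placeholder
    ssl_verify_client      on;

    ssl_session_cache      off;
    ssl_session_tickets    off;
}
```

Run `nginx -t` after the change and confirm with `openssl s_client -reconnect` that sessions against the default server are no longer resumed.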