[Pkg-nginx-maintainers] Bug#1095403: ngix: CVE-2025-23419

Jan Mojzis jan.mojzis at gmail.com
Tue Feb 18 08:14:24 GMT 2025


Hi,
I have independently tested a patch for bookworm nginx (version 1.22.1-9),
and I got the same result.

The part of the upstream patch that cannot be applied is related to the module
`ngx_stream_ssl_module` and the `ngx_stream_ssl_servername` function,
which in the older versions (bullseye/bookworm) is a dummy function.

And if I understand correctly, support for 'stream virtual servers' was added
in this commit https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
So I assume that the 'ngx_stream_ssl_module' code is not vulnerable before this change.

But I haven't been able to do a practical test yet.

Jan

> On 17. 2. 2025, at 12:07, Andrej Shadura <andrewsh at debian.org> wrote:
> 
> Hi Jan,
> 
> On Fri, 07 Feb 2025 13:28:18 +0100 Salvatore Bonaccorso <carnil at debian.org> wrote:
>> CVE-2025-23419[0]:
>> | When multiple server blocks are configured to share the same IP
>> | address and port, an attacker can use session resumption to bypass
>> | client certificate authentication requirements on these servers.
>> | This vulnerability arises when TLS Session Tickets
>> | https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
>> | are used and/or the SSL session cache
>> | https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
>> | are used in the default server and the default server is performing
>> | client certificate authentication. Note: Software versions which have
>> | reached End of Technical Support (EoTS) are not evaluated.
> 
>> [2] https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
> 
> I tried to backport this patch to bullseye. It changes the logic in the same way in two places, but one of them does not exist in the version bullseye ships. I ended up dropping that part of the patch:
> 
> https://salsa.debian.org/lts-team/packages/nginx/-/commit/69bacbb70605c40a2f6fbef74eb7c0f248c1c650
> 
> Could you please have a look if this change still makes sense? I have no way to test it properly.
> 
> Thanks!
> 
> -- 
> Cheers,
>  Andrej
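For reference, the configuration shape the CVE description quoted above refers to, written out as an added illustration that is not part of this thread or of the Debian package: two server blocks sharing one listen socket, where only the default server requires a client certificate and session resumption is enabled. Host names and file paths are placeholders; the closing comment describes the conservative workaround of disabling resumption, which is my suggestion, not something stated in the thread.

```nginx
# Added example, not from the thread. Affected pattern: both servers share
# port 443, the default server enforces client certificate authentication,
# and session resumption (cache and/or tickets) is enabled. Per the CVE text,
# a session established against the second server can be resumed against the
# default server without presenting a client certificate.
server {
    listen 443 ssl default_server;
    server_name admin.example.invalid;           # placeholder

    ssl_certificate        /etc/nginx/admin.crt;     # placeholder paths
    ssl_certificate_key    /etc/nginx/admin.key;
    ssl_client_certificate /etc/nginx/client-ca.crt;
    ssl_verify_client      on;                   # client cert required here

    ssl_session_cache      shared:SSL:10m;       # resumption via cache
    ssl_session_tickets    on;                   # resumption via tickets (default)
}

server {
    listen 443 ssl;                              # same IP:port, not default
    server_name public.example.invalid;          # placeholder

    ssl_certificate        /etc/nginx/public.crt;
    ssl_certificate_key    /etc/nginx/public.key;
    # no ssl_verify_client: anyone can complete a handshake here
}

# Workaround until the patched package is installed (assumption: disabling
# resumption removes the resumption-based bypass; it costs a full handshake
# per connection). Set in every server block on the shared listen socket:
#
#     ssl_session_cache   off;
#     ssl_session_tickets off;
```

Auditing for this pattern means listing all `server` blocks that share a `listen` address and checking whether their `ssl_verify_client` settings differ while resumption is left on.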
