[Pkg-nginx-maintainers] Bug#1095403: ngix: CVE-2025-23419
Andrej Shadura
andrewsh at debian.org
Tue Feb 18 08:25:28 GMT 2025
Hello,
On Tue, 18 Feb 2025, at 09:14, Jan Mojzis wrote:
> I have independently tested a patch for bookworm nginx (1.22.1-9 version),
> and I got the same result.
Thank you!
Are you planning to upload a fix for bookworm? Or should I file the p-u request?
> And if I understand correctly, support for 'stream virtual servers' was
> added in this commit
> https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
> So I assume that the 'ngx_stream_ssl_module' code is not vulnerable
> before this change.
Or it was *more* vulnerable before that code was added as there was no verification at all, and the patch doesn’t change that? That’s what I’m struggling to understand. At least I see we’re not making things worse, right? :)
--
Cheers,
Andrej
More information about the Pkg-nginx-maintainers
mailing list