[Pkg-nginx-maintainers] Bug#1095403: ngix: CVE-2025-23419

Jan Mojzis jan.mojzis at gmail.com
Wed Feb 19 11:07:07 GMT 2025


Hi,

> On 18. 2. 2025, at 9:25, Andrej Shadura <andrewsh at debian.org> wrote:
> 
> Hello,
> 
> On Tue, 18 Feb 2025, at 09:14, Jan Mojzis wrote:
>> I have independently tested a patch for bookworm nginx (1.22.1-9 version),
>> and I got the same result.
> 
> Thank you!
> Are you planning to upload a fix for bookworm? Or should I file the p-u request?

Yes,
I will upload it to bookworm.

> 
>> And if I understand correctly, support for 'stream virtual servers' was 
>> added in this commit 
>> https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
>> So I assume that the 'ngx_stream_ssl_module' code is not vulnerable 
>> before this change.
> 
> Or it was *more* vulnerable before that code was added as there was no verification at all, and the patch doesn’t change that? That’s what I’m struggling to understand. At least I see we’re not making things worse, right? :)

Exactly.
> 
> 

Jan


