[Pkg-nginx-maintainers] Bug#1098353: bookworm-pu: package nginx/1.22.1-9+deb12u1

Jan Mojzis jan.mojzis at gmail.com
Wed Feb 19 07:54:12 GMT 2025


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: nginx at packages.debian.org
Control: affects -1 + src:nginx


This is a backport of the CVE-2025-23419 fix
from the latest NGINX version 1.26.3, which is uploaded to unstable.

CVE-2025-23419
Description origin:
https://www.openwall.com/lists/oss-security/2025/02/05/8

[ Reason ]
The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

[ Impact ]
A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based
virtual hosts in unrelated contexts, allowing client
certificate authentication to be bypassed in some configurations (CVE-2025-23419).

[ Tests ]
Nginx with the CVE-2025-23419 patch passed all automated tests that are in the package.
I also tested that the patch does not break NGINX functionality for the sample config from
https://github.com/nginx/nginx/commit/b720f650bb72118481884657fb6a9bcb1b0f3b11:
~~~
  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }
~~~

[ Risks ]
CVE-2025-23419 is rated 'CVSS v4.0 Score: 5.3 / Medium'
and can be easily mitigated by configuration.
Therefore fixing it in proposed-updates is adequate.

[ Notes ]
The patch in unstable had 2 parts. One fixed the problem in the `http/ngx_http_request` module
and the second fixed the problem in the `stream/ngx_stream_ssl_module` module.
For bookworm/bullseye the fix for `stream/ngx_stream_ssl_module` can't be applied because
the 'stream virtual servers' functionality was added later, in this commit:
https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
Therefore only the `http/ngx_http_request` part was backported from unstable.

The fix is identical for bullseye release,
which was independently prepared by Andrej Shadura here:
https://salsa.debian.org/lts-team/packages/nginx/-/commit/69bacbb70605c40a2f6fbef74eb7c0f248c1c650

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added d/p/CVE-2025-23419.patch, backported from unstable and listed below in the debdiff.

diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog	2023-03-14 16:19:32.000000000 +0100
+++ nginx-1.22.1/debian/changelog	2025-02-17 20:40:29.000000000 +0100
@@ -1,3 +1,9 @@
+nginx (1.22.1-9+deb12u1) bookworm; urgency=medium
+
+  * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
+
+ -- Jan Mojžíš <janmojzis at debian.org>  Mon, 17 Feb 2025 20:40:29 +0100
+
 nginx (1.22.1-9) unstable; urgency=medium

   * d/control: nginx-common Breaks+Replaces: nginx (<< 1.22.1-8)
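Review bot: the changelog line `+  * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.` reads awkwardly and does not record that only the http part of the upstream fix was taken; suggest something like `* d/p/CVE-2025-23419.patch: backport upstream fix for TLSv1.3 cross-SNI session resumption (CVE-2025-23419); only the http part applies, the stream part needs stream virtual servers.` so the partial backport is visible to the next person reading the changelog without the bug report.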
diff -Nru nginx-1.22.1/debian/patches/CVE-2025-23419.patch nginx-1.22.1/debian/patches/CVE-2025-23419.patch
--- nginx-1.22.1/debian/patches/CVE-2025-23419.patch	1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.22.1/debian/patches/CVE-2025-23419.patch	2025-02-17 20:40:29.000000000 +0100
@@ -0,0 +1,70 @@
+From: =?utf-8?b?SmFuIE1vasW+w63FoQ==?= <jan.mojzis at gmail.com>
+Date: Mon, 17 Feb 2025 20:39:22 +0100
+Subject: CVE-2025-23419
+Origin: https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
+
+SNI: added restriction for TLSv1.3 cross-SNI session resumption.
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f65 insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f65, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index a999ff5..4708719 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+
+     ngx_set_connection_log(c, clcf->error_log);
+
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+
+     if (sscf->ssl.ctx) {
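Review bot: the hunk moves the `sscf` lookup from `ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module)` (removed in the second hunk) to `ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module)` ahead of the new TLSv1.3 check; since `sscf` is still used afterwards for `sscf->buffer_size` and `sscf->ssl.ctx`, the backporter should confirm that in 1.22.1's `ngx_http_ssl_servername` the context `hc->conf_ctx` is taken from `cscf->ctx` between those two points, so the earlier lookup resolves the same server configuration and the later uses are unchanged. Two smaller points on the DEP-3 header: `+Subject: CVE-2025-23419` could carry the upstream subject (`SNI: added restriction for TLSv1.3 cross-SNI session resumption.`) so the patch is self-describing, and a `Bug-Debian:` field would tie it to the Debian tracking bug. The `#if (defined TLS1_3_VERSION && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)` guard is carried over unchanged, which is right: the check depends on `SSL_SESSION_get0_hostname()` and on TLSv1.3 servername behaviour that the comment attributes to OpenSSL 1.1.1+, so the code is compiled out for the other libraries rather than miscompiled.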
diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series
--- nginx-1.22.1/debian/patches/series	2023-03-14 16:19:32.000000000 +0100
+++ nginx-1.22.1/debian/patches/series	2025-02-17 20:40:29.000000000 +0100
@@ -3,3 +3,4 @@
 nginx-ssl_cert_cb_yield.patch
 bug-1024605.patch
 bug-973861.patch
+CVE-2025-23419.patch
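The [ Risks ] section says the issue "can be easily mitigated by configuration", and [ Reason ] gives the precondition: TLSv1.3 plus session resumption via ssl_session_cache or ssl_session_tickets. As an added example that is not part of this report or of the nginx project, here is the sample config from [ Tests ] rewritten so that session resumption is turned off on the client-certificate servers, for hosts that cannot take the patch immediately. Certificate file names follow the sample; port 443 and the resumption directives are my assumptions, and the one "vulnerable shape" server is shown only to contrast the settings.

```nginx
# Added example, not from the report: configuration-based interim
# mitigation for CVE-2025-23419. Per the report's [ Reason ] section the
# issue requires TLSv1.3 and session resumption to be enabled; removing
# resumption removes that precondition. Port 443 is assumed (the sample
# in the report uses 433); certificate names follow the sample.

# --- Vulnerable shape (for contrast only): resumption left enabled ---
# A TLSv1.3 session established against example.org could be resumed and
# then used to request example.com without presenting com.cert.
#
# server {
#     listen 443 ssl;
#     server_name example.org;
#     ssl_session_cache shared:SSL:10m;   # server-side session cache on
#     ssl_session_tickets on;             # stateless tickets on (nginx default)
#     ssl_client_certificate org.cert;
#     ssl_verify_client on;
# }

# --- Mitigated shape: resumption disabled on every server that shares the
# listen socket, including the default server. The patch description notes
# that OpenSSL resumes the session in the default SSL context before the SNI
# callback runs, so leaving resumption on in the default server would defeat
# the setting on the named servers.

server {
    listen 443 ssl default;
    ssl_session_cache off;
    ssl_session_tickets off;
    return 404;
}

server {
    listen 443 ssl;
    server_name example.org;

    ssl_session_cache off;        # no server-side session cache
    ssl_session_tickets off;      # no session tickets

    ssl_client_certificate org.cert;
    ssl_verify_client on;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_session_cache off;
    ssl_session_tickets off;

    ssl_client_certificate com.cert;
    ssl_verify_client on;
}
```

Run `nginx -t` after the change and watch the error log for a few minutes; the cost of the mitigation is a full handshake on every new connection, which is why it is an interim measure until the patched package is installed.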


More information about the Pkg-nginx-maintainers mailing list