[Pkg-nginx-maintainers] Bug#1111138: nginx: CVE-2025-53859
Salvatore Bonaccorso
carnil at debian.org
Fri Aug 15 04:59:37 BST 2025
Source: nginx
Version: 1.26.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for nginx.
CVE-2025-53859[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_mail_smtp_module that might allow an unauthenticated attacker to
| over-read NGINX SMTP authentication process memory; as a result, the
| server side may leak arbitrary bytes sent in a request to the
| authentication server. This issue happens during the NGINX SMTP
| authentication process and requires the attacker to make
| preparations against the target system to extract the leaked data.
| The issue affects NGINX only if (1) it is built with the
| ngx_mail_smtp_module, (2) the smtp_auth directive is configured with
| method "none," and (3) the authentication server returns the "Auth-
| Wait" response header. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53859
https://www.cve.org/CVERecord?id=CVE-2025-53859
[1] https://www.openwall.com/lists/oss-security/2025/08/13/5
[2] https://nginx.org/download/patch.2025.smtp.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-nginx-maintainers
mailing list