Your message dated Fri, 7 Feb 2025 13:43:54 +0100
with message-id <[email protected]>
and subject line Re: Bug#1095403: [Pkg-nginx-maintainers] Bug#1095403: nginx: CVE-2025-23419
has caused the Debian Bug report #1095403,
regarding nginx: CVE-2025-23419
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1095403: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095403
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.26.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.22.1-9

Hi,

The following vulnerability was published for nginx.

CVE-2025-23419[0]:
| When multiple server blocks are configured to share the same IP
| address and port, an attacker can use session resumption to bypass
| client certificate authentication requirements on these servers.
| This vulnerability arises when TLS Session Tickets
| (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key)
| are used and/or the SSL session cache
| (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache)
| is used in the default server and the default server is performing
| client certificate authentication. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23419
    https://www.cve.org/CVERecord?id=CVE-2025-23419
[1] https://www.openwall.com/lists/oss-security/2025/02/05/8
[2] https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e

Regards,
Salvatore

--- End Message ---
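The CVE text above names a concrete precondition: several server blocks on one IP:port, with the default server both requiring client certificates and keeping TLS resumption state (session cache and/or session tickets). The configuration below is an added illustration of that layout and is not part of the bug report, the Debian package, or nginx upstream; hostnames, certificate paths and cache sizes are placeholders. The advisory does not say in which direction a resumed session is carried between the blocks, so the example shows only the layout the text describes, not an attack. The "interim" block at the end is the editor's inference from the advisory wording (remove the stated precondition until a fixed build is deployed), not a vendor-published mitigation.

```nginx
# Added illustration only: not from the bug report, the Debian package,
# or nginx upstream. Hostnames, certificate paths and cache sizes are
# placeholders.

# --- Layout in which the CVE text says the issue arises ------------------
# Two server blocks share one IP:port. The default server requires client
# certificates and also keeps TLS resumption state, which is exactly the
# precondition named in the advisory.

server {
    listen 443 ssl default_server;
    server_name mtls.example.com;                         # placeholder

    ssl_certificate        /etc/ssl/certs/mtls.pem;       # placeholder
    ssl_certificate_key    /etc/ssl/private/mtls.key;     # placeholder

    # Client certificate authentication on the default server.
    ssl_client_certificate /etc/ssl/certs/client-ca.pem;  # placeholder
    ssl_verify_client      on;

    # Resumption state on the default server. Both directives are the ones
    # the CVE description points at (ssl_session_cache, ssl_session_tickets).
    ssl_session_cache      shared:SSL:10m;
    ssl_session_tickets    on;
}

server {
    listen 443 ssl;                                       # same IP:port, not default
    server_name www.example.com;                          # placeholder

    ssl_certificate        /etc/ssl/certs/www.pem;        # placeholder
    ssl_certificate_key    /etc/ssl/private/www.key;      # placeholder

    # No ssl_verify_client here.
}

# --- Interim hardening for a host not yet on a fixed build ---------------
# Editor's inference from the advisory wording, not a vendor mitigation:
# with no session cache and no tickets on the default server, the stated
# precondition no longer holds. The real fix is upstream commit [2]
# (Debian 1.26.3-2 per this thread). Cost: every new connection to this
# block pays a full TLS handshake.
#
# This block REPLACES the default_server block above; nginx accepts only
# one default_server per listen socket, so do not load both at once.

server {
    listen 443 ssl default_server;
    server_name mtls.example.com;                         # placeholder

    ssl_certificate        /etc/ssl/certs/mtls.pem;       # placeholder
    ssl_certificate_key    /etc/ssl/private/mtls.key;     # placeholder

    ssl_client_certificate /etc/ssl/certs/client-ca.pem;  # placeholder
    ssl_verify_client      on;

    ssl_session_cache      off;
    ssl_session_tickets    off;
}
```

Before relying on the interim block, confirm the running version with `nginx -v` and, on Debian, compare the installed package against the fixed upload named in this thread (`apt-cache policy nginx`); validate any edited configuration with `nginx -t` before reloading. Once a fixed build is installed the resumption directives can go back to their normal values.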
--- Begin Message ---
Source: nginx
Source-Version: 1.26.3-1

Hi Jérémy

On Fri, Feb 07, 2025 at 01:35:22PM +0100, Jérémy Lal wrote:
> Le ven. 7 févr. 2025 à 13:30, Salvatore Bonaccorso <[email protected]> a
> écrit :
> 
> > Source: nginx
> > Version: 1.26.0-3
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team <
> > [email protected]>
> > Control: found -1 1.22.1-9
> >
> > Hi,
> >
> > The following vulnerability was published for nginx.
> >
> > CVE-2025-23419[0]:
> > [2]
> > https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
> 
> 
> Fixed in 1.26.3-2 which I uploaded to unstable minutes ago :(
> I don't know what to do in this case.

Ah nice race :). Let's close it with the correct metadata.

Regards,
Salvatore

--- End Message ---
