Your message dated Sat, 13 Jun 2026 19:51:58 -0400
with message-id <[email protected]>
and subject line
has caused the Debian Bug report #1138593,
regarding trixie-pu: package nginx-snippets/1.3~deb13u1
to be marked as done.
--
1138593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138593
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:nginx-snippets
User: [email protected]
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
Courtesy of a report to [email protected], a report was filed about
nginx-snippets in Trixie not including the post-quantum resilient
ECDH curve of X25519MLKEM768 in the enabled/supported curves by the
snippets.
This isn't really a 'security' issue as post-quantum is not yet required
by any standard, though it can introduce a security 'regression' of a
non-security bug nature if your company's policies require post-quantum.
This issue was filed as https://bugs.debian.org/1138590 by me as there
was no tracking bug to track this for a change log entry.
This is a direct backport from Testing/Unstable to Trixie with no other
changes.
[ Impact ]
Users who wish to enable post-quantum resilient curves run into the
snippets provided by nginx-snippets removing PQ curves.
While not directly a 'security' issue as currently defined by the
industry, it poses a concern if someone needs PQ resilience.
[ Tests ]
Manual tests running the newer snippets from version 1.3 in Unstable
confirm that the curve is supported in Trixie but not default-enabled
when using nginx-snippets.
[ Risks ]
If someone using Trixie wants to use DHE ciphers for TLS 1.2 and such,
those are no longer available.
Version 1.3 of nginx-snippets uses an April 2026-era updated set of
TLS Guidance from Mozilla. DHE ciphers (but not ECDHE and PQ ciphers)
were removed from the 'Intermediate' cipher sets.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable
[ Changes ]
No change 'backport' of the 1.3 package to trixie proposed updates.
[ Other info ]
The Security Team is aware that this request came through, however it is
really not a 'security' grade bug in the package maintainer's current
assessment of the issue.
Maintainer of this package is a CISSP-certified cyber security expert.
Note that PQ resilience, while recommended by TLS guidelines from
Mozilla and others, is not yet mandatory in any known standards as of
May 31, 2026 (except requirements in CNSA 2.0 that take effect by 2029).
Debdiff will be uploaded independently of this submission due to the
reportbug tool in Unstable being run in a VM separate from where the
packaging of nginx-snippets is held.
--- End Message ---
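As an added illustration (not code from the package, its maintainer, or Debian), this Python check reads nginx configuration text and reports an explicit `ssl_ecdh_curve` list that omits X25519MLKEM768, plus any finite-field DHE ciphers the configuration still names. The two sample configurations are constructed for the example and are not the contents of the nginx-snippets files; `directives` and `audit` are hypothetical helper names.

```python
import re

PQ_GROUP = "X25519MLKEM768"  # hybrid group named in the report above

# Constructed samples, NOT the contents of any nginx-snippets file.
SAMPLE_OLD = """
# constructed: explicit curve list without the PQ group, DHE still listed
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
"""
SAMPLE_NEW = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
"""

def directives(conf, name):
    """Return the argument list of every `name ...;` directive.
    Simplified parser: strips # comments, ignores quoting and includes."""
    body = re.sub(r"#[^\n]*", "", conf)
    found = []
    for stmt in re.split(r"[;{}]", body):
        words = stmt.split()
        if words and words[0] == name:
            found.append(words[1:])
    return found

def audit(conf):
    """Return a list of findings for one configuration text."""
    findings = []
    for args in directives(conf, "ssl_ecdh_curve"):
        groups = args[0].split(":") if args else []
        # "auto" defers to the TLS library's built-in list, so nothing is pinned
        if groups != ["auto"] and PQ_GROUP not in groups:
            findings.append("ssl_ecdh_curve pins a list without %s: %s"
                            % (PQ_GROUP, ":".join(groups)))
    for args in directives(conf, "ssl_ciphers"):
        names = "".join(args).strip("'\"").split(":")
        dhe = [c for c in names if c.startswith("DHE-")]  # ECDHE-* does not match
        if dhe:
            findings.append("DHE ciphers named (dropped from the 1.3 "
                            "'Intermediate' set per the report): " + ", ".join(dhe))
    return findings

if __name__ == "__main__":
    for label, conf in (("old-style", SAMPLE_OLD), ("new-style", SAMPLE_NEW)):
        print(label, audit(conf) or "ok")
```

An explicit list is what matters here: a server whose TLS library supports the group will still not offer it when the included snippet pins a curve list that leaves it out.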
--- Begin Message ---
We'll go the backports route for this.
Thomas
--- End Message ---