Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <e1tto4s-005kl4...@coccia.debian.org>
and subject line Close 1098353
has caused the Debian Bug report #1098353,
regarding bookworm-pu: package nginx/1.22.1-9+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098353: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098353
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ng...@packages.debian.org
Control: affects -1 + src:nginx


This is a backport of the CVE-2025-23419 fix
from the latest NGINX version 1.26.3, which is uploaded to unstable.

CVE-2025-23419
Description origin:
https://www.openwall.com/lists/oss-security/2025/02/05/8

[ Reason ]
The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

[ Impact ]
A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based
virtual hosts in unrelated contexts, allowing client
certificate authentication to be bypassed in some configurations (CVE-2025-23419).

[ Tests ]
Nginx with the CVE-2025-23419 patch passed all automated tests that are in the
package.
I also tested that the patch does not break NGINX functionality for the
sample config example from
https://github.com/nginx/nginx/commit/b720f650bb72118481884657fb6a9bcb1b0f3b11:
~~~
  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }
~~~

[ Risks ]
CVE-2025-23419 is marked with score 'CVSS v4.0 Score: 5.3 / Medium'
and can be easily mitigated by configuration.
Therefore fixing it in proposed-updates is adequate.

[ Notes ]
The patch in unstable had two parts: one fixed the problem in the
`http/ngx_http_request` module
and the second fixed the problem in the `stream/ngx_stream_ssl_module` module.
For bookworm/bullseye the fix for `stream/ngx_stream_ssl_module` can't be
applied because
the 'stream virtual servers' functionality was added later, in this commit:
https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
Therefore only the `http/ngx_http_request` part was backported from unstable.

The fix is identical to the one for the bullseye release,
which was independently prepared by Andrej Shadura here:
https://salsa.debian.org/lts-team/packages/nginx/-/commit/69bacbb70605c40a2f6fbef74eb7c0f248c1c650

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added d/p/CVE-2025-23419.patch, backported from unstable and listed below in the
debdiff.

diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog       2023-03-14 16:19:32.000000000 +0100
+++ nginx-1.22.1/debian/changelog       2025-02-17 20:40:29.000000000 +0100
@@ -1,3 +1,9 @@
+nginx (1.22.1-9+deb12u1) bookworm; urgency=medium
+
+  * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
+
+ -- Jan Mojžíš <janmoj...@debian.org>  Mon, 17 Feb 2025 20:40:29 +0100
+
 nginx (1.22.1-9) unstable; urgency=medium

   * d/control: nginx-common Breaks+Replaces: nginx (<< 1.22.1-8)
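Review bot: the changelog entry `* d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.` only names the CVE; a one-line summary of the issue (TLSv1.3 cross-SNI session resumption bypassing client certificate verification) and a note that only the http part of the upstream fix is included, since the stream part does not apply to 1.22.1 as explained under [ Notes ], would make the entry self-explanatory to readers of the stable changelog.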
diff -Nru nginx-1.22.1/debian/patches/CVE-2025-23419.patch 
nginx-1.22.1/debian/patches/CVE-2025-23419.patch
--- nginx-1.22.1/debian/patches/CVE-2025-23419.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.22.1/debian/patches/CVE-2025-23419.patch    2025-02-17 
20:40:29.000000000 +0100
@@ -0,0 +1,70 @@
+From: =?utf-8?b?SmFuIE1vasW+w63FoQ==?= <jan.moj...@gmail.com>
+Date: Mon, 17 Feb 2025 20:39:22 +0100
+Subject: CVE-2025-23419
+Origin: 
https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
+
+SNI: added restriction for TLSv1.3 cross-SNI session resumption.
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f65 insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f65, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index a999ff5..4708719 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int 
*ad, void *arg)
+         goto done;
+     }
+
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   
\
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
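Review bot: the new check is keyed on `sscf->verify` of the server block selected for the resumed SNI name (`sscf` is now taken from `cscf->ctx` before the check), so a server with client certificate verification switched off still accepts a resumption under a different name; that is the scope of the upstream fix, but a sentence in the patch header saying so would save backport reviewers reading the whole function. Also note that the entire block is compiled out under LibreSSL and BoringSSL (`#if (defined TLS1_3_VERSION ... && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)`), so the fix only protects the OpenSSL build this package uses, which matches the "built with OpenSSL" wording under [ Reason ] and could be stated in [ Notes ].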
+@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, 
void *arg)
+
+     ngx_set_connection_log(c, clcf->error_log);
+
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+
+     if (sscf->ssl.ctx) {
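Review bot: this hunk drops the old `sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);` lookup, which the earlier hunk replaces with a lookup from `cscf->ctx` placed before the new check; for the backport it is worth confirming that in 1.22.1 `hc->conf_ctx` is assigned `cscf->ctx` between those two points exactly as upstream, so that `c->ssl->buffer_size = sscf->buffer_size;` and the `sscf->ssl.ctx` context switch below still read the selected server's configuration rather than the default server's.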
diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series
--- nginx-1.22.1/debian/patches/series  2023-03-14 16:19:32.000000000 +0100
+++ nginx-1.22.1/debian/patches/series  2025-02-17 20:40:29.000000000 +0100
@@ -3,3 +3,4 @@
 nginx-ssl_cert_cb_yield.patch
 bug-1024605.patch
 bug-973861.patch
+CVE-2025-23419.patch

--- End Message ---
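An added example, not from the bug report or the nginx project: the three-server layout from the [ Tests ] section together with the configuration-level mitigation that [ Risks ] refers to, i.e. session resumption switched off through both directives named under [ Reason ], set at the http level so it also covers the default server where TLSv1.3 resumption is handled before the SNI callback runs. Port 443 and the certificate and key file names are assumed.

```nginx
http {
    # Mitigation for unpatched builds (assumed acceptable trade-off: every
    # TLS handshake becomes a full handshake). Placed at http level so it
    # also applies to the default server, which is where OpenSSL resumes
    # TLSv1.3 sessions before nginx's SNI callback picks a virtual host.
    ssl_session_cache   off;
    ssl_session_tickets off;

    # Alternative to the two lines above: remove TLSv1.3, since the
    # cross-SNI resumption issue is specific to TLSv1.3 resumption.
    # ssl_protocols TLSv1.2;

    server {
        listen 443 ssl default;
        ssl_certificate     default.crt;   # assumed file names
        ssl_certificate_key default.key;
        return 404;
    }

    server {
        listen 443 ssl;
        server_name example.org;
        ssl_certificate     org.crt;
        ssl_certificate_key org.key;

        ssl_client_certificate org.cert;
        ssl_verify_client on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     com.crt;
        ssl_certificate_key com.key;

        ssl_client_certificate com.cert;
        ssl_verify_client on;
    }
}
```

This only removes the precondition the bypass needs (a resumable session); installing the patched package remains the actual fix.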
--- Begin Message ---
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
