----- Forwarded message from F5SIRT via nginx-announce <nginx-annou...@nginx.org> -----
To: "nginx-annou...@nginx.org" <nginx-annou...@nginx.org>
Date: Wed, 5 Feb 2025 17:23:12 +0000
Subject: [nginx-announce] nginx security advisory (CVE-2025-23419)
From: F5SIRT via nginx-announce <nginx-annou...@nginx.org>
Reply-To: F5SIRT <f5s...@f5.com>

A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based virtual hosts
in unrelated contexts, allowing to bypass client certificate
authentication in some configurations (CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

_______________________________________________
nginx-announce mailing list
nginx-annou...@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-announce

----- End forwarded message -----
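
Added example, not part of the forwarded advisory and not nginx or F5 code: a triage check that applies the advisory's conditions (version range, TLSv1.3, session resumption, client certificate authentication) to an `nginx -v` banner and a configuration file. The function names, the sample configuration and the conservative handling of a missing ssl_protocols line are assumptions of this example; it does not check whether the build uses OpenSSL, and it scans the configuration flat without block scoping.

```python
import re

# Version bounds as stated in the advisory.
FIRST_AFFECTED = (1, 11, 4)
FIXED_STABLE = (1, 26, 3)
FIXED_MAINLINE = (1, 27, 4)

def version_affected(banner):
    """True if the version in an `nginx -v` banner is in the affected range."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version found in banner")
    v = tuple(int(x) for x in m.groups())
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # Within the 1.26 branch, 1.26.3 and later carry the fix.
    return not (v[:2] == FIXED_STABLE[:2] and v >= FIXED_STABLE)

def directive_args(conf, name):
    """Argument lists of every occurrence of a directive (flat scan)."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments
    pattern = r"(?<!\w)" + re.escape(name) + r"\s+([^;{}]+);"
    return [m.group(1).split() for m in re.finditer(pattern, text)]

def config_matches_advisory(conf):
    """True if TLSv1.3, session resumption and client cert auth are all in use."""
    protocols = directive_args(conf, "ssl_protocols")
    # Assumption: without an explicit ssl_protocols, treat TLSv1.3 as possibly on.
    tls13 = not protocols or any("TLSv1.3" in p for p in protocols)
    tickets = directive_args(conf, "ssl_session_tickets")
    tickets_on = not tickets or any(t == ["on"] for t in tickets)  # default: on
    caches = directive_args(conf, "ssl_session_cache")
    cache_on = any(c[0] not in ("off", "none") for c in caches)
    client_auth = any(a != ["off"] for a in directive_args(conf, "ssl_verify_client"))
    return tls13 and (tickets_on or cache_on) and client_auth

def needs_upgrade(banner, conf):
    """Affected version running a configuration the advisory describes."""
    return version_affected(banner) and config_matches_advisory(conf)

# Constructed sample configuration; hostnames and paths are placeholders.
SAMPLE_CONF = """
server { listen 443 ssl; server_name a.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;   # resumption via the session cache
    ssl_verify_client on; ssl_client_certificate /etc/nginx/ca-a.pem; }
server { listen 443 ssl; server_name b.example.test; }
"""

if __name__ == "__main__":
    print(needs_upgrade("nginx version: nginx/1.26.2", SAMPLE_CONF))
```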