Source: nginx
Version: 1.26.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.22.1-9
Hi,

The following vulnerability was published for nginx.

CVE-2025-23419[0]:
| When multiple server blocks are configured to share the same IP
| address and port, an attacker can use session resumption to bypass
| client certificate authentication requirements on these servers.
| This vulnerability arises when TLS Session Tickets
| https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
| are used and/or the SSL session cache
| https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
| are used in the default server and the default server is performing
| client certificate authentication. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23419
    https://www.cve.org/CVERecord?id=CVE-2025-23419
[1] https://www.openwall.com/lists/oss-security/2025/02/05/8
[2] https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e

Regards,
Salvatore
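Editor's added example, not part of the bug report above and not nginx's own code: an nginx configuration showing the pre-condition the CVE text describes (a default server doing client certificate authentication while keeping a session cache and issuing session tickets, with a second server block on the same address and port) next to the configuration-level workaround of removing that pre-condition. The hostnames, certificate paths and cache zone names are placeholders.

```nginx
# Added example for CVE-2025-23419 (not from the bug report or from nginx).
# Hostnames, certificate paths and cache zone names are placeholders.

server {
    listen 443 ssl default_server;
    server_name mtls.example.com;                          # placeholder
    ssl_certificate        /etc/ssl/example/mtls.crt;      # placeholder
    ssl_certificate_key    /etc/ssl/example/mtls.key;      # placeholder
    ssl_client_certificate /etc/ssl/example/client-ca.crt; # placeholder
    ssl_verify_client on;

    # Vulnerable pre-condition as described in the CVE text: the default
    # server performs client certificate authentication AND keeps a session
    # cache and/or issues session tickets, so an attacker can use session
    # resumption instead of a full handshake with client certificate
    # verification:
    #
    #   ssl_session_cache   shared:SSL:10m;
    #   ssl_session_tickets on;
    #
    # Workaround until a build carrying the upstream fix [2] is deployed:
    # disable both forms of session resumption on this server. "off" makes
    # nginx tell clients that sessions may not be reused.
    ssl_session_cache   off;
    ssl_session_tickets off;
}

server {
    listen 443 ssl;
    server_name public.example.com;                        # placeholder, no client auth
    ssl_certificate     /etc/ssl/example/public.crt;       # placeholder
    ssl_certificate_key /etc/ssl/example/public.key;       # placeholder

    # Resumption is acceptable on a server without client authentication.
    # As defence in depth, give it its own cache zone name rather than reusing
    # one shared with a server that verifies client certificates.
    ssl_session_cache   shared:SSL_public:10m;
    ssl_session_tickets on;
}
```

Run `nginx -t` after the change. The workaround trades resumption (every connection to the client-auth server does a full handshake) for removing the condition the advisory names; the actual fix is the upstream commit referenced as [2], so upgrade to a package that carries it and treat the directive change as interim hardening, not a substitute.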