Hi Jan,
On Fri, 07 Feb 2025 13:28:18 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
CVE-2025-23419[0]:
| When multiple server blocks are configured to share the same IP
| address and port, an attacker can use session resumption to bypass
| client certificate authentication requirements on these servers.
| This vulnerability arises when TLS Session Tickets
| https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
| are used and/or the SSL session cache
| https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
| are used in the default server and the default server is performing
| client certificate authentication. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.
[2] https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
I tried to backport this patch to bullseye. It changes the logic in the
same way in two places, but one of them does not exist in the version
bullseye ships. I ended up dropping that part of the patch:
https://salsa.debian.org/lts-team/packages/nginx/-/commit/69bacbb70605c40a2f6fbef74eb7c0f248c1c650
Could you please have a look at whether this change still makes sense? I
have no way to test it properly.
Thanks!
--
Cheers,
Andrej
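The preconditions quoted from the CVE description above, as an added configuration example that is not part of this email thread or of nginx's own documentation. All hostnames, certificate paths and the `shared:SSL` cache name are constructed placeholders. The first layout has every condition the description names present at once (two server blocks on one IP/port, the default server doing client certificate authentication, and both the session cache and session tickets enabled on it); the second keeps the same two virtual hosts but turns session resumption off on the default server. Treating that as an interim measure is an assumption drawn from the description's wording, not something the advisory or the patch states, and it does not replace installing the fixed package.

```nginx
# Constructed example, not from the email or from nginx. Paths and names
# are placeholders.

# --- Layout 1: all preconditions from the CVE-2025-23419 text are present ---
http {
    server {
        listen 443 ssl default_server;          # default server on 0.0.0.0:443
        server_name mtls.example.invalid;       # placeholder host name

        ssl_certificate     /etc/ssl/certs/placeholder.crt;   # placeholder
        ssl_certificate_key /etc/ssl/private/placeholder.key; # placeholder

        # The default server performs client certificate authentication.
        ssl_verify_client      on;
        ssl_client_certificate /etc/ssl/certs/placeholder-ca.crt; # placeholder

        # Session resumption is enabled on the default server:
        # a shared session cache plus TLS session tickets (tickets are on
        # by default in nginx, so this line only makes the default visible).
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets on;
    }

    server {
        listen 443 ssl;                         # same IP and port as above
        server_name public.example.invalid;     # placeholder host name

        ssl_certificate     /etc/ssl/certs/placeholder.crt;   # placeholder
        ssl_certificate_key /etc/ssl/private/placeholder.key; # placeholder

        # This virtual host does not require a client certificate.
        ssl_verify_client off;
    }
}

# --- Layout 2: same hosts, session resumption disabled on the default server ---
# Assumed interim measure while a fixed nginx package is not yet installed:
# with neither the session cache nor session tickets in use on the default
# server, the condition the description names ("tickets and/or the SSL
# session cache are used in the default server") no longer holds. The cost
# is a full TLS handshake on every connection to these hosts.
http {
    server {
        listen 443 ssl default_server;
        server_name mtls.example.invalid;       # placeholder host name

        ssl_certificate     /etc/ssl/certs/placeholder.crt;   # placeholder
        ssl_certificate_key /etc/ssl/private/placeholder.key; # placeholder

        ssl_verify_client      on;
        ssl_client_certificate /etc/ssl/certs/placeholder-ca.crt; # placeholder

        ssl_session_cache   off;                # no server-side session cache
        ssl_session_tickets off;                # no TLS session tickets
    }

    server {
        listen 443 ssl;
        server_name public.example.invalid;     # placeholder host name

        ssl_certificate     /etc/ssl/certs/placeholder.crt;   # placeholder
        ssl_certificate_key /etc/ssl/private/placeholder.key; # placeholder

        ssl_verify_client off;
    }
}
```

When reviewing a bullseye host for this issue, the three things to look for together are a `listen ... ssl default_server` block, `ssl_verify_client` set to anything other than `off` in that block, and either `ssl_session_cache` not set to `off`/`none` or `ssl_session_tickets` left at its default of `on`; `nginx -T` dumps the effective configuration, including included files, so those directives can be read in one place. Layout 2 is only a stopgap; the patched package remains the fix.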