Hi, I have independently tested a patch for bookworm nginx (1.22.1-9 version), and I got the same result.
The part of the upstream patch that cannot be applied is related to the module `ngx_stream_ssl_module` and `ngx_stream_ssl_servername` function, which is in older version (bullseye/bookworm) dummy function. And if I understand correctly, support for 'stream virtual servers' was added in this commit https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. So I assume that the 'ngx_stream_ssl_module' code is not vulnerable before this change. But I haven't been able to do a practical test yet. Jan > On 17. 2. 2025, at 12:07, Andrej Shadura <andre...@debian.org> wrote: > > Hi Jan, > > On Fri, 07 Feb 2025 13:28:18 +0100 Salvatore Bonaccorso <car...@debian.org> > wrote: >> CVE-2025-23419[0]: >> | When multiple server blocks are configured to share the same IP >> | address and port, an attacker can use session resumption to bypass >> | client certificate authentication requirements on these servers. >> | This vulnerability arises when TLS Session Tickets https://nginx.or >> | g/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are >> | used and/or the SSL session cache https://nginx.org/en/docs/http/ng >> | x_http_ssl_module.html#ssl_session_cache are used in the default >> | server and the default server is performing client certificate >> | authentication. Note: Software versions which have reached End of >> | Technical Support (EoTS) are not evaluated. > >> [2] >> https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e > > I tried backport this patch to bullseye. It changes the logic in the same way > in two places, but one of them does not exist in the version bullseye ships. > I ended up dropping that part of the patch: > > https://salsa.debian.org/lts-team/packages/nginx/-/commit/69bacbb70605c40a2f6fbef74eb7c0f248c1c650 > > Could you please have a look if this change still makes sense? I have no way > to test it properly. > > Thanks! > > -- > Cheers, > Andrej
