Hello, On Tue, 18 Feb 2025, at 09:14, Jan Mojzis wrote: > I have independently tested a patch for bookworm nginx (1.22.1-9 version), > and I got the same result.
Thank you! Are you planning to upload a fix for bookworm? Or should I file the p-u request? > And if I understand correctly, support for 'stream virtual servers' was > added in this commit > https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. > So I assume that the 'ngx_stream_ssl_module' code is not vulnerable > before this change. Or it was *more* vulnerable before that code was added as there was no verification at all, and the patch doesn’t change that? That’s what I’m struggling to understand. At least I see we’re not making things worse, right? :) -- Cheers, Andrej
