Hi,

> On 18. 2. 2025, at 9:25, Andrej Shadura <andre...@debian.org> wrote:
>
> Hello,
>
> On Tue, 18 Feb 2025, at 09:14, Jan Mojzis wrote:
>> I have independently tested a patch for bookworm nginx (1.22.1-9 version),
>> and I got the same result.
>
> Thank you!
> Are you planning to upload a fix for bookworm? Or should I file the p-u
> request?

Yes, I will upload it to bookworm.

>
>> And if I understand correctly, support for 'stream virtual servers' was
>> added in this commit
>> https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
>> So I assume that the 'ngx_stream_ssl_module' code is not vulnerable
>> before this change.
>
> Or it was *more* vulnerable before that code was added as there was no
> verification at all, and the patch doesn’t change that? That’s what I’m
> struggling to understand. At least I see we’re not making things worse,
> right? :)

Exactly.

>
>

Jan