Source: nginx Version: 1.26.3-3 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for nginx. CVE-2025-53859[0]: | NGINX Open Source and NGINX Plus have a vulnerability in the | ngx_mail_smtp_module that might allow an unauthenticated attacker to | over-read NGINX SMTP authentication process memory; as a result, the | server side may leak arbitrary bytes sent in a request to the | authentication server. This issue happens during the NGINX SMTP | authentication process and requires the attacker to make | preparations against the target system to extract the leaked data. | The issue affects NGINX only if (1) it is built with the | ngx_mail_smtp_module, (2) the smtp_auth directive is configured with | method "none," and (3) the authentication server returns the "Auth- | Wait" response header. Note: Software versions which have | reached End of Technical Support (EoTS) are not evaluated. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-53859 https://www.cve.org/CVERecord?id=CVE-2025-53859 [1] https://www.openwall.com/lists/oss-security/2025/08/13/5 [2] https://nginx.org/download/patch.2025.smtp.txt Please adjust the affected versions in the BTS as needed. Regards, Salvatore

