Fedora 40: FEDORA-2025-016ed44ddc critical: nginx SSL session bypass

February 15, 2025
The nginx update for Fedora 40 fixes a flaw in SSL session reuse: an insufficient check in virtual server handling with TLSv1.3 SNI allowed a session to be reused in a different virtual server, bypassing client SSL certificate verification.

Summary

Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage.

Update Information:

Changes with nginx 1.26.3 05 Feb 2025
*) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419).
*) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars.
*) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
*) Bugfix: nginx now ignores QUIC version negotiation packets from clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
*) Bugfixes in HTTP/3.

Change Log

* Thu Feb 6 2025 Felix Kaechele - 2:1.26.3-1
- update to 1.26.3
- fixes SSL session reuse vulnerability (CVE-2025-23419)
- drop zlib-ng patch, the issue was addressed upstream
* Wed Feb 5 2025 Luboš Uhliarik - 2:1.26.2-6
- Use systemd-sysusers
* Mon Feb 3 2025 Joe Orton - 2:1.26.2-5
- Add systemd instantiated service nginx@.service, allowing e.g. "systemctl start nginx@foobar.service" to start an instance of nginx using /etc/nginx/foobar.conf as the configuration.
* Sat Feb 1 2025 Björn Esser - 2:1.26.2-4
- Add explicit BR: libxcrypt-devel
* Sat Feb 1 2025 Felix Kaechele - 2:1.26.2-3
- Add zlib-ng patch to fix rhbz#2343318
* Fri Jan 17 2025 Fedora Release Engineering - 2:1.26.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild

References


[ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user https://bugzilla.redhat.com/show_bug.cgi?id=2277663 [ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2344197

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-016ed44ddc' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
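To confirm that a host actually carries the fixed build, the following added script (not part of the Fedora advisory or of nginx) compares an installed nginx epoch:version-release string against the fixed build 2:1.26.3-1.fc40 from this advisory, using rpm's segment-wise version ordering. It assumes the installed string is what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' nginx` prints.

```python
import re

# Fixed nginx build from this advisory (epoch:version-release), taken from the page's package metadata.
FIXED_NEVR = "2:1.26.3-1.fc40"
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpm compares digit runs, alpha runs and '~' markers


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does; returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):  # '~' (pre-release marker) sorts below everything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:  # a numeric segment beats an alphabetic one
            return 1 if xd else -1
        if xd:  # numeric: drop leading zeros, longer run wins, then lexical order
            x, y = x.lstrip("0"), y.lstrip("0")
            x, y = (len(x), x), (len(y), y)
        if x != y:
            return 1 if x > y else -1
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if not rest:
        return 0
    if rest[0] == "~":  # trailing pre-release marker loses: 1.0~rc1 < 1.0
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nevr(s: str):
    """Split 'epoch:version-release' into (epoch, version, release); a missing epoch is 0."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    elif epoch == "(none)":  # what `rpm -q --qf '%{EPOCH}...'` prints for an unset epoch
        epoch = "0"
    version, _, release = rest.rpartition("-")
    return int(epoch), version, release


def is_patched(installed_nevr: str, fixed_nevr: str = FIXED_NEVR) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    ei, vi, ri = parse_nevr(installed_nevr)
    ef, vf, rf = parse_nevr(fixed_nevr)
    if ei != ef:
        return ei > ef
    return (rpmvercmp(vi, vf) or rpmvercmp(ri, rf)) >= 0
```

The comparison handles rpm's `~` pre-release marker but not the newer `^` post-release marker, which Fedora's nginx package does not use.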

Severity: critical

Name: nginx
Product: Fedora 40
Version: 1.26.3
Release: 1.fc40
Summary: A high performance web server and reverse proxy server
