Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 42: nginx-mod-modsecurity Critical Memory Leak Risk CVE-2025-53859

fedora
Calendar Grey January 4, 2026
Dist Fedora Esm H88
Fedora 42 nginx-mod-modsecurity patch addresses memory disclosure risk in authentication. Immediate updates recommended.
Changes with nginx 1.28.1 23 Dec 2025 *) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might ...

Summary

The ModSecurity-nginx connector is the connection point between nginx and

libmodsecurity (ModSecurity v3). Said another way, this project provides a

communication channel between nginx and libmodsecurity. This connector is

required to use LibModSecurity with nginx.

The ModSecurity-nginx connector takes the form of an nginx module. The module

simply serves as a layer of communication between nginx and ModSecurity

Update Information:

Changes with nginx 1.28.1 23 Dec 2025 *) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might cause worker process memory disclosure to the authentication server (CVE-2025-53859). *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive and "proxy_pass" with a URI were used. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: an XCLIENT command didn't use the xtext encoding. Thanks to Igor Morgenstern of Aisle Research. *) Bugfix: in SSL certificate caching during reconfiguration. *) Bugfix: in delta-seconds processing in the "Cache-Control" backend response header line. *) Change: the native nginx/Windows binary release is now ...

Topics%20covered

Topics Covered

security advisory fedora authentication issue memory disclosure cve-2025-53859 nginx-mod-modsecurity

Change Log

* Fri Dec 26 2025 Felix Kaechele - 1.0.4-5 - Rebuild for 1.28.1 * Fri Sep 5 2025 Mikel Olasagasti Uranga - 1.0.4-4 - Use pcre2-devel * Thu Jul 24 2025 Fedora Release Engineering - 1.0.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

References

Fedora Update Notification FEDORA-2025-8caa129b2e 2026-01-04 01:00:12.006176+00:00 Name : nginx-mod-modsecurity Product : Fedora 42 Version : 1.0.4 Release : 5.fc42 URL : https://github.com/owasp-modsecurity/ModSecurity-nginx Summary : ModSecurity v3 nginx connector Description : The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx. The ModSecurity-nginx connector takes the form of an nginx module. The module simply serves as a layer of communication between nginx and ModSecurity

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-8caa129b2e' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: nginx-mod-modsecurity
Product: Fedora 42
Version: 1.0.4
Release: 5.fc42
URL: https://github.com/owasp-modsecurity/ModSecurity-nginx
Summary: ModSecurity v3 nginx connector

Topics%20covered

Topics Covered

security advisory fedora authentication issue memory disclosure cve-2025-53859 nginx-mod-modsecurity

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here