Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 43: nginx-mod-modsecurity Critical Memory Disclosure CVE-2025-53859

fedora
Calendar Grey January 3, 2026
Dist Fedora Esm H88
A critical security advisory for Fedora 43 regarding nginx-mod-modsecurity memory disclosure vulnerability.
Changes with nginx 1.28.1 23 Dec 2025 *) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might ...

Summary

The ModSecurity-nginx connector is the connection point between nginx and

libmodsecurity (ModSecurity v3). Said another way, this project provides a

communication channel between nginx and libmodsecurity. This connector is

required to use LibModSecurity with nginx.

The ModSecurity-nginx connector takes the form of an nginx module. The module

simply serves as a layer of communication between nginx and ModSecurity

Update Information:

Changes with nginx 1.28.1 23 Dec 2025 *) Security: processing of a specially crafted login/password when using the "none" authentication method in the ngx_mail_smtp_module might cause worker process memory disclosure to the authentication server (CVE-2025-53859). *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive and "proxy_pass" with a URI were used. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: an XCLIENT command didn't use the xtext encoding. Thanks to Igor Morgenstern of Aisle Research. *) Bugfix: in SSL certificate caching during reconfiguration. *) Bugfix: in delta-seconds processing in the "Cache-Control" backend response header line. *) Change: the native nginx/Windows binary release is now ...

Topics%20covered

Topics Covered

security advisory fedora authentication nginx memory disclosure ModSecurity

Change Log

* Fri Dec 26 2025 Felix Kaechele - 1.0.4-5 - Rebuild for 1.28.1 * Fri Sep 5 2025 Mikel Olasagasti Uranga - 1.0.4-4 - Use pcre2-devel

References

Fedora Update Notification FEDORA-2025-8aa169ea14 2026-01-03 00:41:36.670931+00:00 Name : nginx-mod-modsecurity Product : Fedora 43 Version : 1.0.4 Release : 5.fc43 URL : https://github.com/owasp-modsecurity/ModSecurity-nginx Summary : ModSecurity v3 nginx connector Description : The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx. The ModSecurity-nginx connector takes the form of an nginx module. The module simply serves as a layer of communication between nginx and ModSecurity

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-8aa169ea14' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: nginx-mod-modsecurity
Product: Fedora 43
Version: 1.0.4
Release: 5.fc43
URL: https://github.com/owasp-modsecurity/ModSecurity-nginx
Summary: ModSecurity v3 nginx connector

Topics%20covered

Topics Covered

security advisory fedora authentication nginx memory disclosure ModSecurity

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here