Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
89
security advisoryfedoraFedoraFedora 41: 2025-66ebd291f8 urgent: nginx Denial of Service vulnerability
Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-66ebd291f8 2025-02-15 02:35:33.711202+00:00 -------------------------------------------------------------------------------- Name : nginx-mod-fancyindex Product : Fedora 41 Version : 0.5.2 Release : 10.fc41 URL : https://github.com/aperezdc/ngx-fancyindex Summary : Nginx FancyIndex module Description : The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: * Custom headers. Either local or stored remotely. * Custom footers. Either local or stored remotely. * Add you own CSS style rules. * Allow choosing to sort elements by name (default), modification time, or size; both ascending (default), or descending. -------------------------------------------------------------------------------- Update Information: Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiationpackets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -------------------------------------------------------------------------------- ChangeLog: * Thu Feb 6 2025 Felix Kaechele - 0.5.2-10 - Rebuild for nginx 1.26.3 * Fri Jan 17 2025 Fedora Release Engineering - 0.5.2-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user https://bugzilla.redhat.com/show_bug.cgi?id=2277663 [ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2344198 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Feb 15, 2025
•Critical
Fedora
89
security advisoryfedoracriticalFedora 41: FEDORA-2025-66ebd291f8 Critical: nginx TLS Session Bypass
Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-66ebd291f8 2025-02-15 02:35:33.711202+00:00 -------------------------------------------------------------------------------- Name : nginx-mod-naxsi Product : Fedora 41 Version : 1.6 Release : 9.fc41 URL : https://github.com/wargio/naxsi Summary : nginx web application firewall module Description : naxsi is an nginx module that provides score based Web Application Firewall (WAF) abilities in a highly granular fashion. -------------------------------------------------------------------------------- Update Information: Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -------------------------------------------------------------------------------- ChangeLog: * Thu Feb 6 2025 Felix Kaechele - 1.6-9 - Rebuild for nginx 1.26.3 * Fri Jan 17 2025 Fedora Release Engineering - 1.6-8 - Rebuilt forhttps://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild * Mon Aug 26 2024 Felix Kaechele - 1.6-7 - Rebuild for nginx 1.26.2... again. -------------------------------------------------------------------------------- References: [ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user https://bugzilla.redhat.com/show_bug.cgi?id=2277663 [ 2 ] Bug #2344198 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2344198 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-66ebd291f8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Feb 15, 2025
•Critical
Fedora
89
security advisorysecurity issueFedoraFedora 40: 2025-016ed44ddc moderate: nginx TLS session bypass
Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-016ed44ddc 2025-02-15 02:22:06.812098+00:00 -------------------------------------------------------------------------------- Name : nginx-mod-fancyindex Product : Fedora 40 Version : 0.5.2 Release : 8.fc40 URL : Summary : Nginx FancyIndex module Description : The Fancy Index module makes possible the generation of file listings, like the built-in autoindex module does, but adding a touch of style. This is possible because the module allows a certain degree of customization of the generated content: * Custom headers. Either local or stored remotely. * Custom footers. Either local or stored remotely. * Add you own CSS style rules. * Allow choosing to sort elements by name (default), modification time, or size; both ascending (default), or descending. -------------------------------------------------------------------------------- Update Information: Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginxcould not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -------------------------------------------------------------------------------- ChangeLog: * Thu Feb 6 2025 Felix Kaechele - 0.5.2-8 - Rebuild for nginx 1.26.3 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user https://bugzilla.redhat.com/show_bug.cgi?id=2277663 [ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2344197 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-016ed44ddc' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Feb 15, 2025
Fedora
89
security advisorysecurity issueFedoraFedora 40: FEDORA-2025-016ed44ddc critical: nginx mod-vts TLS resumption
Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-016ed44ddc 2025-02-15 02:22:06.812098+00:00 -------------------------------------------------------------------------------- Name : nginx-mod-vts Product : Fedora 40 Version : 0.2.3 Release : 3.fc40 URL : https://github.com/vozlt/nginx-module-vts Summary : Nginx virtual host traffic status module Description : Nginx virtual host traffic status module. -------------------------------------------------------------------------------- Update Information: Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -------------------------------------------------------------------------------- ChangeLog: * Thu Feb 6 2025 Felix Kaechele - 0.2.3-3 - Rebuild for nginx 1.26.3 * Fri Jan 17 2025 Fedora Release Engineering - 0.2.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild * Thu Jan 2 2025 Mikel Olasagasti Uranga - 0.2.3-1 - Updateto 0.2.3 rhbz#2335121 * Mon Sep 2 2024 Miroslav Suchý - 0.2.2-11 - convert license to SPDX * Mon Aug 26 2024 Felix Kaechele - 0.2.2-10 - Rebuild for nginx 1.26.2... again. -------------------------------------------------------------------------------- References: [ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user https://bugzilla.redhat.com/show_bug.cgi?id=2277663 [ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2344197 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-016ed44ddc' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- . Fedora 40 highlights significant updates for nginx-mod-vts, focusing on resolving vulnerabilities related to TLS session resumption and implementing critical bug fixes.. nginx Traffic Status, Fedora Security Update, TLS Session Issue. . Severity: Critical. LinuxSecurity.com Team
Feb 15, 2025
•Critical
Fedora
89
security advisoryupdatecriticalFedora 40: FEDORA-2025-016ed44ddc moderate: nginx TLS session bypass
Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-016ed44ddc 2025-02-15 02:22:06.812098+00:00 -------------------------------------------------------------------------------- Name : nginx-mod-modsecurity Product : Fedora 40 Version : 1.0.3 Release : 16.fc40 URL : https://github.com/owasp-modsecurity/ModSecurity-nginx Summary : ModSecurity v3 nginx connector Description : The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx. The ModSecurity-nginx connector takes the form of an nginx module. The module simply serves as a layer of communication between nginx and ModSecurity -------------------------------------------------------------------------------- Update Information: Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -------------------------------------------------------------------------------- ChangeLog: * Thu Feb 6 2025 Felix Kaechele - 1.0.3-16 - Rebuild for nginx 1.26.3 * Fri Jan 17 2025 Fedora Release Engineering - 1.0.3-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild * Mon Aug 26 2024 Felix Kaechele - 1.0.3-14 - Rebuild for nginx 1.26.2... again. -------------------------------------------------------------------------------- References: [ 1 ] Bug #2277663 - please switch to using systemd-sysusers to create the nginx user https://bugzilla.redhat.com/show_bug.cgi?id=2277663 [ 2 ] Bug #2344197 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability [fedora-40] https://bugzilla.redhat.com/show_bug.cgi?id=2344197 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-016ed44ddc' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Feb 15, 2025
Fedora
89
security advisoryFedoranginxFedora 40: FEDORA-2025-016ed44ddc critical: nginx SSL session bypass
Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2025-016ed44ddc 2025-02-15 02:22:06.812098+00:00 -------------------------------------------------------------------------------- Name : nginx Product : Fedora 40 Version : 1.26.3 Release : 1.fc40 URL : https://nginx.org Summary : A high performance web server and reverse proxy server Description : Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. -------------------------------------------------------------------------------- Update Information: Changes with nginx 1.26.3 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -------------------------------------------------------------------------------- ChangeLog: * Thu Feb 6 2025 Felix Kaechele - 2:1.26.3-1 - update to 1.26.3 - fixes SSL session reuse vulnerability (CVE-2025-23419) - drop zlib-ng patch, theissue was addressed upstream * Wed Feb 5 2025 Luboš Uhliarik - 2:1.26.2-6 - Use systemd-sysusers * Mon Feb 3 2025 Joe Orton - 2:1.26.2-5 - Add systemd instantiated service nginx@.service, allowing e.g. "systemctl start
Feb 15, 2025
•Critical
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!