Message-ID: <20250205173529.GA31344@openwall.com>
Date: Wed, 5 Feb 2025 18:35:29 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Sergey Kandaurov <pluknet@...nx.com>
Subject: CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption

----- Forwarded message from F5SIRT via nginx-announce <nginx-announce@...nx.org> -----

To: "nginx-announce@...nx.org" <nginx-announce@...nx.org>
Date: Wed, 5 Feb 2025 17:23:12 +0000
Subject: [nginx-announce] nginx security advisory (CVE-2025-23419)
From: F5SIRT via nginx-announce <nginx-announce@...nx.org>
Reply-To: F5SIRT <f5sirt@...com>

A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based
virtual hosts in unrelated contexts, allowing a bypass of client
certificate authentication in some configurations (CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.
_______________________________________________
nginx-announce mailing list
nginx-announce@...nx.org
https://mailman.nginx.org/mailman/listinfo/nginx-announce

----- End forwarded message -----
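The following triage script is an added example written for this page; it is not code from the advisory, from F5 or from the nginx project. It encodes only what the advisory above states (1.11.4 and newer affected, fixed in 1.26.3 and 1.27.4, preconditions TLSv1.3 plus session resumption via ssl_session_cache or ssl_session_tickets) and checks a configuration for the ingredients of the bypass: TLSv1.3, resumption, and ssl_verify_client on a name-based vhost. Two assumptions are made and marked in the code: release series newer than 1.27 (not named in the advisory) are treated as fixed, and the configuration scan is flat (it does not follow the http/server block structure), so a hit means "look closer", not proven exposure. The embedded nginx configurations are constructed samples, not from any real deployment.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-23419 (example for this page, not code
# from the advisory, F5 or nginx).  See the lead-in for the assumptions.

# vnum X.Y.Z -> one integer usable with -lt/-ge (missing fields count as 0)
vnum() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# parse_nginx_version "nginx version: nginx/1.26.2" -> 1.26.2
# (feed it the first line of `nginx -v 2>&1` or `nginx -V 2>&1`)
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# nginx_version_status VERSION -> prints "affected" or "not-affected",
# using exactly the ranges given in the advisory.
nginx_version_status() {
    n=$(vnum "$1")
    if [ "$n" -lt "$(vnum 1.11.4)" ]; then
        echo not-affected                 # predates the affected code
        return
    fi
    case "$1" in
        1.27.*) fixed=$(vnum 1.27.4) ;;   # mainline fix named above
        *)      fixed=$(vnum 1.26.3) ;;   # stable fix named above; ASSUMPTION:
                                          # series newer than 1.27 carry it too
    esac
    if [ "$n" -lt "$fixed" ]; then echo affected; else echo not-affected; fi
}

# config_preconditions FILE -> space-separated list of what was found:
#   tls13        ssl_protocols names TLSv1.3 ("tls13?" when there is no
#                ssl_protocols directive, since the default depends on the
#                nginx version)
#   resumption   ssl_session_cache is builtin/shared, or ssl_session_tickets
#                is not explicitly off (nginx enables tickets by default)
#   client-cert  ssl_verify_client on / optional / optional_no_ca is present
# ASSUMPTION: flat scan, comments stripped, block structure ignored.
config_preconditions() {
    cfg=$(sed 's/#.*//' "$1")
    out=""
    if printf '%s\n' "$cfg" | grep -q 'ssl_protocols.*TLSv1\.3'; then
        out="$out tls13"
    elif ! printf '%s\n' "$cfg" | grep -q 'ssl_protocols'; then
        out="$out tls13?"
    fi
    if printf '%s\n' "$cfg" | grep -Eq 'ssl_session_cache[[:space:]]+(shared|builtin)' \
       || ! printf '%s\n' "$cfg" | grep -Eq 'ssl_session_tickets[[:space:]]+off'; then
        out="$out resumption"
    fi
    if printf '%s\n' "$cfg" | grep -Eq 'ssl_verify_client[[:space:]]+(on|optional|optional_no_ca)'; then
        out="$out client-cert"
    fi
    echo "${out# }"
}

# write_sample_config PATH [exposed|mitigated]
# Constructed sample (not a real deployment): two name-based vhosts on one
# listener, TLSv1.3 enabled, client certificates required only on the second.
# "exposed" keeps resumption on (shared cache, tickets at their default);
# "mitigated" turns both resumption mechanisms off, which removes the
# precondition the advisory names, pending an upgrade to 1.26.3 / 1.27.4.
write_sample_config() {
    if [ "$2" = mitigated ]; then
        resume='ssl_session_cache off;
    ssl_session_tickets off;'
    else
        resume='ssl_session_cache shared:SSL:10m;
    # ssl_session_tickets left at its default (on)'
    fi
    cat > "$1" <<EOF
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    $resume
    server {
        listen 443 ssl;
        server_name public.example;
        ssl_certificate     /etc/nginx/server.pem;
        ssl_certificate_key /etc/nginx/server.key;
    }
    server {
        listen 443 ssl;
        server_name admin.example;
        ssl_certificate     /etc/nginx/server.pem;
        ssl_certificate_key /etc/nginx/server.key;
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/clients-ca.pem;
    }
}
EOF
}

# Stand-alone demo: version triage plus both sample configurations.
for v in 1.11.3 1.25.5 1.26.2 1.26.3 1.27.3 1.27.4; do
    echo "nginx $v: $(nginx_version_status "$v")"
done
tmp=$(mktemp)
write_sample_config "$tmp" exposed;   echo "exposed config:   $(config_preconditions "$tmp")"
write_sample_config "$tmp" mitigated; echo "mitigated config: $(config_preconditions "$tmp")"
rm -f "$tmp"
```

Run it against a real host with `nginx_version_status "$(parse_nginx_version "$(nginx -v 2>&1)")"` and `config_preconditions /etc/nginx/nginx.conf` (plus any included files, which the flat scan does not follow). Turning resumption off costs a full handshake per connection; it is a stopgap for the window before the fixed versions are deployed, not a substitute for upgrading.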
