diff --git a/SPECS/nginx/CVE-2025-23419.patch b/SPECS/nginx/CVE-2025-23419.patch
new file mode 100644
index 00000000000..eac62698187
--- /dev/null
+++ b/SPECS/nginx/CVE-2025-23419.patch
@@ -0,0 +1,72 @@
+From 117654149dea3a5ff72eae8c9ff2484c35f77732 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Wed, 22 Jan 2025 18:55:44 +0400
+Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
+ resumption.
+
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f650b insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f650b, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 3cca57c..9593b7f 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ goto done;
+ }
+ 
++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION \
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++ /*
++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++ * but servername being negotiated in every TLSv1.3 handshake
++ * is only returned in OpenSSL 1.1.1+ as well
++ */
++
++ if (sscf->verify) {
++ const char *hostname;
++
++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++ c->ssl->handshake_rejected = 1;
++ *ad = SSL_AD_ACCESS_DENIED;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++ }
++
++#endif
++
+ hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+ if (hc->ssl_servername == NULL) {
+ goto error;
+@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+ ngx_set_connection_log(c, clcf->error_log);
+ 
+- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+ c->ssl->buffer_size = sscf->buffer_size;
+ 
+ if (sscf->ssl.ctx) {
+-- 
+2.34.1
+
diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec
index a3022eb044c..7f8f956f5df 100644
--- a/SPECS/nginx/nginx.spec
+++ b/SPECS/nginx/nginx.spec
@@ -7,7 +7,7 @@ Name: nginx
 # Currently on "stable" version of nginx from https://nginx.org/en/download.html.
 # Note: Stable versions are even (1.20), mainline versions are odd (1.21)
 Version: 1.22.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: BSD-2-Clause
 Vendor: Microsoft Corporation
 Distribution: Mariner
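Review bot: The new `if (hostname != NULL && ngx_strcmp(hostname, servername) != 0)` compares the name stored in the resumed session with the presented SNI byte-for-byte, so two ClientHellos that differ only in letter case for the same host are treated as a cross-SNI resumption and the handshake is rejected with `SSL_AD_ACCESS_DENIED`; because hostnames are otherwise case-insensitive this is a fail-closed false positive rather than a gap, but the intent should be written down so nobody later "fixes" it into a case-insensitive compare without reconsidering the verify case. I would extend the existing comment block with `* compared byte-exact on purpose: any difference, including case, fails closed with access_denied`. Two more things the comment leaves implicit: the whole check compiles out on LibreSSL/BoringSSL builds because of the `#if` guard, so cross-SNI resumption stays unrestricted there, and it only runs when `sscf->verify` is set, which is the scope the commit message describes. The `sscf` lookup also moves from `hc->conf_ctx` to `cscf->ctx` (the second hunk removes the old one); that is equivalent only if `hc->conf_ctx` is assigned `cscf->ctx` between the two points, which is outside the hunk. `ngx_http_ssl_servername` begins and ends outside the hunk.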
@@ -19,6 +19,7 @@ Source2: https://github.com/nginx/njs/archive/refs/tags/%{njs_version}.ta
 Source3: https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/%{opentelemetry_cpp_contrib_git_commit}.tar.gz#/opentelemetry-cpp-contrib-%{opentelemetry_cpp_contrib_git_commit}.tar.gz
 Patch0: CVE-2023-44487.patch
 Patch1: CVE-2024-7347.patch
+Patch2: CVE-2025-23419.patch
 BuildRequires: libxml2-devel
 BuildRequires: libxslt-devel
 BuildRequires: openssl-devel
@@ -146,6 +147,9 @@ exit 0
 %{_sysconfdir}/%{name}/modules/otel_ngx_module.so
 %changelog
+* Mon Fev 10 2025 Mitch Zhu - 1.22.1-13
+- Fix CVE-2025-23419
+
+* Tue Aug 20 2024 Cameron Baird - 1.22.1-12
+- Fix CVE-2024-7347
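Review bot: The new changelog entry `+* Mon Fev 10 2025 Mitch Zhu - 1.22.1-13` misspells the month; rpmbuild checks %changelog dates against the English month abbreviations and aborts the build with `bad date in %changelog` on one it does not recognise, so the line should read `* Mon Feb 10 2025 Mitch Zhu - 1.22.1-13` (10 Feb 2025 is a Monday, so the weekday is consistent). The `Patch2:` line in the first hunk is fine provided %prep applies every PatchN entry, which is not visible here. The last two lines of the changelog hunk carry `+` markers although they restate the existing 1.22.1-12 entry and the hunk header accounts for only three additions, so that is probably a rendering artefact rather than a duplicated entry, but it is worth confirming against the file itself.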