CVE-2025-23419 vulnerability in nginx

Bug #2105509 reported by imm6
This bug affects 2 people
Affects: nginx (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

nginx announced the CVE-2025-23419 vulnerability on February 5, 2025:

https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

At https://ubuntu.com/security/CVE-2025-23419 it shows "Needs evaluation" for 24.04 LTS noble.

24.04's current version of nginx is 1.24.0-2ubuntu7.1 which has this vulnerability.

PCI tests are failing due to this vulnerability not yet being addressed in Ubuntu LTS.
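
The conditions quoted from the announcement (upstream version range, TLSv1.3, and resumption through ssl_session_cache or ssl_session_tickets) can be checked mechanically. The sketch below is an added example, not part of the original report or of nginx; it scans the configuration as a single scope without per-server inheritance, and the directive defaults noted in its comments are assumptions taken from the nginx documentation. It compares upstream version numbers only, so whether a distribution package carries the fix still has to be read from the distribution's CVE tracker.

```python
import re

# Version bounds as quoted from the nginx announcement in the report above.
FIRST_AFFECTED, FIXED_STABLE, FIXED_MAINLINE = (1, 11, 4), (1, 26, 3), (1, 27, 4)

def parse(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))

def upstream_version_affected(version: str) -> bool:
    """True if an upstream nginx version is in the announced affected range."""
    v = parse(version)
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # 1.26.3 and later 1.26.x carry the fix; 1.27.0 to 1.27.3 do not.
    return not (FIXED_STABLE <= v < (1, 27, 0))

def directive_values(config: str, name: str) -> list:
    """Values of every occurrence of a directive (flat scan, comments stripped)."""
    text = re.sub(r"#[^\n]*", "", config)
    return [m.strip() for m in re.findall(rf"(?<!\w){name}\s+([^;]+);", text)]

def resumption_exposed(config: str, version: str) -> bool:
    """True if TLSv1.3 plus a session cache or session tickets may be active."""
    protocols = directive_values(config, "ssl_protocols")
    # Assumption (nginx docs): TLSv1.3 is in the default ssl_protocols since 1.23.4.
    tls13 = (any("TLSv1.3" in p.split() for p in protocols)
             if protocols else parse(version) >= (1, 23, 4))
    # Assumption (nginx docs): the default is "none"; only builtin/shared store sessions.
    cache_on = any(re.search(r"\b(builtin|shared)\b", c)
                   for c in directive_values(config, "ssl_session_cache"))
    # Assumption (nginx docs): tickets default to "on" when the directive is absent.
    tickets = directive_values(config, "ssl_session_tickets")
    tickets_on = not tickets or "on" in tickets
    return tls13 and (cache_on or tickets_on)

# Constructed sample configuration, not taken from the report.
SAMPLE = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;   # resumption via server-side cache
    ssl_session_tickets off;
}
"""
NO_RESUMPTION = SAMPLE.replace("shared:SSL:10m", "off")

if __name__ == "__main__":
    for label, conf in (("SAMPLE", SAMPLE), ("NO_RESUMPTION", NO_RESUMPTION)):
        hit = upstream_version_affected("1.24.0") and resumption_exposed(conf, "1.24.0")
        print(f"{label}: matches announced conditions = {hit}")
```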


imm6 (imm6)
information type: Private Security → Public Security
Changed in nginx (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
status: New → In Progress
Brian McBride (brian-mcbride) wrote :

Is there an update on this issue?
Thanks!

Thomas Ward (teward) wrote :

According to https://ubuntu.com/security/CVE-2025-23419 this is already fixed.

Changed in nginx (Ubuntu):
status: In Progress → Fix Released