CVE-2025-23419 vulnerability in nginx

Bug #2105509 reported by imm6
This bug affects 1 person
Affects: nginx (Ubuntu)
Status: In Progress
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

nginx announced the CVE-2025-23419 vulnerability on February 5, 2025:

https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

At https://ubuntu.com/security/CVE-2025-23419 it shows "Needs evaluation" for 24.04 LTS noble.

24.04's current version of nginx is 1.24.0-2ubuntu7.1 which has this vulnerability.

PCI tests are failing due to this vulnerability not yet being addressed in Ubuntu LTS.

imm6 (imm6)
information type: Private Security → Public Security
Changed in nginx (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
status: New → In Progress
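
The conditions quoted in the bug description can be turned into a quick triage check. This is an added example, not code from the bug report, nginx or Ubuntu. All function names are hypothetical, and the treatment of absent directives is an assumption marked in the comments. It compares the upstream version only, so a distribution package that carries a backported fix under an older version number will still be flagged.

```python
import re

# Bounds from the bug description: affected from 1.11.4, fixed in 1.26.3 and 1.27.4.
FIRST_AFFECTED, FIXED_STABLE = (1, 11, 4), (1, 26, 3)
MAINLINE_START, FIXED_MAINLINE = (1, 27, 0), (1, 27, 4)

# Constructed sample configuration (not from the bug report).
SAMPLE_CONF = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;  # resumption via server-side cache
    ssl_session_tickets off;
}
"""


def upstream_version(pkg_version):
    """Extract the upstream (x, y, z) tuple from e.g. '1.24.0-2ubuntu7.1'."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", pkg_version)
    if not m:
        raise ValueError(f"unrecognised nginx version: {pkg_version!r}")
    return tuple(int(p) for p in m.groups())


def version_in_affected_range(pkg_version):
    v = upstream_version(pkg_version)
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    return not (FIXED_STABLE <= v < MAINLINE_START)


def directive_values(config_text, name):
    """Return the argument list of every occurrence of a simple directive."""
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments
    pattern = rf"(?:^|[;{{}}\s]){re.escape(name)}\s+([^;{{}}]+);"
    return [m.split() for m in re.findall(pattern, text)]


def config_meets_conditions(config_text):
    """True if TLSv1.3 and session resumption both appear enabled."""
    protocols = directive_values(config_text, "ssl_protocols")
    # Assumption: with no ssl_protocols line, TLSv1.3 may be on by default.
    tls13 = not protocols or any("TLSv1.3" in a for a in protocols)
    tickets = directive_values(config_text, "ssl_session_tickets")
    # Assumption: tickets are on unless every occurrence says "off".
    tickets_on = not tickets or any(a != ["off"] for a in tickets)
    caches = directive_values(config_text, "ssl_session_cache")
    cache_on = any(v not in ("off", "none") for a in caches for v in a)
    return tls13 and (tickets_on or cache_on)
```

Feed `config_meets_conditions` the full rendered configuration (for example the output of `nginx -T`) so that included files are covered.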