Ubuntu
nginx package

CVE-2025-23419 vulnerability in nginx

Bug #2105509 reported by imm6 on 2025-03-31

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	nginx (Ubuntu)	In Progress	Undecided	Leonidas S. Barbosa

Bug Description

nginx announced the CVE-2025-23419 vulnerability on February 5, 2025:

https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

At https://ubuntu.com/security/CVE-2025-23419 it shows "Needs evaluation" for 24.04 LTS noble.

24.04's current version of nginx is 1.24.0-2ubuntu7.1 which has this vulnerability.

PCI tests are failing due to this vulnerability not yet being addressed in Ubuntu LTS.

imm6 (imm6) on 2025-03-31

information type:

Private Security → Public Security

Leonidas S. Barbosa (leosilvab) on 2025-03-31

Changed in nginx (Ubuntu):
assignee:	nobody → Leonidas S. Barbosa (leosilvab)
status:	New → In Progress

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntunginx package

CVE-2025-23419 vulnerability in nginx

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
nginx package