Ubuntu
nginx package

CVE-2025-23419 vulnerability in nginx

Bug #2105509 reported by imm6 on 2025-03-31

260

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	nginx (Ubuntu)	Fix Released	Undecided	Leonidas S. Barbosa

Bug Description

nginx announced the CVE-2025-23419 vulnerability on February 5, 2025:

https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.

At https://ubuntu.com/security/CVE-2025-23419 it shows "Needs evaluation" for 24.04 LTS noble.

24.04's current version of nginx is 1.24.0-2ubuntu7.1 which has this vulnerability.

PCI tests are failing due to this vulnerability not yet being addressed in Ubuntu LTS.

CVE References

2025-23419

imm6 (imm6) on 2025-03-31

information type:

Private Security → Public Security

Leonidas S. Barbosa (leosilvab) on 2025-03-31

Changed in nginx (Ubuntu):
assignee:	nobody → Leonidas S. Barbosa (leosilvab)
status:	New → In Progress

Revision history for this message

Brian McBride (brian-mcbride) wrote on 2025-05-12:

Is there an update on this issue?
Thanks!

Revision history for this message

Thomas Ward (teward) wrote on 2025-05-12:

According to https://ubuntu.com/security/CVE-2025-23419 this is already fixed.

Changed in nginx (Ubuntu):
status:	In Progress → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntunginx package