nginx-1.26.3 and nginx-1.27.4 released.

*) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdc5cd5fc8762a80936091dba0eef8008b8157e6

commit fdc5cd5fc8762a80936091dba0eef8008b8157e6
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2025-02-05 21:49:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2025-02-05 21:49:49 +0000

    www-servers/nginx: bump to 1.26.3 and 1.27.4

    Bug: https://bugs.gentoo.org/949354
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest                         |    3 +-
 www-servers/nginx/nginx-1.26.3.ebuild              | 1144 ++++++++++++++++++++
 ...{nginx-1.27.3-r2.ebuild => nginx-1.27.4.ebuild} |    0
 3 files changed, 1146 insertions(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=402c765378c5919e260a07855a4cb9b1b5a1c7ca

commit 402c765378c5919e260a07855a4cb9b1b5a1c7ca
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2025-02-06 14:54:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2025-02-06 14:55:01 +0000

    www-servers/nginx: drop 1.26.2-r9

    Bug: https://bugs.gentoo.org/949354
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest               |    1 -
 www-servers/nginx/nginx-1.26.2-r9.ebuild | 1144 ------------------------------
 2 files changed, 1145 deletions(-)
All vulnerable versions dropped.