Resolves: RHEL-78236 - nginx: TLS Session Resumption

Vulnerability (CVE-2025-23419)
2025-02-13 12:59:06 +01:00 · 2025-02-13 12:59:06 +01:00 · d3249a24dd
commit d3249a24dd
parent ae74f4cfd8
2 changed files with 53 additions and 1 deletions
--- a/nginx-1.20.1-CVE-2025-23419.patch
+++ b/nginx-1.20.1-CVE-2025-23419.patch
@ -0,0 +1,45 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 684fabd..404aa77 100644
+--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
+@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
+    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
--- a/nginx.spec
+++ b/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           21%{?dist}
+Release:           22%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -101,6 +101,9 @@ Patch8:            0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
 # upstream patch - https://issues.redhat.com/browse/RHEL-40075
 Patch9:            0010-Optimized-chain-link-usage.patch

+# upstream patch - https://issues.redhat.com/browse/RHEL-78236
+Patch10:           nginx-1.20.1-CVE-2025-23419.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -610,6 +613,10 @@ fi


 %changelog
+* Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
+- Resolves: RHEL-78236 - nginx: TLS Session Resumption
+  Vulnerability (CVE-2025-23419)
+
 * Wed Feb 05 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-21
 - Resolves: RHEL-77486 - [RFE] nginx use systemd-sysusers