diff --git a/nginx-1.20.1-CVE-2025-23419.patch b/nginx-1.20.1-CVE-2025-23419.patch
new file mode 100644
index 0000000..bee1c1c
--- /dev/null
+++ b/nginx-1.20.1-CVE-2025-23419.patch
@@ -0,0 +1,45 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 684fabd..404aa77 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
diff --git a/nginx.spec b/nginx.spec
index ce2ed8f..7ee9dcb 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           21%{?dist}
+Release:           22%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -101,6 +101,9 @@ Patch8:            0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
 # upstream patch - https://issues.redhat.com/browse/RHEL-40075
 Patch9:            0010-Optimized-chain-link-usage.patch
 
+# upstream patch - https://issues.redhat.com/browse/RHEL-78236
+Patch10:           nginx-1.20.1-CVE-2025-23419.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -610,6 +613,10 @@ fi
 
 
 %changelog
+* Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
+- Resolves: RHEL-78236 - nginx: TLS Session Resumption
+  Vulnerability (CVE-2025-23419)
+
 * Wed Feb 05 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-21
 - Resolves: RHEL-77486 - [RFE] nginx use systemd-sysusers