From cf219440756ce81d220e9ed736664539ce4ef6ae Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Thu, 6 Feb 2025 08:00:34 +0000
Subject: [PATCH] fix CVE-2025-23419
(cherry picked from commit 1b756be28559aab4e176b49eb9a91d1f667f9e04)
---
 backport-CVE-2025-23419.patch | 69 +++++++++++++++++++++++++++++++++++
 nginx.spec | 6 ++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-23419.patch
diff --git a/backport-CVE-2025-23419.patch b/backport-CVE-2025-23419.patch
new file mode 100644
index 0000000..8d6c0f0
--- /dev/null
+++ b/backport-CVE-2025-23419.patch
@@ -0,0 +1,69 @@
+From 13935cf9fdc3c8d8278c70716417d3b71c36140e Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Wed, 22 Jan 2025 18:55:44 +0400
+Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
+ resumption.
+
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f650b insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f650b, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 3cca57cf5ee..9593b7fb506 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ goto done;
+ }
+ 
++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION \
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++ /*
++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++ * but servername being negotiated in every TLSv1.3 handshake
++ * is only returned in OpenSSL 1.1.1+ as well
++ */
++
++ if (sscf->verify) {
++ const char *hostname;
++
++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++ c->ssl->handshake_rejected = 1;
++ *ad = SSL_AD_ACCESS_DENIED;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++ }
++
++#endif
++
+ hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+ if (hc->ssl_servername == NULL) {
+ goto error;
+@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+ ngx_set_connection_log(c, clcf->error_log);
+ 
+- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+ c->ssl->buffer_size = sscf->buffer_size;
+ 
+ if (sscf->ssl.ctx) {
diff --git a/nginx.spec b/nginx.spec
index 68b2d53..7878540 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -17,7 +17,7 @@
 Name: nginx
 Epoch: 1
 Version: 1.24.0
-Release: 2
+Release: 3
 Summary: A HTTP server, reverse proxy and mail proxy server
 License: BSD
 URL: http://nginx.org/
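Review bot: The new rejection branch under `if (sscf->verify)` sets `handshake_rejected` and returns SSL_TLSEXT_ERR_ALERT_FATAL without emitting any log line, so at debug level an operator cannot distinguish a cross-SNI resumption rejection from other handshake failures; a line such as `ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL server name on resumption \"%s\" differs from \"%s\"", hostname, servername);` before `c->ssl->handshake_rejected = 1;` would make the new path observable. The `sscf` lookup is also moved earlier and switched from `hc->conf_ctx` to `cscf->ctx`; that is equivalent only if `hc->conf_ctx` is assigned `cscf->ctx` between the two positions, which lies outside the hunk and should be confirmed against the 1.24.0 source this backport is applied to. ngx_http_ssl_servername starts and ends outside the hunk.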
@@ -42,6 +42,7 @@ Patch2: nginx-fix-pidfile.patch
 Patch3: backport-CVE-2023-44487.patch
 # https://nginx.org/download/patch.2024.mp4.txt
 Patch4: backport-CVE-2024-7347.patch
+Patch5: backport-CVE-2025-23419.patch
 BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
 Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl
@@ -389,6 +390,9 @@ fi
 %{_mandir}/man8/nginx.8*
 %changelog
+* Thu Feb 06 2025 gaihuiying - 1:1.24.0-3
+- fix CVE-2025-23419
+
 * Thu Aug 15 2024 Funda Wang - 1:1.24.0-2
 - fix CVE-2024-7347
-- Gitee
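Review bot: The hunk at -42 declares `Patch5: backport-CVE-2025-23419.patch` but nothing in this diff shows the patch being applied; if %prep in this spec uses explicit `%patchN -p1` lines rather than `%autosetup -p1`, the new patch would be listed yet never applied, and the Release bump would ship a build that still carries the vulnerable code. Please confirm the %prep section (outside this hunk) applies Patch5, or add the corresponding `%patch5 -p1` line next to the existing ones.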