Your message dated Sat, 16 Aug 2025 14:56:57 +0000
with message-id <[email protected]>
and subject line Bug#1111138: fixed in nginx 1.28.0-2
has caused the Debian Bug report #1111138,
regarding nginx: CVE-2025-53859
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111138: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.26.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for nginx.
CVE-2025-53859[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_mail_smtp_module that might allow an unauthenticated attacker to
| over-read NGINX SMTP authentication process memory; as a result, the
| server side may leak arbitrary bytes sent in a request to the
| authentication server. This issue happens during the NGINX SMTP
| authentication process and requires the attacker to make
| preparations against the target system to extract the leaked data.
| The issue affects NGINX only if (1) it is built with the
| ngx_mail_smtp_module, (2) the smtp_auth directive is configured with
| method "none," and (3) the authentication server returns the "Auth-
| Wait" response header. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53859
https://www.cve.org/CVERecord?id=CVE-2025-53859
[1] https://www.openwall.com/lists/oss-security/2025/08/13/5
[2] https://nginx.org/download/patch.2025.smtp.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
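The CVE text above lists three preconditions; two of them (the mail module being built in, and an `smtp_auth` directive that lists `none`) can be checked on the server itself. The following POSIX shell check is an added example, not part of the bug report, the CVE record or the Debian package; it assumes `nginx -V` prints the configure arguments and that the config files are passed explicitly.

```shell
#!/bin/sh
# Added example for the CVE-2025-53859 preconditions quoted in the bug report;
# it is not part of the report, the CVE record or the Debian package.
# Assumptions: the affected setting is an smtp_auth directive in the mail
# context that lists "none", and "nginx -V" prints the configure arguments.

# Return 0 when the nginx configuration read from stdin lists "none" as an
# smtp_auth method (nginx accepts several methods in one directive).
smtp_auth_none_configured() {
    # Drop comments first so a commented-out directive is not reported.
    sed 's/#.*$//' |
        grep -Eq '^[[:space:]]*smtp_auth[[:space:]]+([a-z_-]+[[:space:]]+)*none([[:space:]]|;)'
}

# Return 0 when the given nginx binary (default: nginx on PATH) reports that
# it was configured with the mail module, which contains ngx_mail_smtp_module.
built_with_mail() {
    "${1:-nginx}" -V 2>&1 | grep -q -- '--with-mail'
}

# Report the locally checkable preconditions for one configuration file.
# The third precondition, an Auth-Wait header from the authentication server,
# has to be verified on that backend and is only mentioned in the output.
report() {
    cfg="${1:-/etc/nginx/nginx.conf}"
    if built_with_mail "$2"; then
        echo "mail module: built in"
    else
        echo "mail module: not built in (SMTP auth path not reachable)"
    fi
    if smtp_auth_none_configured < "$cfg"; then
        echo "smtp_auth none: configured in $cfg (check the auth backend for Auth-Wait)"
    else
        echo "smtp_auth none: not found in $cfg"
    fi
}
```

The config check does not follow `include` directives, so files such as those under `conf.d/` have to be passed to `report` one by one.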
--- Begin Message ---
Source: nginx
Source-Version: 1.28.0-2
Done: Jan Mojžíš <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Mojžíš <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 16 Aug 2025 16:11:55 +0200
Source: nginx
Architecture: source
Version: 1.28.0-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Jan Mojžíš <[email protected]>
Closes: 1111138
Changes:
nginx (1.28.0-2) experimental; urgency=medium
.
* d/p/CVE-2025-53859.patch add, fixes CVE-2025-53859 (Closes: 1111138)
--- End Message ---