Your message dated Tue, 26 Aug 2025 05:50:02 +0000
with message-id <[email protected]>
and subject line Bug#1111138: fixed in nginx 1.28.0-3
has caused the Debian Bug report #1111138,
regarding nginx: CVE-2025-53859
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111138: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.26.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nginx.

CVE-2025-53859[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_mail_smtp_module that might allow an unauthenticated attacker to
| over-read NGINX SMTP authentication process memory; as a result, the
| server side may leak arbitrary bytes sent in a request to the
| authentication server. This issue happens during the NGINX SMTP
| authentication process and requires the attacker to make
| preparations against the target system to extract the leaked data.
| The issue affects NGINX only if (1) it is built with the
| ngx_mail_smtp_module, (2) the smtp_auth directive is configured with
| method "none," and (3) the authentication server returns the
| "Auth-Wait" response header. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53859
    https://www.cve.org/CVERecord?id=CVE-2025-53859
[1] https://www.openwall.com/lists/oss-security/2025/08/13/5
[2] https://nginx.org/download/patch.2025.smtp.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
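
The CVE description quoted in the report above names three preconditions. The following is an added example, not part of the bug report and not code from nginx or Debian: it checks the first two against the text printed by `nginx -V` (configure arguments) and `nginx -T` (full configuration dump). The sample inputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_BUILD_ARGS = ("configure arguments: --with-http_ssl_module "
                     "--with-mail=dynamic --with-mail_ssl_module")
SAMPLE_CONF = """
load_module modules/ngx_mail_module.so;
mail {
    auth_http 127.0.0.1:9000/auth;
    # smtp_auth none;   (commented out, must be ignored)
    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain none;
    }
    server {
        listen 587;
        protocol smtp;
        smtp_auth login plain;
    }
}
"""

def smtp_module_built(build_args: str) -> bool:
    """Condition (1): mail support compiled in and the SMTP module not excluded."""
    opts = build_args.split()
    has_mail = any(o == "--with-mail" or o.startswith("--with-mail=") for o in opts)
    return has_mail and "--without-mail_smtp_module" not in opts

def smtp_auth_none_lines(conf: str) -> list:
    """Condition (2): (line number, directive) for each smtp_auth that lists 'none'."""
    hits = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments
        m = re.search(r"\bsmtp_auth\s+([^;]+);", code)
        if m and "none" in m.group(1).split():
            hits.append((lineno, m.group(0)))
    return hits

def exposure_report(build_args: str, conf: str) -> dict:
    """Conditions (1) and (2) combined; condition (3), the Auth-Wait response
    header, depends on the auth_http backend and is not visible in the config."""
    built = smtp_module_built(build_args)
    hits = smtp_auth_none_lines(conf)
    return {"module_built": built, "auth_none": hits,
            "needs_review": built and bool(hits)}

if __name__ == "__main__":
    print(exposure_report(SAMPLE_BUILD_ARGS, SAMPLE_CONF))
```

A `needs_review` result means the auth_http backend should be checked for the "Auth-Wait" response header, or the package updated to the fixed version.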
--- Begin Message ---
Source: nginx
Source-Version: 1.28.0-3
Done: Jan Mojžíš <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Mojžíš <[email protected]> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Aug 2025 07:16:58 +0200
Source: nginx
Architecture: source
Version: 1.28.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Jan Mojžíš <[email protected]>
Closes: 1111138
Changes:
 nginx (1.28.0-3) unstable; urgency=medium
 .
   * Upload to unstable
   * d/p/CVE-2025-53859.patch add, fixes CVE-2025-53859 (Closes: 1111138)
   * d/gbp.conf: dist = DEP14, debian-branch = debian/latest

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
