Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:nginx-snippets
User: [email protected]
Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
Courtesy of a report to [email protected], a report was filed about nginx-snippets in Trixie not including the post-quantum resilient ECDH curve X25519MLKEM768 in the enabled/supported curves by the snippets. This isn't really a 'security' issue as post-quantum is not yet required by any standard, though it can introduce a security 'regression' of a non-security bug nature if your company's policies require post-quantum. This issue was filed as https://bugs.debian.org/1138590 by me as there was no tracking bug to track this for a changelog entry. This is a direct backport from Testing/Unstable to Trixie with no other changes.

[ Impact ]
Users who wish to enable post-quantum resilient curves run into the snippets provided by nginx-snippets removing PQ curves. While not directly a 'security' issue as currently defined by the industry, it poses a concern if someone needs PQ resilience.

[ Tests ]
Manual tests running the newer snippets from version 1.3 in Unstable confirm that the curve is supported in Trixie but not default-enabled when using nginx-snippets.

[ Risks ]
If someone using Trixie wants to use DHE ciphers for TLS 1.2 and such, those are no longer available. Version 1.3 of nginx-snippets uses an April 2026-era updated set of TLS Guidance from Mozilla. DHE ciphers (but not ECDHE and PQ ciphers) were removed from the 'Intermediate' cipher sets.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in stable
[X] the issue is verified as fixed in unstable

[ Changes ]
No-change 'backport' of the 1.3 package to trixie proposed updates.

[ Other info ]
The Security Team is aware that this request came through, however it is really not a 'security' grade bug in the package maintainer's current assessment of the issue.

Maintainer of this package is a CISSP-certified cyber security expert. Note that PQ resilience, while recommended by TLS guidelines from Mozilla and others, is not yet mandatory in any known standards as of May 31, 2026 (except requirements in CNSA 2.0 that take effect by 2029). Debdiff will be uploaded independently of this submission due to the reportbug tool in Unstable being run in a VM separate from where the packaging of nginx-snippets is held.
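The two points raised under [ Reason ] and [ Risks ] (the PQ hybrid group missing from the curve list, and DHE suites dropped from the cipher list) can be checked on a deployed snippet. The script below is an added example, not part of this report or of the nginx-snippets package; the two config fragments are constructed for illustration, and it assumes directives sit one per line in the form `ssl_ecdh_curve a:b:c;` and that nginx is built against an OpenSSL that knows the X25519MLKEM768 group.

```shell
#!/bin/sh
# Audit an nginx TLS snippet for (a) whether the post-quantum hybrid group
# X25519MLKEM768 is offered via ssl_ecdh_curve and (b) whether any
# finite-field DHE suite is still listed in ssl_ciphers.

# Constructed sample: curve list without the PQ hybrid, DHE suite present.
SAMPLE_OLD='ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;'

# Constructed sample: PQ hybrid offered first, classical groups as fallback,
# DHE suites removed (the shape of the change the report describes).
SAMPLE_NEW='ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;'

# directive_value FILE NAME: print the value of directive NAME without the ';'
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Exit 0 when X25519MLKEM768 appears as a whole entry in ssl_ecdh_curve.
offers_pq_group() {
    directive_value "$1" ssl_ecdh_curve | tr ':' '\n' | grep -qx 'X25519MLKEM768'
}

# Exit 0 when any finite-field DHE suite (DHE-...) is listed in ssl_ciphers.
lists_dhe_suite() {
    directive_value "$1" ssl_ciphers | tr ':' '\n' | grep -q '^DHE-'
}

# Print a one-line verdict per check for the given snippet file.
audit_snippet() {
    if offers_pq_group "$1"; then echo "$1: X25519MLKEM768 offered"
    else echo "$1: no PQ hybrid group (X25519MLKEM768 missing)"; fi
    if lists_dhe_suite "$1"; then echo "$1: DHE suites present (TLS 1.2 DHE still usable)"
    else echo "$1: no DHE suites"; fi
}

# Run the audit over the two constructed samples.
old=$(mktemp); new=$(mktemp)
printf '%s\n' "$SAMPLE_OLD" > "$old"
printf '%s\n' "$SAMPLE_NEW" > "$new"
audit_snippet "$old"
audit_snippet "$new"
```

Point `audit_snippet` at the real file under /etc/nginx/snippets to check a live install.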

