On Wed, Dec 31, 2025 at 11:39 PM Colin McAllister via
lists.openembedded.org
<[email protected]> wrote:
>
> Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and
> 1.25.5. However, a unique patch is provided for 1.25.5 since the
> upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5.
>
> Signed-off-by: Colin Pinnell McAllister <[email protected]>
> ---
>
> I'm not 100% sure if this is the best way to handle overriding the patch for
> 1.25.5.
> I figured this was better than having two patch files both in the files
> directory
> with nearly identical names. Please let me know if there is a better way to
> do this.
This relies on BP being included first before files. I think we should
also create a separate directory with ${BP} as the name and move patch
for 1.24.0 there as well to make it easy to identify. It also won't
rely on parsing order.
>
> .../nginx/nginx-1.25.5/CVE-2025-23419.patch | 119 ++++++++++++++++++
> meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
> .../recipes-httpd/nginx/nginx_1.24.0.bb | 3 +-
> 3 files changed, 121 insertions(+), 2 deletions(-)
> create mode 100644
> meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch
>
> diff --git
> a/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch
> b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch
> new file mode 100644
> index 0000000000..d1c5bd9b40
> --- /dev/null
> +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch
> @@ -0,0 +1,119 @@
> +From 2de0d3fd114e9d3d6a56bd7298aff8c637063509 Mon Sep 17 00:00:00 2001
> +From: Sergey Kandaurov <[email protected]>
> +Date: Wed, 22 Jan 2025 18:55:44 +0400
> +Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
> + resumption.
> +
> +In OpenSSL, session resumption always happens in the default SSL context,
> +prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
> +protocols, SSL_get_servername() returns values received in the resumption
> +handshake, which may be different from the value in the initial handshake.
> +Notably, this makes the restriction added in b720f650b insufficient for
> +sessions resumed with different SNI server name.
> +
> +Considering the example from b720f650b, previously, a client was able to
> +request example.org by presenting a certificate for example.org, then to
> +resume and request example.com.
> +
> +The fix is to reject handshakes resumed with a different server name, if
> +verification of client certificates is enabled in a corresponding server
> +configuration.
> +
> +CVE: CVE-2025-23419
> +Upstream-Status: Backport
> [https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e]
> +Signed-off-by: Colin Pinnell McAllister <[email protected]>
> +---
> + src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
> + src/stream/ngx_stream_ssl_module.c | 27 +++++++++++++++++++++++++--
> + 2 files changed, 50 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
> +index 3cca57cf5..9593b7fb5 100644
> +--- a/src/http/ngx_http_request.c
> ++++ b/src/http/ngx_http_request.c
> +@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int
> *ad, void *arg)
> + goto done;
> + }
> +
> ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
> ++
> ++#if (defined TLS1_3_VERSION
> \
> ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
> ++
> ++ /*
> ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
> ++ * but servername being negotiated in every TLSv1.3 handshake
> ++ * is only returned in OpenSSL 1.1.1+ as well
> ++ */
> ++
> ++ if (sscf->verify) {
> ++ const char *hostname;
> ++
> ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
> ++
> ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
> ++ c->ssl->handshake_rejected = 1;
> ++ *ad = SSL_AD_ACCESS_DENIED;
> ++ return SSL_TLSEXT_ERR_ALERT_FATAL;
> ++ }
> ++ }
> ++
> ++#endif
> ++
> + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
> + if (hc->ssl_servername == NULL) {
> + goto error;
> +@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int
> *ad, void *arg)
> +
> + ngx_set_connection_log(c, clcf->error_log);
> +
> +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
> +-
> + c->ssl->buffer_size = sscf->buffer_size;
> +
> + if (sscf->ssl.ctx) {
> +diff --git a/src/stream/ngx_stream_ssl_module.c
> b/src/stream/ngx_stream_ssl_module.c
> +index ba444776a..6dee106de 100644
> +--- a/src/stream/ngx_stream_ssl_module.c
> ++++ b/src/stream/ngx_stream_ssl_module.c
> +@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn,
> int *ad, void *arg)
> + goto done;
> + }
> +
> ++ sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
> ++
> ++#if (defined TLS1_3_VERSION
> \
> ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
> ++
> ++ /*
> ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
> ++ * but servername being negotiated in every TLSv1.3 handshake
> ++ * is only returned in OpenSSL 1.1.1+ as well
> ++ */
> ++
> ++ if (sscf->verify) {
> ++ const char *hostname;
> ++
> ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
> ++
> ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
> ++ c->ssl->handshake_rejected = 1;
> ++ *ad = SSL_AD_ACCESS_DENIED;
> ++ return SSL_TLSEXT_ERR_ALERT_FATAL;
> ++ }
> ++ }
> ++
> ++#endif
> ++
> + s->srv_conf = cscf->ctx->srv_conf;
> +
> + ngx_set_connection_log(c, cscf->error_log);
> +
> +- sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
> +-
> + if (sscf->ssl.ctx) {
> + if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
> + goto error;
> +--
> +2.52.0
> +
> diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc
> b/meta-webserver/recipes-httpd/nginx/nginx.inc
> index 945be05c6a..865d7f86ee 100644
> --- a/meta-webserver/recipes-httpd/nginx/nginx.inc
> +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
> @@ -26,6 +26,7 @@ SRC_URI = " \
> file://CVE-2024-7347-1.patch \
> file://CVE-2024-7347-2.patch \
> file://CVE-2025-53859.patch \
> + file://CVE-2025-23419.patch \
> "
>
> inherit siteinfo update-rc.d useradd systemd
> diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> index ed18b6471d..e5666f6fe6 100644
> --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
> @@ -2,8 +2,7 @@ require nginx.inc
>
> LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
>
> -SRC_URI:append = " file://CVE-2023-44487.patch \
> - file://CVE-2025-23419.patch"
> +SRC_URI:append = " file://CVE-2023-44487.patch"
>
> SRC_URI[sha256sum] =
> "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
>
> --
> 2.52.0
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123121):
https://lists.openembedded.org/g/openembedded-devel/message/123121
Mute This Topic: https://lists.openembedded.org/mt/117013060/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
