=====================================================================

                            CERT-Renater

                  Information Note No. 2025/VULN074

_____________________________________________________________________

DATE                : 06/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running nginx versions prior to 1.26.3,
                      1.27.4.

=====================================================================
https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html
_____________________________________________________________________

A problem with SSL session resumption in nginx was identified.
It was possible to reuse SSL sessions in name-based
virtual hosts in unrelated contexts, allowing client certificate
authentication to be bypassed in some configurations (CVE-2025-23419).

The problem affects nginx 1.11.4 and newer built with OpenSSL if the
TLSv1.3 protocol and session resumption are enabled either with
ssl_session_cache or ssl_session_tickets.

The problem is fixed in 1.26.3 and 1.27.4.
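
A triage check for the conditions listed above, as an added example that is not part of this note or of the nginx announcement. It assumes the text of `nginx -V` and `nginx -T` as input, that an OpenSSL build is reported as "built with OpenSSL", and it scans directives across the whole configuration without tracking server blocks; the function names and sample inputs are constructed.

```python
import re

FIRST_AFFECTED = (1, 11, 4)                             # from the advisory
FIXED_STABLE, FIXED_MAINLINE = (1, 26, 3), (1, 27, 4)   # from the advisory

def version_affected(nginx_v: str) -> bool:
    """True if the version in `nginx -V` output lies in the affected range."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", nginx_v)
    if not m:
        raise ValueError("no nginx version found")
    v = tuple(map(int, m.groups()))
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # 1.26.x from 1.26.3 on carries the fix; anything else below 1.27.4 does not
    return not (v[:2] == (1, 26) and v >= FIXED_STABLE)

def directive_values(config: str, name: str) -> list[str]:
    """Argument strings of every occurrence of a directive (comments stripped)."""
    text = re.sub(r"#[^\n]*", "", config)
    return [m.group(1).strip() for m in re.finditer(rf"\b{name}\s+([^;]+);", text)]

def exposure(nginx_v: str, config: str) -> dict:
    protocols = directive_values(config, "ssl_protocols")
    caches = directive_values(config, "ssl_session_cache")
    tickets = directive_values(config, "ssl_session_tickets")
    checks = {
        "version": version_affected(nginx_v),
        "openssl": "built with OpenSSL" in nginx_v,
        # No ssl_protocols directive: treated conservatively as possibly TLSv1.3
        "tls13": not protocols or any("TLSv1.3" in p.split() for p in protocols),
        # Tickets default to on in nginx; a cache other than off/none also resumes
        "resumption": (not tickets or "on" in tickets)
                      or any(c not in ("off", "none") for c in caches),
    }
    checks["exposed"] = all(checks.values())
    return checks

# Constructed samples, not taken from a real host
SAMPLE_V = "nginx version: nginx/1.26.2\nbuilt with OpenSSL 3.0.13 30 Jan 2024\n"
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:10m;   # resumption still enabled via the cache
    server { listen 443 ssl; server_name a.example; ssl_verify_client on; }
}
"""
if __name__ == "__main__":
    print(exposure(SAMPLE_V, SAMPLE_CONF))
```

A result of `exposed: True` only means every condition named in the note is met; whether client certificate authentication is actually at risk depends on how the virtual hosts are configured.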


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
