Security update for nginx SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03089-1 Final 1 1 2025-09-05T10:38:57Z current 2025-09-05T10:38:57Z 2025-09-05T10:38:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nginx This update for nginx fixes the following issues: - CVE-2025-53859: the server side may leak arbitrary bytes during the NGINX SMTP authentication process (bsc#1248070). - CVE-2025-23419: session resumption can bypass client certificate authentication requirements using TLSv1.3 (bsc#1236851). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3089 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503089-1/ Link for SUSE-SU-2025:03089-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041525.html E-Mail link for SUSE-SU-2025:03089-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1236851 SUSE Bug 1236851 https://bugzilla.suse.com/1248070 SUSE Bug 1248070 https://www.suse.com/security/cve/CVE-2025-23419/ SUSE CVE CVE-2025-23419 page https://www.suse.com/security/cve/CVE-2025-53859/ SUSE CVE CVE-2025-53859 page nginx-1.19.8-150300.3.18.1 nginx-source-1.19.8-150300.3.18.1 vim-plugin-nginx-1.19.8-150300.3.18.1 When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. CVE-2025-23419 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503089-1/ https://www.suse.com/security/cve/CVE-2025-23419.html CVE-2025-23419 https://bugzilla.suse.com/1236851 SUSE Bug 1236851 NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. CVE-2025-53859 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503089-1/ https://www.suse.com/security/cve/CVE-2025-53859.html CVE-2025-53859 https://bugzilla.suse.com/1248070 SUSE Bug 1248070