DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

NGINX: Bump to OpenResty v1.25.3.2. (#13530)

Browse source
This commit is contained in:
Marco Ebert 2025-06-18 12:12:51 +02:00 committed by GitHub
parent 045bad6733
commit d01c0757d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 154 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

40
images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch Normal file
View file

@ -0,0 +1,40 @@
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 013b7158e..a7a3ee5b0 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -909,6 +909,26 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
goto done;
}
+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION \
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+ /*
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+ * but servername being negotiated in every TLSv1.3 handshake
+ * is only returned in OpenSSL 1.1.1+ as well
+ */
+ if (sscf->verify) {
+ const char *hostname;
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+ c->ssl->handshake_rejected = 1;
+ *ad = SSL_AD_ACCESS_DENIED;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ }
+#endif
+
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
goto error;
@@ -922,8 +942,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
ngx_set_connection_log(c, clcf->error_log);
- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
-
c->ssl->buffer_size = sscf->buffer_size;
if (sscf->ssl.ctx) {