USN-7285-1: nginx vulnerability

Releases

• Ubuntu 24.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• nginx - small, powerful, scalable web/proxy server

Details

It was discovered that nginx incorrectly handled when multiple
server blocks are configured to share the same IP address and port.
An attacker could use this issue to use session resumption to bypass
client certificate authentication requirements on these servers.
This issue only affected Ubuntu 24.10.

A buffer overflow and a null pointer deref was fixed in nginx rtmp module
(#LP 1977718). This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

• nginx - 1.26.0-2ubuntu3.2
• nginx-common - 1.26.0-2ubuntu3.2
• nginx-core - 1.26.0-2ubuntu3.2
• nginx-dev - 1.26.0-2ubuntu3.2
• nginx-doc - 1.26.0-2ubuntu3.2
• nginx-extras - 1.26.0-2ubuntu3.2
• nginx-full - 1.26.0-2ubuntu3.2
• nginx-light - 1.26.0-2ubuntu3.2

Ubuntu 22.04

• libnginx-mod-rtmp - 1.18.0-6ubuntu14.6
• nginx - 1.18.0-6ubuntu14.6
• nginx-common - 1.18.0-6ubuntu14.6
• nginx-core - 1.18.0-6ubuntu14.6
• nginx-doc - 1.18.0-6ubuntu14.6
• nginx-extras - 1.18.0-6ubuntu14.6
• nginx-full - 1.18.0-6ubuntu14.6
• nginx-light - 1.18.0-6ubuntu14.6

Ubuntu 20.04

• libnginx-mod-rtmp - 1.18.0-0ubuntu1.7
• nginx - 1.18.0-0ubuntu1.7
• nginx-common - 1.18.0-0ubuntu1.7
• nginx-core - 1.18.0-0ubuntu1.7
• nginx-doc - 1.18.0-0ubuntu1.7
• nginx-extras - 1.18.0-0ubuntu1.7
• nginx-full - 1.18.0-0ubuntu1.7
• nginx-light - 1.18.0-0ubuntu1.7

In general, a standard system update will make all the necessary changes.

References

• CVE-2025-23419
• https://launchpad.net/bugs/1977718