Hi,

The following vulnerability was published for nginx.

CVE-2025-53859[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_mail_smtp_module that might allow an unauthenticated attacker to
| over-read NGINX SMTP authentication process memory; as a result, the
| server side may leak arbitrary bytes sent in a request to the
| authentication server. This issue happens during the NGINX SMTP
| authentication process and requires the attacker to make
| preparations against the target system to extract the leaked data.
| The issue affects NGINX only if (1) it is built with the
| ngx_mail_smtp_module, (2) the smtp_auth directive is configured with
| method "none," and (3) the authentication server returns the "Auth-Wait"
| response header. Note: Software versions which have reached End of
| Technical Support (EoTS) are not evaluated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53859
    https://www.cve.org/CVERecord?id=CVE-2025-53859
[1] https://www.openwall.com/lists/oss-security/2025/08/13/5
[2] https://nginx.org/download/patch.2025.smtp.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
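A defender-side check for the build and configuration preconditions the advisory quotes, added here as an example (not from the bug report, nginx or Debian). The `nginx -V` output and configuration strings are constructed samples, and the Auth-Wait condition is reported as unknown because it depends on the auth_http backend, not on anything readable from the config.

```shell
#!/bin/sh
# Added example (not from the bug report, nginx or Debian): check the first
# two CVE-2025-53859 preconditions against `nginx -V 2>&1` output and the
# nginx config text. Precondition (3), the auth_http backend sending an
# Auth-Wait header, is backend behaviour and cannot be read from the config.

# (1) Build has the mail modules; "--with-mail" also matches "--with-mail=dynamic".
has_mail_module() {
    printf '%s\n' "$1" | grep -q -- '--with-mail'
}

# (2) An smtp_auth directive lists method "none". Comments are stripped first
#     so a commented-out directive does not count.
smtp_auth_none_enabled() {
    printf '%s\n' "$1" \
        | sed 's/#.*$//' \
        | grep -E '^[[:space:]]*smtp_auth[[:space:]]' \
        | grep -Eq '[[:space:]]none([[:space:]]|;)'
}

# Prints "preconditions-met" when (1) and (2) both hold, else "not-affected".
cve_2025_53859_exposure() {
    if has_mail_module "$1" && smtp_auth_none_enabled "$2"; then
        echo "preconditions-met"
    else
        echo "not-affected"
    fi
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_BUILD='nginx version: nginx/1.28.0
configure arguments: --with-mail=dynamic --with-http_ssl_module'
NO_MAIL_BUILD='nginx version: nginx/1.28.0
configure arguments: --with-http_ssl_module'
WEAK_CONF='mail { server {
    protocol  smtp;
    smtp_auth login plain none;   # "none": clients may skip AUTH entirely
    auth_http localhost:9000/auth;
} }'
HARDENED_CONF='mail { server {
    protocol  smtp;
    smtp_auth login plain;        # method "none" removed
    auth_http localhost:9000/auth;
} }'

cve_2025_53859_exposure "$SAMPLE_BUILD"  "$WEAK_CONF"      # preconditions-met
cve_2025_53859_exposure "$SAMPLE_BUILD"  "$HARDENED_CONF"  # not-affected
cve_2025_53859_exposure "$NO_MAIL_BUILD" "$WEAK_CONF"      # not-affected
```

On a real host, feed it `nginx -V 2>&1` and the output of `nginx -T`; a "preconditions-met" result still needs the Debian package version checked against the fixed upload before it is treated as vulnerable.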
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1111138@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Mojžíš <janmojzis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 16 Aug 2025 16:11:55 +0200
Source: nginx
Architecture: source
Version: 1.28.0-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Closes: 1111138
Changes:
 nginx (1.28.0-2) experimental; urgency=medium
 .
   * d/p/CVE-2025-53859.patch add, fixes CVE-2025-53859 (Closes: 1111138)
Hi,

FWIW, this is not really needed, the Debian BTS can close bugs in
multiple versions, so actually I would have left the fixed version for
the experimental fix, and then close it again either if you fix it
specifically by cherry-picking as well for the 1.26.3 version, or when
you move the experimental version to unstable pass -v appropriately to
include the changes from the earlier version in unstable.

Same holds when you fix the bug back in stable, then a second close
does not harm, actually makes the metadata more correct (and SRM would
ask why it is not yet marked as fixed in the upper suite).

Adding more found versions, tagging them e.g. bookworm, trixie, forky
and sid, makes sure the BTS would not archive the bug prematurely.

So, tl;dr would be "you can close bugs in multiple versions".

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1111138@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Mojžíš <janmojzis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 26 Aug 2025 07:16:58 +0200
Source: nginx
Architecture: source
Version: 1.28.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Closes: 1111138
Changes:
 nginx (1.28.0-3) unstable; urgency=medium
 .
   * Upload to unstable
   * d/p/CVE-2025-53859.patch add, fixes CVE-2025-53859 (Closes: 1111138)
   * d/gbp.conf: dist = DEP14, debian-branch = debian/latest