new file mode 100644
@@ -0,0 +1,87 @@
+From bc23d3cdf98e855a5409d3584a241d4d773ab306 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed, 22 Jan 2025 18:55:44 +0400
+Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
+ resumption.
+
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f650b insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f650b, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+
+CVE: CVE-2025-23419
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e]
+
+This patch is partially cherry picked from commit
+13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2
+parts. One fixed problem in `http/ngx_http_request` module and the
+second fixed problem in `stream/ngx_stream_ssl_module` module. The fix
+for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream
+virtual servers' funcionality was added later in this commit:
+https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
+Therefore only `http/ngx_http_request` part was backported.
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 5e0340b..514c021 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -907,6 +907,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ goto done;
+ }
+
++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION \
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++ /*
++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++ * but servername being negotiated in every TLSv1.3 handshake
++ * is only returned in OpenSSL 1.1.1+ as well
++ */
++
++ if (sscf->verify) {
++ const char *hostname;
++
++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++ c->ssl->handshake_rejected = 1;
++ *ad = SSL_AD_ACCESS_DENIED;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++ }
++
++#endif
++
+ hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+ if (hc->ssl_servername == NULL) {
+ goto error;
+@@ -920,8 +945,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+
+ ngx_set_connection_log(c, clcf->error_log);
+
+- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+ c->ssl->buffer_size = sscf->buffer_size;
+
+ if (sscf->ssl.ctx) {
+--
+2.34.1
+
@@ -2,5 +2,7 @@ require nginx.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
+SRC_URI:append = " file://CVE-2025-23419.patch"
+
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"