An update for nginx is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2086 Final 1.0 1.0 2025-08-29 Initial 2025-08-29 2025-08-29 openEuler SA Tool V1.0 2025-08-29 nginx security update An update for nginx is now available for openEuler-22.03-LTS-SP3 NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fix(es): NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.(CVE-2025-53859) An update for nginx is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Low nginx https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2086 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-53859 https://nvd.nist.gov/vuln/detail/CVE-2025-53859 openEuler-22.03-LTS-SP3 nginx-1.21.5-10.oe2203sp3.aarch64.rpm nginx-debuginfo-1.21.5-10.oe2203sp3.aarch64.rpm nginx-debugsource-1.21.5-10.oe2203sp3.aarch64.rpm nginx-mod-devel-1.21.5-10.oe2203sp3.aarch64.rpm nginx-mod-http-image-filter-1.21.5-10.oe2203sp3.aarch64.rpm nginx-mod-http-perl-1.21.5-10.oe2203sp3.aarch64.rpm nginx-mod-http-xslt-filter-1.21.5-10.oe2203sp3.aarch64.rpm nginx-mod-mail-1.21.5-10.oe2203sp3.aarch64.rpm nginx-mod-stream-1.21.5-10.oe2203sp3.aarch64.rpm nginx-1.21.5-10.oe2203sp3.src.rpm nginx-1.21.5-10.oe2203sp3.x86_64.rpm nginx-debuginfo-1.21.5-10.oe2203sp3.x86_64.rpm nginx-debugsource-1.21.5-10.oe2203sp3.x86_64.rpm nginx-mod-devel-1.21.5-10.oe2203sp3.x86_64.rpm nginx-mod-http-image-filter-1.21.5-10.oe2203sp3.x86_64.rpm nginx-mod-http-perl-1.21.5-10.oe2203sp3.x86_64.rpm nginx-mod-http-xslt-filter-1.21.5-10.oe2203sp3.x86_64.rpm nginx-mod-mail-1.21.5-10.oe2203sp3.x86_64.rpm nginx-mod-stream-1.21.5-10.oe2203sp3.x86_64.rpm nginx-all-modules-1.21.5-10.oe2203sp3.noarch.rpm nginx-filesystem-1.21.5-10.oe2203sp3.noarch.rpm nginx-help-1.21.5-10.oe2203sp3.noarch.rpm NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2025-08-29 CVE-2025-53859 openEuler-22.03-LTS-SP3 Low 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N nginx security update 2025-08-29 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2086