Nginx Debian vulnerabilities

Are the vulnerabilities listed at
http://nginx.org/en/security_advisories.html fixed in the recent Debian
lenny package?

nginx -v

nginx version: nginx/0.6.32

I’ve installed nginx through apt-get install nginx, am I vulnerable to
any of those vulnerabilities?


On Thu, 2010-08-12 at 17:10 +0200, [email protected] wrote:

Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent Debian lenny package?

nginx -v

nginx version: nginx/0.6.32

I’ve installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?

The vulnerable versions are listed on the page you linked, so you seem
to have answered your own question.

In any case, 0.6.x is old and unsupported and 0.6.32 isn’t even the
latest of the old, unsupported releases. You are certainly vulnerable
to any non-Windows-specific issues.

You should install at least 0.7.x.

Cliff

On 12 Ago 2010 16h10 WEST, [email protected] wrote:

Are the vulnerabilities listed at
http://nginx.org/en/security_advisories.html fixed in the recent
Debian lenny package?

nginx -v

nginx version: nginx/0.6.32

I’ve installed nginx through apt-get install nginx, am I vulnerable
to any of those vulnerabilities?

Why don’t you do some Apt pinning and use the version from testing?
Currently it’s 0.7.67.

— appa
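One way to do the pinning appa suggests, as an added example that is not part of the original thread: it pins only nginx to testing and holds everything else from testing at a low priority, so the rest of the lenny system does not drift. The mirror URL and the default scratch ROOT are assumptions; set ROOT=/ as root to apply it to a real system, then run apt-get update and apt-get install nginx.

```shell
#!/bin/sh
# Added example, not from the thread: pin one package (nginx) to Debian
# testing while everything else stays on stable. Writes under $ROOT, which
# defaults to a scratch directory so it can be run safely; set ROOT=/ (as
# root) to apply it to the real system.

ROOT="${ROOT:-$(mktemp -d)}"
PKG="${PKG:-nginx}"
# Mirror URL is an assumption; use the one already in your sources.list.
MIRROR="${MIRROR:-http://ftp.debian.org/debian}"

# Emit apt preferences for package $1. Everything from testing gets
# priority 100 (never installed or upgraded to unless explicitly asked),
# while $1 gets 990 so its testing version beats the stable one (500) but
# stays below 1000, i.e. apt will still never downgrade it later.
render_preferences() {
    cat <<EOF
Package: *
Pin: release a=testing
Pin-Priority: 100

Package: $1
Pin: release a=testing
Pin-Priority: 990
EOF
}

# Install the pin and the testing source. A single /etc/apt/preferences
# file is used rather than preferences.d/ because lenny's apt predates
# the directory form.
write_pin() {
    mkdir -p "$ROOT/etc/apt/sources.list.d"
    render_preferences "$PKG" > "$ROOT/etc/apt/preferences"
    printf 'deb %s testing main\n' "$MIRROR" \
        > "$ROOT/etc/apt/sources.list.d/testing.list"
}

# Count the stanzas in the written preferences file that target $1
# (a cheap sanity check that the pin landed; on a live system the real
# check is: apt-cache policy "$PKG").
pin_stanzas_for() {
    grep -c "^Package: $1\$" "$ROOT/etc/apt/preferences"
}

write_pin
echo "pin written under $ROOT; next: apt-get update && apt-get install $PKG"
```

Without the first stanza (the global priority 100 for testing), adding testing to sources.list would let apt-get upgrade pull the whole system to testing, which is the usual way this goes wrong.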

Hello!

On Thu, Aug 12, 2010 at 05:10:16PM +0200, [email protected] wrote:

Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent Debian lenny package?

nginx -v

nginx version: nginx/0.6.32

I’ve installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?

According to

http://patch-tracker.debian.org/package/nginx/0.6.32-3+lenny3

it has applied patches for CVE-2009-2629 (VU#180065) and
CVE-2009-3896.

The following remain:

  • CVE-2009-3555 - you have to ensure your OpenSSL installation is
    safe if you are using ssl (most likely it is - the patch was
    released before fixed OpenSSL was widely available)

  • CVE-2009-3898 - you shouldn’t expose webdav module to untrusted
    users

They aren’t critical (well, CVE-2009-3555 is, but you likely have it
patched in OpenSSL itself) but it’s probably a good idea to upgrade
anyway if you are planning to use nginx for something serious. 0.6.32
is just way too old.

Maxim D.
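The check Maxim did by hand (reading what the Debian package says it fixed, instead of trusting the upstream version string, which a version-based scanner would flag as vulnerable), as an added example that is not part of the thread. It runs offline against a constructed changelog; on a lenny box the real file is /usr/share/doc/nginx/changelog.Debian.gz. In the sample only the version string and the two CVE ids come from the thread; the maintainer name, dates and entry wording are made up.

```shell
#!/bin/sh
# Added example (not from the thread): list the CVE identifiers a Debian
# package's changelog says were fixed, so an old upstream version number
# is not mistaken for an unpatched one. POSIX sh plus grep/sort/zcat.

# Print the unique CVE identifiers found in changelog text on stdin.
cve_ids_in() {
    grep -o 'CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9]*' | sort -u
}

# Exit 0 if the changelog text on stdin mentions the CVE given as $1.
changelog_fixes() {
    cve_ids_in | grep -qx "$1"
}

# On a real Debian system the package changelog lives here:
installed_changelog() {
    zcat "/usr/share/doc/$1/changelog.Debian.gz"
}

# Constructed sample in Debian changelog format for offline use. The
# version 0.6.32-3+lenny3 and the two CVE ids are the ones the thread
# cites from patch-tracker.debian.org; maintainer, dates and wording are
# made up here.
SAMPLE_CHANGELOG='nginx (0.6.32-3+lenny3) stable-security; urgency=high

  * Backport upstream fix for CVE-2009-3896.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2010 00:00:00 +0000

nginx (0.6.32-3+lenny2) stable-security; urgency=high

  * Backport upstream fix for CVE-2009-2629 (VU#180065).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2010 00:00:00 +0000
'

# For each CVE the thread names, say whether the sample changelog claims
# a fix. The two that are "NOT mentioned" are exactly the ones Maxim
# says remain: one lives in OpenSSL, the other in the webdav module.
report() {
    for cve in CVE-2009-2629 CVE-2009-3896 CVE-2009-3555 CVE-2009-3898; do
        if printf '%s' "$SAMPLE_CHANGELOG" | changelog_fixes "$cve"; then
            echo "$cve: fixed according to package changelog"
        else
            echo "$cve: NOT mentioned (check OpenSSL / module exposure)"
        fi
    done
}

report
```

A changelog only records what the maintainer wrote, so the patch-tracker page Maxim links remains the authority; and since CVE-2009-3555 is fixed in OpenSSL rather than nginx, the same check belongs on the libssl package's changelog (libssl0.9.8 on lenny).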

On 13 Ago 2010 22h28 WEST, [email protected] wrote:

Hi,

IIRC from asking once, they don’t apply patches, they just bundle.
However, even on Sid nginx is way behind, so i prefer to build from
source, install with checkinstall (so i can purge if necessary and
to keep things overall clean), and pin it.

Not quite. Here’s how the current version on Sid/Squeeze, 0.7.67 is
structured when unpacking the src .deb pkg.

in the nginx-0.7.67/debian/patches directory:

-rwxr-xr-x 1 appa appa   921 Ago 9 10:24 dlopen.diff
-rw-r--r-- 1 appa appa   587 Ago 9 10:24 fix_reloading_ipv6.diff
-rw-r--r-- 1 appa appa 44205 Ago 9 10:24 nginx-upstream-fair.diff
-rw-r--r-- 1 appa appa    93 Ago 9 10:24 series

According to http://nginx.org/en/download.html, 0.7.67 is the stable
version. So yes debian is behind the development version but is
synched with the stable version.

checkinstall is just an incredibly brittle tool for packaging
software. Debian packaging is somewhat complex. There are reasons for
that. Maintaining system consistency being one of them.

You’re better off just compiling the original source and installing it
under /usr/local/sbin. Be sure to have the proper PATH settings and
all should work. Use epkg (http://www.encap.org/epkg) to have the whole
thing fit in one central location with automagical symlinks to the
proper locations. You can even have both the Debian package and your
custom compiled from source version. Or the right way™ is to roll
your own .deb package with the proper policy.

— appa

On Fri, Aug 13, 2010 at 22:52, António P. P. Almeida [email protected]
wrote:

So yes debian is behind the development version but is
synched with the stable version.

Shouldn’t Debian unstable be in sync with the development branch, and
Debian stable with nginx stable?

Hi,

IIRC from asking once, they don’t apply patches, they just bundle.
However, even on Sid nginx is way behind, so i prefer to build from
source, install with checkinstall (so i can purge if necessary and to
keep things overall clean), and pin it.

My 2¢, HTH,
Nuno
