Vulnerability related Doubts in Nginx

Hi

We are running Nginx version 1.8 (nginx-1.8.1-1.amzn1.ngx.x86_64) on our servers. In the vulnerability assessment, Nessus gave a report that it is vulnerable.

Current version :- nginx-1.8.1-1.amzn1.ngx.x86_64

Fix Version ( According to Nessus ) :- nginx-1.8.1-1.26.amzn1

I don’t seem to find the "Fix Version" of Nginx which Nessus suggested.

Is there any workaround for this?

Is 1.8 the latest stable version which is available, or can we move forward with a higher one?

Any help will be appreciated!

Hi Zeal,

On 3/22/16 3:05 PM, Zeal Vora wrote:

I don’t seem to find the "Fix Version" of Nginx which Nessus suggested.

Is there any workaround for this?

Is 1.8 the latest stable version which is available, or can we move forward with a higher one?

Any help will be appreciated!

Does it help?

https://alas.aws.amazon.com/ALAS-2016-655.html


Maxim K.

On Tuesday 22 March 2016 17:35:19 Zeal Vora wrote:

I don’t seem to find the "Fix Version" of Nginx which Nessus suggested.

Is there any workaround for this?

Is 1.8 the latest stable version which is available, or can we move forward with a higher one?

Any help will be appreciated!

The CVE-2016-0742 that is referenced in the report is fixed in nginx 1.8.1.

See here for the official information:
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
http://nginx.org/en/security_advisories.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742

wbr, Valentin V. Bartenev

@Maxim :-

Thanks. Actually we compile Nginx so as to include additional modules. The solution mentioned on the Amazon page, "yum update nginx", is something which will not help, as we will need the tar.gz / SRPM file for that version.

@Valentin :-

Thanks, actually we already have 1.8.1 but the reported fix is in nginx-1.8.1-1.26 for which I can’t find any SRPM / tar.gz file.

On Tue, Mar 22, 2016 at 5:43 PM, Valentin V. Bartenev wrote:

On 3/22/16 3:17 PM, Zeal Vora wrote:

in nginx-1.8.1-1.26 for which I can’t find any SRPM / tar.gz file.

The nessus report is about the package version. “nginx-1.8.1-1.26”
is something AWS specific, it doesn’t come from nginx.org.

If you built your own package or compiled nginx from the nginx.org
sources you are safe with 1.8.1.


Maxim K.
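
To illustrate the point made in the replies above, that the finding is about the package version string and not the nginx source version, here is an added example (not part of the thread and not Nessus or RPM code). It assumes the scanner orders package strings the way RPM does and uses a simplified segment comparison without epoch, `~` or `^` handling; the helper names are hypothetical.

```python
import re

ARCHES = ("x86_64", "i686", "noarch")

def rpmvercmp(a, b):
    """Simplified RPM-style comparison of one version or release string."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1   # numeric segment is newer than alphabetic
        if x_num:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    for arch in ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def compare_packages(installed, fixed):
    """Return (version_cmp, release_cmp) for installed relative to fixed."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return rpmvercmp(iv, fv), rpmvercmp(ir, fr)

def flagged(installed, fixed):
    """True when the installed package string sorts below the fixed one."""
    v, r = compare_packages(installed, fixed)
    return v < 0 or (v == 0 and r < 0)

# Package strings quoted in the thread.
INSTALLED = "nginx-1.8.1-1.amzn1.ngx.x86_64"
FIXED = "nginx-1.8.1-1.26.amzn1"

if __name__ == "__main__":
    v, r = compare_packages(INSTALLED, FIXED)
    print("upstream version equal:", v == 0)   # both are 1.8.1
    print("release sorts lower:", r < 0)       # '1.amzn1.ngx' vs '1.26.amzn1'
    print("flagged by string comparison:", flagged(INSTALLED, FIXED))
```

Both packages carry upstream version 1.8.1; only the release field differs, because the alphabetic segment `amzn` in `1.amzn1.ngx` sorts below the numeric segment `26` in `1.26.amzn1`.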
