Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent debian lenny packet?
# nginx -v
nginx version: nginx/0.6.32
I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?
On Thu, 2010-08-12 at 17:10 +0200, Mesaya at gmx.de wrote:
> Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent debian lenny packet?
>
> # nginx -v
> nginx version: nginx/0.6.32
>
> I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?
The vulnerable versions are listed on the page you linked, so you seem
to have answered your own question.
In any case, 0.6.x is old and unsupported and 0.6.32 isn't even the
latest of the old, unsupported releases. You are certainly vulnerable
to any non-Windows-specific issues.
You should install at least 0.7.x.
Cliff
--
On 12 Ago 2010 16h10 WEST, Mesaya at gmx.de wrote:
> Are the vulnerabilities listed at
> http://nginx.org/en/security_advisories.html fixed in the recent
> debian lenny packet?
>
> # nginx -v
> nginx version: nginx/0.6.32
>
> I've installed nginx through apt-get install nginx, am I vulnerable
> to any of those vulnerabilities?
Why don't you do some Apt pinning and use the version from testing?
Currently it's 0.7.67.
--- appa
Hello!
On Thu, Aug 12, 2010 at 05:10:16PM +0200, Mesaya at gmx.de wrote:
> Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent debian lenny packet?
>
> # nginx -v
> nginx version: nginx/0.6.32
>
> I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?
According to
http://patch-tracker.debian.org/package/nginx/0.6.32-3+lenny3
it has applied patches for CVE-2009-2629 (VU#180065) and
CVE-2009-3896.
The following remain:
- CVE-2009-3555 - you have to ensure your OpenSSL installation is
safe if you are using ssl (most likely it is - the patch was
released before fixed OpenSSL was widely available)
- CVE-2009-3898 - you shouldn't expose webdav module to untrusted
users
They aren't critical (well, CVE-2009-3555 is, but you likely have
it patched in OpenSSL itself), but it's probably a good idea to
upgrade anyway if you are planning to use nginx for something
serious. 0.6.32 is just way too old.
Maxim Dounin
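A small check in the spirit of Maxim's answer, added here and not taken from the thread: it pulls the CVE ids out of a Debian changelog and compares them with the advisory list, so you can see which advisories the package claims to address without trusting the version string. The changelog excerpt below is constructed for the example (it is not the real lenny changelog); the path /usr/share/doc/nginx/changelog.Debian.gz in the comment is Debian's usual location for a package's changelog.

```shell
#!/bin/sh
# Constructed excerpt in Debian changelog format (NOT the real nginx changelog).
SAMPLE_CHANGELOG='nginx (0.6.32-3+lenny3) stable-security; urgency=high

  * Apply upstream patch for CVE-2009-3896.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Feb 2010 00:00:00 +0000

nginx (0.6.32-3+lenny2) stable-security; urgency=high

  * Apply upstream patch for CVE-2009-2629 (VU#180065).

 -- Example Maintainer <maint@example.invalid>  Tue, 15 Sep 2009 00:00:00 +0000
'

# CVE ids from the nginx advisory page, as discussed in the thread.
ADVISORY_CVES='CVE-2009-2629 CVE-2009-3896 CVE-2009-3555 CVE-2009-3898'

# Print the unique CVE ids mentioned in a changelog read from stdin.
# On a real Debian host: zcat /usr/share/doc/nginx/changelog.Debian.gz | cves_in_changelog
cves_in_changelog() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# For each advisory CVE print "<cve> fixed" if the changelog mentions it,
# otherwise "<cve> unaddressed". Args: changelog text, space-separated CVE list.
check_advisory_cves() {
  changelog="$1"; cves="$2"
  mentioned=$(printf '%s\n' "$changelog" | cves_in_changelog)
  for cve in $cves; do
    if printf '%s\n' "$mentioned" | grep -qx "$cve"; then
      printf '%s fixed\n' "$cve"
    else
      printf '%s unaddressed\n' "$cve"
    fi
  done
}

# Only the advisory CVEs the changelog does not mention, one per line.
unaddressed_cves() {
  check_advisory_cves "$1" "$2" | awk '$2 == "unaddressed" { print $1 }'
}

check_advisory_cves "$SAMPLE_CHANGELOG" "$ADVISORY_CVES"
```

A changelog mention is a claim, not proof; the patch tracker URL above shows the actual diffs. Note also that a fix that lives in another package (CVE-2009-3555 in OpenSSL) will always show up as unaddressed here, exactly as Maxim describes.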
Hi,
IIRC from asking once, they don't apply patches, they just bundle.
However, even on Sid nginx is way behind, so I prefer to build from
source, install with checkinstall (so I can purge if necessary and to
keep things overall clean), and pin it.
My 2¢, HTH,
Nuno
On 13 Ago 2010 22h28 WEST, nunomagalhaes at eu.ipp.pt wrote:
> Hi,
>
> IIRC from asking once, they don't apply patches, they just bundle.
> However, even on Sid nginx is way behind, so I prefer to build from
> source, install with checkinstall (so I can purge if necessary and
> to keep things overall clean), and pin it.
Not quite. Here's how the current version on Sid/Squeeze, 0.7.67, is
structured when unpacking the src .deb pkg.
In the nginx-0.7.67/debian/patches directory:
-rwxr-xr-x 1 appa appa 921 Ago 9 10:24 dlopen.diff
-rw-r--r-- 1 appa appa 587 Ago 9 10:24 fix_reloading_ipv6.diff
-rw-r--r-- 1 appa appa 44205 Ago 9 10:24 nginx-upstream-fair.diff
-rw-r--r-- 1 appa appa 93 Ago 9 10:24 series
According to http://nginx.org/en/download.html, 0.7.67 is the *stable*
version. So yes, Debian is behind the *development* version but is
synched with the stable version.
checkinstall is just an incredibly brittle tool for packaging
software. Debian packaging is somewhat complex. There are reasons for
that. Maintaining system consistency being one of them.
You're better off just compiling the original source and installing it
under /usr/local/sbin. Be sure to have the proper PATH settings and
all should work. Use epkg (http://www.encap.org/epkg) to have the whole
thing fit in one central location with automagical symlinks to the
proper locations. You can even have both the Debian package and your
custom compiled-from-source version. Or the right way (tm) is to roll
your own .deb package with the proper policy.
--- appa
On Fri, Aug 13, 2010 at 22:52, António P. P. Almeida <appa at perusio.net> wrote:
> So yes debian is behind the *development* version but is
> synched with the stable version.
Shouldn't Debian unstable be in sync with the development branch, and
Debian stable with nginx stable?