Concrete issue: The Oneiric nginx package is at version 1.0.5-1, released in July 2011 according to the changelog.
The recent memory-disclosure vulnerability (advisory page, CVE-2012-1180, DSA-2434-1) isn't fixed in 1.0.5-1. If I'm not misreading the Ubuntu CVE page, all Ubuntu versions seem to ship a vulnerable nginx.
Is this true?
If so: I thought there was a security team at Canonical that's actively working on issues like this, so I expected to get a security update within a short timeframe (hours or days) through apt-get update. Is this expectation -- that keeping my packages up-to-date is enough to stop my server from having known vulnerabilities -- generally wrong?
If so: What should I do to keep it secure? Reading the Ubuntu security notices wouldn't have helped in this case, as the nginx vulnerability was never posted there.
Ubuntu is currently divided into four components: main, restricted, universe and multiverse. Packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while packages in universe and multiverse are supported by the Ubuntu community. See the security team FAQ for more information.
Since nginx is in the Universe component, it does not get updates from the security team. It is up to the community to fix security issues in that package. See here for the exact procedure.
You can use Software Center or the ubuntu-support-status command line tool to determine which packages are officially supported, and for how long.
Update from the future: Nginx is moving to main, so it will receive support from the Ubuntu Security Team at that point. If you're unsure whether your version will, just look at apt-cache show nginx and look for the "Section" tag. When that's in Main, you're getting Canonical support for it.
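As an added example (not from the question or the answer above), a small POSIX shell script that applies the answer's "Section" tag check to constructed apt-cache show output and maps the component to who handles its security updates. It assumes the Ubuntu archive convention that a Section with no component prefix (e.g. "httpd") belongs to main, while other components appear as a prefix (e.g. "universe/web"); the sample records are constructed, not captured from a real system.

```shell
#!/bin/sh
# Classify a package's Ubuntu component from the "Section:" field of
# `apt-cache show` output, then report whether the Ubuntu Security Team
# or the community is responsible for security fixes.

# component_of_section SECTION -> component name
# Assumption: "httpd" means main; "universe/web" means universe, etc.
component_of_section() {
    case "$1" in
        */*) printf '%s\n' "${1%%/*}" ;;
        *)   printf 'main\n' ;;
    esac
}

# component_from_apt_cache "APT_CACHE_SHOW_OUTPUT" -> component of the first record
component_from_apt_cache() {
    section=$(printf '%s\n' "$1" | sed -n 's/^Section: //p' | head -n 1)
    if [ -z "$section" ]; then
        printf 'unknown\n'
        return 1
    fi
    component_of_section "$section"
}

# support_status COMPONENT -> who provides security updates for that component
support_status() {
    case "$1" in
        main|restricted)     printf 'Ubuntu Security Team\n' ;;
        universe|multiverse) printf 'community\n' ;;
        *)                   printf 'unknown\n'; return 1 ;;
    esac
}

# Constructed sample records (not real apt-cache output).
SAMPLE_NGINX='Package: nginx
Priority: optional
Section: universe/web
Version: 1.0.5-1'

SAMPLE_APACHE='Package: apache2
Section: httpd
Version: 2.2.20-1ubuntu1'

# On a real Ubuntu host you would feed live output instead:
#   component_from_apt_cache "$(apt-cache show nginx)"
for sample in "$SAMPLE_NGINX" "$SAMPLE_APACHE"; do
    comp=$(component_from_apt_cache "$sample" || true)
    printf '%s -> security updates from: %s\n' "$comp" "$(support_status "$comp" || true)"
done
```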