Package Update for Ubuntu
Ralf Mardorf
ralf.mardorf at alice-dsl.net
Wed Aug 31 01:00:41 UTC 2022
On Tue, 2022-08-30 at 22:45 +0200, Maxime Pietrucci-Blacher wrote:
> Good evening, I have come to contact you to find out if the nginx-
> common and nginx-core packages are going to be updated soon, as there
> are many problems with the use of TLS on these two packages as they
> are no longer up to date.
> Also, I would like to know if there is a way to fix this independently
> or if it is necessary to wait (an update of the package which seems
> urgent to me, considering the recent CVE).
> Thank you for your help,
> Maxime Pietrucci-Blacher
>
I'm neither an Ubuntu developer nor an nginx user, but I wonder:
- Which Ubuntu release are you using?
- What are those TLS issues?
- Is any CVE fix missing?
http://nginx.org/en/security_advisories.html
https://ubuntu.com/security/cves?package=nginx
Ubuntu is a release model distro; the upstream version isn't what is
important. What is important are the security fixes of the version used
by the Ubuntu release.
https://packages.ubuntu.com/bionic/nginx
http://archive.ubuntu.com/ubuntu/pool/main/n/nginx/nginx_1.14.0-0ubuntu1.10.debian.tar.xz
From the changelog:
"nginx (1.14.0-0ubuntu1.10) bionic-security; urgency=medium

  * SECURITY UPDATE: ALPACA TLS issue
    - debian/patches/CVE-2021-3618.patch: specify the number of
      errors after which the connection is closed in
      src/mail/ngx_mail.h, src/mail/ngx_mail_core_module.c and
      src/mail/ngx_mail_handler.c.
    - CVE-2021-3618
  * SECURITY UPDATE: request mutation by unsafe characters
    - Add input validation to requests in Lua module in
      debian/modules/http-lua/src/ngx_http_lua_control.c,
      debian/modules/http-lua/src/ngx_http_lua_headers_in.c,
      debian/modules/http-lua/src/ngx_http_lua_headers_out.c,
      debian/modules/http-lua/src/ngx_http_lua_uri.c,
      debian/modules/http-lua/src/ngx_http_lua_util.h and
      debian/modules/http-lua/src/ngx_http_lua_util.h.
    - CVE-2020-36309
  * SECURITY UPDATE: request smuggling in ngx.location.capture
    - Add manual crafting of Content-Length in case request is
      chunked in
      debian/modules/http-lua/src/ngx_http_lua_subrequest.c.
    - CVE-2020-11724

 -- David Fernandez Gonzalez <david.fernandezgonzalez at canonical.com>  Tue, 12 Apr 2022 11:00:15 +0200

nginx (1.14.0-0ubuntu1.9) bionic-security; urgency=medium

  * SECURITY UPDATE: DNS Resolver issues
    - debian/patches/CVE-2021-23017-1.patch: fixed off-by-one write in
      src/core/ngx_resolver.c.
    - debian/patches/CVE-2021-23017-2.patch: fixed off-by-one read in
      src/core/ngx_resolver.c.
    - CVE-2021-23017

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Tue, 25 May 2021 13:11:02 -0400

[snip]"
Regards,
Ralf
More information about the Ubuntu-devel-discuss
mailing list